Analysis Overview
SHA256
79e77a92e9fbc01a18c002abd63bd41f4b08970d747ff9283fa19217cf9284a9
Threat Level: Shows suspicious behavior
The submitted file ada83f24db805cdc68a240df31289f0a (a 32-hex-character MD5; it runs as ada83f24db805cdc68a240df31289f0a.exe in behavioral1 below) was rated: Shows suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 04:11
Signatures
ASPack v2.12-2.42
NSIS installer
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\languages\Chinese.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
161s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
NSIS installer
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32\ = "E:\\\\WINDOWS\\\\system32\\\\urlFilter.dll" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8} | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "G:\\\\Program Files\\\\360safe\\\\safemon\\\\safemon.dll" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
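The rows above are written by Au_.exe, which is the NSIS uninstaller stub (copied to ~nsu.tmp and started with the `_?=<install dir>` argument, as the Processes list below shows). Two of them set the default value of a CLSID's InprocServer32 key, i.e. the DLL COM will load for that class, and both point at drives (E: and G:) that no other path in this report uses, so nothing is loaded from them during the detonation; on a real host they are the entries to check. The following script is an added example, not part of the sandbox report or the sample: it parses the table rows as printed here, collapses the report's doubled backslashes, and flags InprocServer32 servers that live off the system drive or under user-writable paths. `SYSTEM_DRIVE` is an assumption taken from the process paths in this report.

```python
import re

# Rows copied verbatim from the "Modifies registry class" table above (behavioral24).
REGISTRY_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32\ = "E:\\\\WINDOWS\\\\system32\\\\urlFilter.dll" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "G:\\\\Program Files\\\\360safe\\\\safemon\\\\safemon.dll" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
"""

# Assumption: the sandbox VM has a single volume, C:, which is the drive every process path in this report uses.
SYSTEM_DRIVE = "C:"

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# '<key>\ = "<value>"' as the report prints a "Set value (str)" indicator.
SET_RE = re.compile(r'^(?P<key>.*?)\\?\s*=\s*"(?P<value>.*)"$')
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users)\\", re.IGNORECASE)


def parse_rows(text):
    """Split '| op | indicator | process | target |' rows into (op, indicator, process)."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3:
            rows.append((cells[0], cells[1], cells[2]))
    return rows


def unescape(path):
    """Collapse the report's doubled backslashes ('E:\\\\WINDOWS') to a plain Windows path."""
    return re.sub(r"\\+", r"\\", path)


def inproc_findings(text, system_drive=SYSTEM_DRIVE):
    """One finding per InprocServer32 default value written to a CLSID key, with review reasons."""
    findings = []
    for op, indicator, process in parse_rows(text):
        if not op.startswith("Set value"):
            continue  # key creation alone registers no server DLL
        m = SET_RE.match(indicator)
        if not m or not m.group("key").endswith("InprocServer32"):
            continue
        dll = unescape(m.group("value"))
        clsid = CLSID_RE.search(m.group("key"))
        reasons = []
        if dll[:2].upper() != system_drive:
            reasons.append(f"server DLL on non-system drive {dll[:2].upper()}")
        if USER_WRITABLE_RE.search(dll):
            reasons.append("server DLL under a user-writable path")
        findings.append({
            "clsid": clsid.group(0) if clsid else None,
            "dll": dll,
            "writer": process,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in inproc_findings(REGISTRY_ROWS):
        print(f["clsid"], "->", f["dll"], "|", "; ".join(f["reasons"]) or "ok")
```

Both findings come back with the non-system-drive reason; a value under C:\Windows\System32 yields an empty reason list, so the check distinguishes a normal registration from one worth a second look.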
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4936 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 4936 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 4936 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\xiezai.exe
"C:\Users\Admin\AppData\Local\Temp\xiezai.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 6e4c948407b43e2bf15c9bbef5e2b35e |
| SHA1 | de139fe1114aeaf8064379afdeb32184cb852d32 |
| SHA256 | 8e76e356a9b92f70ed731d96eab90d59586a7e53d3c4bc6a50f1347546c2a992 |
| SHA512 | 471e204f9426fd9d250ba02b1b0f08add3cc22d31c718f43efe567987399a8858f7236672d94a7623a16b6b29a0cdd04bae6883c2c642a97ff188d8aac203db1 |
C:\Users\Admin\AppData\Local\Temp\nsg7CF1.tmp\FindProcDLL.dll
| MD5 | 8614c450637267afacad1645e23ba24a |
| SHA1 | e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2 |
| SHA256 | 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758 |
| SHA512 | af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b |
memory/3484-10-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240215-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lianmeng.kkjie.com | udp |
Files
memory/2824-0-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2824-1-0x0000000000400000-0x0000000000418000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | lianmeng.kkjie.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| IE | 74.125.193.95:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 95.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
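Most rows in these Network tables are reverse (PTR) lookups of the form x.x.x.x.in-addr.arpa. They appear in every detonation in this report, including behavioral22, where only rundll32 loading a language DLL ran, so they belong to the Windows image rather than to the sample; several of them are the reverse of an IP the VM itself connected to (95.193.125.74.in-addr.arpa is 74.125.193.95, the chromewebstore.googleapis.com peer above). The forward lookup that is specific to this sample, lianmeng.kkjie.com (lianmena.kkjie.com in behavioral27/28), has no matching TCP row in any run; the report records a resolution attempt only. The script below is an added example, not part of the report: it separates PTR noise from forward lookups, pairs PTR names with the TCP peers they reverse, and leaves the sample-attributable domains. `BACKGROUND_SUFFIXES` is an analyst-maintained assumption (Edge/Bing/Chrome Web Store traffic from msedge.exe, which this run's Processes list shows) to be confirmed against the process tree, not a fact the report states.

```python
from collections import Counter

# Rows copied verbatim from the behavioral30 Network table above.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | lianmeng.kkjie.com | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| IE | 74.125.193.95:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 95.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
"""

# Assumption: hosts the sandbox's browser/OS contacts on its own; verify per image before trusting it.
BACKGROUND_SUFFIXES = ("bing.com", "googleapis.com")
PTR_SUFFIX = ".in-addr.arpa"


def parse_network(text):
    """'| country | dest | domain | proto |' rows -> list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def ptr_to_ip(name):
    """'95.193.125.74.in-addr.arpa' -> '74.125.193.95' (PTR labels are the octets reversed)."""
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def is_background(domain, suffixes=BACKGROUND_SUFFIXES):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage_network(text, suffixes=BACKGROUND_SUFFIXES):
    """Split a Network table into PTR noise, forward DNS counts, TCP peers and sample domains."""
    ptr_ips, forward, tcp = [], Counter(), []
    for r in parse_network(text):
        d = r["domain"]
        if d.endswith(PTR_SUFFIX):
            ptr_ips.append(ptr_to_ip(d))
        elif r["proto"] == "tcp":
            ip, port = r["dest"].rsplit(":", 1)
            tcp.append((d, ip, int(port)))
        else:
            forward[d] += 1
    tcp_ips = {ip for _, ip, _ in tcp}
    return {
        "ptr_ips": ptr_ips,
        "ptr_matching_tcp": sorted(set(ptr_ips) & tcp_ips),   # PTRs the VM did for its own peers
        "dns": dict(forward),
        "tcp": tcp,
        "sample_domains": sorted(d for d in forward if not is_background(d, suffixes)),
    }


if __name__ == "__main__":
    r = triage_network(NETWORK_ROWS)
    print("PTR lookups:", len(r["ptr_ips"]), "of which reverse a TCP peer:", r["ptr_matching_tcp"])
    print("sample-attributable domains:", r["sample_domains"])
    print("TCP peers:", r["tcp"])
```

Run against the rows above, the output reduces thirteen table rows to one domain worth pivoting on and confirms that no TCP session to it was observed.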
Files
memory/1404-0-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1404-1-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1404-2-0x0000000000400000-0x0000000000418000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:15
Platform
win7-20240221-en
Max time kernel
210s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
| PID 1996 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
| PID 1996 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
| PID 1996 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
| PID 1996 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
| PID 1996 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
| PID 1996 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\KKjie.exe
"C:\Users\Admin\AppData\Local\Temp\KKjie.exe"
C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe
C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe
Network
Files
\Users\Admin\AppData\Local\Temp\nse3BD9.tmp\FindProcDLL.dll
| MD5 | 8614c450637267afacad1645e23ba24a |
| SHA1 | e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2 |
| SHA256 | 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758 |
| SHA512 | af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b |
memory/1996-7-0x0000000010000000-0x0000000010003000-memory.dmp
\Users\Admin\AppData\Local\Temp\KKjie_safe.exe
| MD5 | ac68dffc261c8625c5f2a94364ca10c9 |
| SHA1 | d5873084dcf4a74631c9abe82f1afc3ba1216464 |
| SHA256 | 16694059e7073810021960bb709f814f42490a5219f7970fa201b3d8ef259db7 |
| SHA512 | d7ab568b6906d6d0ff924da59983cb8def9cfbb76ed93371e815c26f2f59f3a33edef0e65419bdaee02bcf85efc7a5b856949de5c26afab689aeada50a705b59 |
C:\Users\Admin\AppData\Local\Temp\nse3BD9.tmp\Banner.dll
| MD5 | 103580e980d6082efc8580953d3692c3 |
| SHA1 | 62f3fe6148e99c1ecf65411686cac19ae6d2dafc |
| SHA256 | a5d8839e9b015538c54af7b171a47e223f2f1d6b6f28af715341bba95252d318 |
| SHA512 | 14e2f480bc64126b2e20848cc36e774cd5a326e83896de6c64ecd8cea61f665178e41e4999ac17ad3898dd770e1166eb82a460e919dd1eaacc5868a71ecf57a4 |
memory/2436-29-0x00000000002F0000-0x00000000002FD000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3304 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
| PID 3304 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
| PID 3304 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie.exe | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\KKjie.exe
"C:\Users\Admin\AppData\Local\Temp\KKjie.exe"
C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe
C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsf6D90.tmp\FindProcDLL.dll
| MD5 | 8614c450637267afacad1645e23ba24a |
| SHA1 | e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2 |
| SHA256 | 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758 |
| SHA512 | af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b |
memory/3304-5-0x0000000010000000-0x0000000010003000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe
| MD5 | ac68dffc261c8625c5f2a94364ca10c9 |
| SHA1 | d5873084dcf4a74631c9abe82f1afc3ba1216464 |
| SHA256 | 16694059e7073810021960bb709f814f42490a5219f7970fa201b3d8ef259db7 |
| SHA512 | d7ab568b6906d6d0ff924da59983cb8def9cfbb76ed93371e815c26f2f59f3a33edef0e65419bdaee02bcf85efc7a5b856949de5c26afab689aeada50a705b59 |
C:\Users\Admin\AppData\Local\Temp\nsf6D90.tmp\Banner.dll
| MD5 | 103580e980d6082efc8580953d3692c3 |
| SHA1 | 62f3fe6148e99c1ecf65411686cac19ae6d2dafc |
| SHA256 | a5d8839e9b015538c54af7b171a47e223f2f1d6b6f28af715341bba95252d318 |
| SHA512 | 14e2f480bc64126b2e20848cc36e774cd5a326e83896de6c64ecd8cea61f665178e41e4999ac17ad3898dd770e1166eb82a460e919dd1eaacc5868a71ecf57a4 |
memory/1880-20-0x0000000002CC0000-0x0000000002CCD000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe
"C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
114s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4804 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4804 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4804 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
134s
Max time network
141s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe
"C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe"
Network
Files
memory/2208-0-0x0000000000360000-0x000000000036D000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4316 wrote to memory of 4780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4316 wrote to memory of 4780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4316 wrote to memory of 4780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4780 -ip 4780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4780-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/4780-1-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 224
Network
Files
memory/2220-0-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:15
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
203s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4596 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4596 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4596 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsg6D3E.tmp\Banner.dll
| MD5 | 5ce60830e6db34a33f12be5018b21ca2 |
| SHA1 | 1a4f855b358884d0c67053ec606a5a68aadf75b8 |
| SHA256 | 8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a |
| SHA512 | e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe
"C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
| MD5 | 5aa5f1c916bac1a35ebea267e7a4840f |
| SHA1 | 1429790fa37313ddfece78c764992d21fa87b710 |
| SHA256 | 323501be982027bc5b18fbb1c8ee94d0219c02665003f91b7a75dc57e1c6a700 |
| SHA512 | 7da1ec129f6ffdd028a6d5e31b7b8474c560004e919b88956596bc4497d686f652c86029cc6477860a531c76e1b23170d181b8b31a2b71aa7c411dea7f9c8493 |
\Users\Admin\AppData\Local\Temp\nsy908E.tmp\Banner.dll
| MD5 | 5ce60830e6db34a33f12be5018b21ca2 |
| SHA1 | 1a4f855b358884d0c67053ec606a5a68aadf75b8 |
| SHA256 | 8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a |
| SHA512 | e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
| MD5 | 54ebf9996a9c772296d713909a88b4c3 |
| SHA1 | 5abfbb6bd8e79773fe575fb9c5c26c30254c9532 |
| SHA256 | a879172340d85623ab07f481b601ee67afddac49c77269521ce7e4c9e8bc3e0d |
| SHA512 | 80ae97248adf191364003af1971425625ccd9f474b60af7be4b7223695b748c5f0993716de4bf9001c88348b9deda31f3c628a6796a26cddf95daffdf096bd3c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
| MD5 | 86df01299e969a8a105f504a45a86188 |
| SHA1 | 3884636b59ce99cb1776a49000e7159f1c5e1621 |
| SHA256 | 1237a0e33c463217db96ff97f736cde21c84a010805ac3bd7a1937bab69f1360 |
| SHA512 | 02379a958915e547449b164099734db95c236431723212eb9c4480ddd6e4086b4d5dd50a5de77fd0773b7cbec474976ad401ea0f59f8912353eb8343d89851da |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
| MD5 | a6f4051f7da492db1ea4096f2effd24c |
| SHA1 | e2c64323fb25429f2c0c39cce159b68b43989b6f |
| SHA256 | 4ffc6508abc6b72a8b552f1ea9a9127c5c201b4e1e07b0918c3b46921dfd5563 |
| SHA512 | 5c108d871b6afc4c1494f9776583e2b02ff6359c0a8bd20ce207d27c95c92610b5f0cf4984d4b1b888a358633547836d344407b161bc156f25fc87771f2ae2ee |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
| MD5 | 8d6f541ff90cb471691963eb1225b011 |
| SHA1 | 62abcabb3d465aab78a8e2feb5a456560ddc0063 |
| SHA256 | 65e0a0404b6e3b7a780277837f6090fd7be711d328764b1ca15c2d43ee9cedf5 |
| SHA512 | d1ade7b12e161abb78b9fc962e6e9975cda6f139a2d7c4f65a80515ccc7e64a52237c85f3ed1b7931fe6d329fd5391890a245de4eb09779daf2be6a6132de465 |
\Users\Admin\AppData\Local\Temp\nsd94F0.tmp\InstallOptions.dll
| MD5 | 107737e3282fefd85684f2fa3df6d1c3 |
| SHA1 | 3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f |
| SHA256 | 21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0 |
| SHA512 | 439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4 |
C:\Users\Admin\AppData\Local\Temp\nsd94F0.tmp\ioSpecial.ini
| MD5 | 2c9e5a30a2c7e0edc427b6ea27899b52 |
| SHA1 | dd9c07f9aaa2c0d4c56931eeb939f56b23a2b6cc |
| SHA256 | d9a9244e1bb26a65946c95878a07e62c5d251ad5b45b9b9ef809f0523c801602 |
| SHA512 | 21e1b642d1a3d656cbeb2cd2137792059fa056971a44f459e326353e44684489d3277464821296c24f144ddf1be85352d8771ba768adf1bff3bc30b05e70c74a |
C:\Users\Admin\AppData\Local\Temp\nsd94F0.tmp\ioSpecial.ini
| MD5 | a920ab156c5b45efd3b7f3da5e20dda7 |
| SHA1 | 19df19c0093b110b47aeeac3a4125a32616dd7fe |
| SHA256 | 41eb056acfbb8e3c1c4a5e50fe55b4ef0d6cc58514affb3ce3e0a40618d83649 |
| SHA512 | 89b2b42a41259410442b426b80c92d6af5b9e55a49139e717df88978fc3550d39363b1c1548494df38ecbc4694d45a1bded345ab1ad1e0711164279a30db4438 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsi1E3B.tmp\ioSpecial.ini
| MD5 | a654b88af919776bba268800fede7d72 |
| SHA1 | a84f6a3fb187baf64e1250e19c5c065d0fec0ff4 |
| SHA256 | 7641cfab813656e023c2e9c7f350b1a4542a42dd27c7e40712fdc4a099b6c754 |
| SHA512 | 42b0a623302bd310d8c61abddcd3f0716b7c5655791291ee981a3d9f0b892f1a234cecfd31844ad5a080aecdb4ee6ff9fedce81f6b88af67b594829452e7cccd |
\Users\Admin\AppData\Local\Temp\nsi1E3B.tmp\InstallOptions.dll
C:\Users\Admin\AppData\Local\Temp\nsi1E3B.tmp\ioSpecial.ini
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
120s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\languages\Chinese.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240220-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lianmena.kkjie.com | udp |
Files
memory/3068-0-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3068-1-0x0000000000400000-0x0000000000418000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe"
Network
Files
memory/1284-0-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1284-1-0x0000000000400000-0x0000000000418000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1688 wrote to memory of 2204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1688 wrote to memory of 2204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1688 wrote to memory of 2204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1688 wrote to memory of 2204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1688 wrote to memory of 2204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1688 wrote to memory of 2204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1688 wrote to memory of 2204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
94s
Max time network
115s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2732 wrote to memory of 1212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2732 wrote to memory of 1212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2732 wrote to memory of 1212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 224
Network
Files
memory/2032-0-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2084 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
195s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe
"C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
C:\Users\Admin\AppData\Local\Temp\nss2690.tmp\Banner.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
C:\Users\Admin\AppData\Local\Temp\nsu5DDB.tmp\ioSpecial.ini
C:\Users\Admin\AppData\Local\Temp\nsu5DDB.tmp\InstallOptions.dll
C:\Users\Admin\AppData\Local\Temp\nsu5DDB.tmp\ioSpecial.ini
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsj2ADA.tmp\ioSpecial.ini
C:\Users\Admin\AppData\Local\Temp\nsj2ADA.tmp\InstallOptions.dll
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
176s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1720 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1720 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1720 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 536 -ip 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3244 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe
"C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 4076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1952 wrote to memory of 4076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1952 wrote to memory of 4076 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 600
Network
Files
memory/4076-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/4076-1-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe
"C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe"
Network
Files
memory/2364-0-0x0000000002E00000-0x0000000002E0D000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1704 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1704 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1704 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:16
Platform
win7-20240221-en
Max time kernel
188s
Max time network
158s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8} | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32\ = "E:\\\\WINDOWS\\\\system32\\\\urlFilter.dll" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "G:\\\\Program Files\\\\360safe\\\\safemon\\\\safemon.dll" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2428 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2428 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2428 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2428 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2428 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2428 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\xiezai.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\xiezai.exe
"C:\Users\Admin\AppData\Local\Temp\xiezai.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
\Users\Admin\AppData\Local\Temp\nsu455B.tmp\FindProcDLL.dll
memory/548-15-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2032 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2032 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2032 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2032 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2032 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2032 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2032 wrote to memory of 1400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2240 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2240 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2240 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2240 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2240 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2240 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd842F.tmp\Banner.dll
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-29 04:11
Reported
2024-02-29 04:14
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 248