Malware Analysis Report

2025-08-11 01:26

Sample ID: 240229-er7z4adb46
Target: ada83f24db805cdc68a240df31289f0a
SHA256: 79e77a92e9fbc01a18c002abd63bd41f4b08970d747ff9283fa19217cf9284a9
Tags: aspackv2
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral22, behavioral24, behavioral29, behavioral30, behavioral9, behavioral10, behavioral11, behavioral14, behavioral17, behavioral26, behavioral25, behavioral32, behavioral1, behavioral5, behavioral21, behavioral27, behavioral28, behavioral3, behavioral4, behavioral15, behavioral19, behavioral2, behavioral6, behavioral8, behavioral12, behavioral16, behavioral18, behavioral20, behavioral23, behavioral13, behavioral31, behavioral7 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256

79e77a92e9fbc01a18c002abd63bd41f4b08970d747ff9283fa19217cf9284a9

Threat Level: Shows suspicious behavior

The file ada83f24db805cdc68a240df31289f0a was classified as: Shows suspicious behavior.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 04:11

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A  (3 identical rows)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A  (20 identical rows)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A  (10 identical rows)

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\languages\Chinese.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\languages\Chinese.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xiezai.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A  (2 identical rows)

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32\ = "E:\\\\WINDOWS\\\\system32\\\\urlFilter.dll" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8} C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "G:\\\\Program Files\\\\360safe\\\\safemon\\\\safemon.dll" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A  (2 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\xiezai.exe

"C:\Users\Admin\AppData\Local\Temp\xiezai.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 6e4c948407b43e2bf15c9bbef5e2b35e
SHA1 de139fe1114aeaf8064379afdeb32184cb852d32
SHA256 8e76e356a9b92f70ed731d96eab90d59586a7e53d3c4bc6a50f1347546c2a992
SHA512 471e204f9426fd9d250ba02b1b0f08add3cc22d31c718f43efe567987399a8858f7236672d94a7623a16b6b29a0cdd04bae6883c2c642a97ff188d8aac203db1

C:\Users\Admin\AppData\Local\Temp\nsg7CF1.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/3484-10-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240215-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lianmeng.kkjie.com udp

Files

memory/2824-0-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2824-1-0x0000000000400000-0x0000000000418000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmeng\tsoft.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 lianmeng.kkjie.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
IE 74.125.193.95:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 95.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

memory/1404-0-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1404-1-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1404-2-0x0000000000400000-0x0000000000418000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:15

Platform

win7-20240221-en

Max time kernel

210s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\KKjie.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A  (63 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\KKjie.exe

"C:\Users\Admin\AppData\Local\Temp\KKjie.exe"

C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe

C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nse3BD9.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/1996-7-0x0000000010000000-0x0000000010003000-memory.dmp

\Users\Admin\AppData\Local\Temp\KKjie_safe.exe

MD5 ac68dffc261c8625c5f2a94364ca10c9
SHA1 d5873084dcf4a74631c9abe82f1afc3ba1216464
SHA256 16694059e7073810021960bb709f814f42490a5219f7970fa201b3d8ef259db7
SHA512 d7ab568b6906d6d0ff924da59983cb8def9cfbb76ed93371e815c26f2f59f3a33edef0e65419bdaee02bcf85efc7a5b856949de5c26afab689aeada50a705b59

C:\Users\Admin\AppData\Local\Temp\nse3BD9.tmp\Banner.dll

MD5 103580e980d6082efc8580953d3692c3
SHA1 62f3fe6148e99c1ecf65411686cac19ae6d2dafc
SHA256 a5d8839e9b015538c54af7b171a47e223f2f1d6b6f28af715341bba95252d318
SHA512 14e2f480bc64126b2e20848cc36e774cd5a326e83896de6c64ecd8cea61f665178e41e4999ac17ad3898dd770e1166eb82a460e919dd1eaacc5868a71ecf57a4

memory/2436-29-0x00000000002F0000-0x00000000002FD000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\KKjie.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie.exe N/A  (2 identical rows)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie.exe N/A  (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A  (62 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\KKjie.exe

"C:\Users\Admin\AppData\Local\Temp\KKjie.exe"

C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe

C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 92.123.128.181:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 181.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf6D90.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/3304-5-0x0000000010000000-0x0000000010003000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe

MD5 ac68dffc261c8625c5f2a94364ca10c9
SHA1 d5873084dcf4a74631c9abe82f1afc3ba1216464
SHA256 16694059e7073810021960bb709f814f42490a5219f7970fa201b3d8ef259db7
SHA512 d7ab568b6906d6d0ff924da59983cb8def9cfbb76ed93371e815c26f2f59f3a33edef0e65419bdaee02bcf85efc7a5b856949de5c26afab689aeada50a705b59

C:\Users\Admin\AppData\Local\Temp\nsf6D90.tmp\Banner.dll

MD5 103580e980d6082efc8580953d3692c3
SHA1 62f3fe6148e99c1ecf65411686cac19ae6d2dafc
SHA256 a5d8839e9b015538c54af7b171a47e223f2f1d6b6f28af715341bba95252d318
SHA512 14e2f480bc64126b2e20848cc36e774cd5a326e83896de6c64ecd8cea61f665178e41e4999ac17ad3898dd770e1166eb82a460e919dd1eaacc5868a71ecf57a4

memory/1880-20-0x0000000002CC0000-0x0000000002CCD000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe

"C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

114s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe  (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

134s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A  (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe

"C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe"

Network

N/A

Files

memory/2208-0-0x0000000000360000-0x000000000036D000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4780-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4780-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 224

Network

N/A

Files

memory/2220-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:15

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsg6D3E.tmp\Banner.dll

MD5 5ce60830e6db34a33f12be5018b21ca2
SHA1 1a4f855b358884d0c67053ec606a5a68aadf75b8
SHA256 8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a
SHA512 e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe"

Signatures

Enumerates physical storage devices

NSIS installer

Tags installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 1612 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 1612 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 1612 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 1612 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 1612 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 1612 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 872 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 872 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 872 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 872 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 872 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 872 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 872 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
PID 1612 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe

"C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe

MD5 5aa5f1c916bac1a35ebea267e7a4840f
SHA1 1429790fa37313ddfece78c764992d21fa87b710
SHA256 323501be982027bc5b18fbb1c8ee94d0219c02665003f91b7a75dc57e1c6a700
SHA512 7da1ec129f6ffdd028a6d5e31b7b8474c560004e919b88956596bc4497d686f652c86029cc6477860a531c76e1b23170d181b8b31a2b71aa7c411dea7f9c8493

\Users\Admin\AppData\Local\Temp\nsy908E.tmp\Banner.dll

MD5 5ce60830e6db34a33f12be5018b21ca2
SHA1 1a4f855b358884d0c67053ec606a5a68aadf75b8
SHA256 8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a
SHA512 e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

MD5 54ebf9996a9c772296d713909a88b4c3
SHA1 5abfbb6bd8e79773fe575fb9c5c26c30254c9532
SHA256 a879172340d85623ab07f481b601ee67afddac49c77269521ce7e4c9e8bc3e0d
SHA512 80ae97248adf191364003af1971425625ccd9f474b60af7be4b7223695b748c5f0993716de4bf9001c88348b9deda31f3c628a6796a26cddf95daffdf096bd3c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

MD5 86df01299e969a8a105f504a45a86188
SHA1 3884636b59ce99cb1776a49000e7159f1c5e1621
SHA256 1237a0e33c463217db96ff97f736cde21c84a010805ac3bd7a1937bab69f1360
SHA512 02379a958915e547449b164099734db95c236431723212eb9c4480ddd6e4086b4d5dd50a5de77fd0773b7cbec474976ad401ea0f59f8912353eb8343d89851da

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

MD5 a6f4051f7da492db1ea4096f2effd24c
SHA1 e2c64323fb25429f2c0c39cce159b68b43989b6f
SHA256 4ffc6508abc6b72a8b552f1ea9a9127c5c201b4e1e07b0918c3b46921dfd5563
SHA512 5c108d871b6afc4c1494f9776583e2b02ff6359c0a8bd20ce207d27c95c92610b5f0cf4984d4b1b888a358633547836d344407b161bc156f25fc87771f2ae2ee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

MD5 8d6f541ff90cb471691963eb1225b011
SHA1 62abcabb3d465aab78a8e2feb5a456560ddc0063
SHA256 65e0a0404b6e3b7a780277837f6090fd7be711d328764b1ca15c2d43ee9cedf5
SHA512 d1ade7b12e161abb78b9fc962e6e9975cda6f139a2d7c4f65a80515ccc7e64a52237c85f3ed1b7931fe6d329fd5391890a245de4eb09779daf2be6a6132de465

\Users\Admin\AppData\Local\Temp\nsd94F0.tmp\InstallOptions.dll

MD5 107737e3282fefd85684f2fa3df6d1c3
SHA1 3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f
SHA256 21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0
SHA512 439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

C:\Users\Admin\AppData\Local\Temp\nsd94F0.tmp\ioSpecial.ini

MD5 2c9e5a30a2c7e0edc427b6ea27899b52
SHA1 dd9c07f9aaa2c0d4c56931eeb939f56b23a2b6cc
SHA256 d9a9244e1bb26a65946c95878a07e62c5d251ad5b45b9b9ef809f0523c801602
SHA512 21e1b642d1a3d656cbeb2cd2137792059fa056971a44f459e326353e44684489d3277464821296c24f144ddf1be85352d8771ba768adf1bff3bc30b05e70c74a

C:\Users\Admin\AppData\Local\Temp\nsd94F0.tmp\ioSpecial.ini

MD5 a920ab156c5b45efd3b7f3da5e20dda7
SHA1 19df19c0093b110b47aeeac3a4125a32616dd7fe
SHA256 41eb056acfbb8e3c1c4a5e50fe55b4ef0d6cc58514affb3ce3e0a40618d83649
SHA512 89b2b42a41259410442b426b80c92d6af5b9e55a49139e717df88978fc3550d39363b1c1548494df38ecbc4694d45a1bded345ab1ad1e0711164279a30db4438

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsi1E3B.tmp\ioSpecial.ini

MD5 a654b88af919776bba268800fede7d72
SHA1 a84f6a3fb187baf64e1250e19c5c065d0fec0ff4
SHA256 7641cfab813656e023c2e9c7f350b1a4542a42dd27c7e40712fdc4a099b6c754
SHA512 42b0a623302bd310d8c61abddcd3f0716b7c5655791291ee981a3d9f0b892f1a234cecfd31844ad5a080aecdb4ee6ff9fedce81f6b88af67b594829452e7cccd

\Users\Admin\AppData\Local\Temp\nsi1E3B.tmp\InstallOptions.dll

MD5 107737e3282fefd85684f2fa3df6d1c3
SHA1 3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f
SHA256 21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0
SHA512 439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

C:\Users\Admin\AppData\Local\Temp\nsi1E3B.tmp\ioSpecial.ini

MD5 15253c20795bd97d0993ad9726d289e5
SHA1 05e7280012e67931b1a9ac5f5f0d0e0f22f82e54
SHA256 7761ce3a5b16758c39bd2108f2b633c84d788647b82acf83cee2910c178034af
SHA512 33c2c19987154f495b107c183f9a1906dfe661b452162b0c0b58fd06eb2ab16c714081e6f62bd561e4e510fabd482e19e20fd25bde18c28a73f9a69f4627f02f

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

120s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\languages\Chinese.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\languages\Chinese.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240220-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lianmena.kkjie.com udp

Files

memory/3068-0-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3068-1-0x0000000000400000-0x0000000000418000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\lianmena\tsoft.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lianmena.kkjie.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1284-0-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1284-1-0x0000000000400000-0x0000000000418000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

94s

Max time network

115s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 1212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2732 wrote to memory of 1212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2732 wrote to memory of 1212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 224

Network

N/A

Files

memory/2032-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe"

Signatures

Enumerates physical storage devices

NSIS installer

Tags installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4632 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 4632 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 4632 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe
PID 1656 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1656 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1656 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4632 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
PID 4632 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe
PID 4632 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe

"C:\Users\Admin\AppData\Local\Temp\ada83f24db805cdc68a240df31289f0a.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\send.exe

MD5 5aa5f1c916bac1a35ebea267e7a4840f
SHA1 1429790fa37313ddfece78c764992d21fa87b710
SHA256 323501be982027bc5b18fbb1c8ee94d0219c02665003f91b7a75dc57e1c6a700
SHA512 7da1ec129f6ffdd028a6d5e31b7b8474c560004e919b88956596bc4497d686f652c86029cc6477860a531c76e1b23170d181b8b31a2b71aa7c411dea7f9c8493

C:\Users\Admin\AppData\Local\Temp\nss2690.tmp\Banner.dll

MD5 5ce60830e6db34a33f12be5018b21ca2
SHA1 1a4f855b358884d0c67053ec606a5a68aadf75b8
SHA256 8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a
SHA512 e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Setup.exe

MD5 a6f4051f7da492db1ea4096f2effd24c
SHA1 e2c64323fb25429f2c0c39cce159b68b43989b6f
SHA256 4ffc6508abc6b72a8b552f1ea9a9127c5c201b4e1e07b0918c3b46921dfd5563
SHA512 5c108d871b6afc4c1494f9776583e2b02ff6359c0a8bd20ce207d27c95c92610b5f0cf4984d4b1b888a358633547836d344407b161bc156f25fc87771f2ae2ee

C:\Users\Admin\AppData\Local\Temp\nsu5DDB.tmp\ioSpecial.ini

MD5 a471bae0af2e0a77018ba787e8609652
SHA1 8860a5715a7e68a9e9311f9bae8ab1bc5cc71dfa
SHA256 4a1fe69e5dddee6f0a6dda9f266a3124d686a2ae6005d8ee08aec8c4708d0fcb
SHA512 29f814824749f986f52192f12cbe8570ac727373fe92db0a30e116fa5258d49dcccd87ed9f337ad7d3bcfd2306e4471b0f2305e514204d924f54f0a47104934d

C:\Users\Admin\AppData\Local\Temp\nsu5DDB.tmp\InstallOptions.dll

MD5 107737e3282fefd85684f2fa3df6d1c3
SHA1 3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f
SHA256 21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0
SHA512 439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

C:\Users\Admin\AppData\Local\Temp\nsu5DDB.tmp\ioSpecial.ini

MD5 31af488e9b0868704715cd35b98a84e4
SHA1 c086a5005180297c34f4aa4a9d600a55b1b55a59
SHA256 d3326a4a95120010b41fdb7d1a225dc609707aaa9700af2032c534e6dd8986fc
SHA512 996da48ae810f9053ce44ca4de3fd38c47a902dd58d01addb0145bb9b7ee0c3b33716521f446b612af3e1b21d17fa4a25286634accc84fc063355dea4f763386

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\Setup.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 52.111.229.19:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsj2ADA.tmp\ioSpecial.ini

MD5 0529edf39cbfb7373736d039d0aea663
SHA1 253077b241bdac36076a19ed56b7936c1520207a
SHA256 5c5549d2e7495ee06636bc41a7b69cf15909f6cf45e363987c32c1703a28870f
SHA512 df757eb46d154e5959938dfee118d28cbb68d1ea2836d6df0ad9100d0333132681e7ddf50a603847549aa9989c19fe81061580993868314b119fc8213bd54c3c

C:\Users\Admin\AppData\Local\Temp\nsj2ADA.tmp\InstallOptions.dll

MD5 107737e3282fefd85684f2fa3df6d1c3
SHA1 3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f
SHA256 21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0
SHA512 439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

176s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3244 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe

"C:\Users\Admin\AppData\Local\Temp\$EXEDIR\KKjie_safe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 4076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4076 -ip 4076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 600

Network

Country Destination Domain Proto

Files

memory/4076-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4076-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe

"C:\Users\Admin\AppData\Local\Temp\KKjie_safe.exe"

Network

Country Destination Domain Proto

Files

memory/2364-0-0x0000000002E00000-0x0000000002E0D000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 1904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KKjie_safe.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:16

Platform

win7-20240221-en

Max time kernel

188s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xiezai.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8} C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32\ = "E:\\\\WINDOWS\\\\system32\\\\urlFilter.dll" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "G:\\\\Program Files\\\\360safe\\\\safemon\\\\safemon.dll" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xiezai.exe

"C:\Users\Admin\AppData\Local\Temp\xiezai.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 6e4c948407b43e2bf15c9bbef5e2b35e
SHA1 de139fe1114aeaf8064379afdeb32184cb852d32
SHA256 8e76e356a9b92f70ed731d96eab90d59586a7e53d3c4bc6a50f1347546c2a992
SHA512 471e204f9426fd9d250ba02b1b0f08add3cc22d31c718f43efe567987399a8858f7236672d94a7623a16b6b29a0cdd04bae6883c2c642a97ff188d8aac203db1

\Users\Admin\AppData\Local\Temp\nsu455B.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/548-15-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\readme.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Internet Explorer\Connection Wizard\TDAtOnce_Now.dll"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd842F.tmp\Banner.dll

MD5 5ce60830e6db34a33f12be5018b21ca2
SHA1 1a4f855b358884d0c67053ec606a5a68aadf75b8
SHA256 8a039174ce882841a97df0871f94e22ebfc5111ac614eb05baf10cd1fd5d8c1a
SHA512 e6590fc8c365e98c6eb59ffcfab6931423b0603ec68b5c10f38004b879c5f3af3ee05d89b88f6fc480236abc9af4945e3146e9017bbd94ca8deac02145b7d903

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-29 04:11

Reported

2024-02-29 04:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 248

Network

N/A

Files

N/A