Analysis Overview
SHA256
bd2c84eb297ff45149c18bcee3a8c57ed663176d4a79c1440b9ef9cc1af310b0
Threat Level: Shows suspicious behavior
The submitted file dc02961c3109e7369f377da2913ba80d.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Modifies Internet Explorer settings
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer Protected Mode
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 15:49
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ac812c6-b714-e717-7e5e-77de319fc517} | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7ac812c6-b714-e717-7e5e-77de319fc517}\NoExplorer = "\"\"" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\nst8F38.tmp | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| File created | C:\Windows\SysWOW64\nst8F38.dll | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| File created | C:\Windows\SysWOW64\9d435dea-7c79-4c80-f8fa-68f67a5077f5.exe | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517} | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\ = "adtimes" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\InProcServer32\ = "C:\\Windows\\SysWow64\\nst8F38.dll" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe
"C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | adtimes.info | udp |
| US | 3.33.130.190:80 | adtimes.info | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsj8AB5.tmp\System.dll
| MD5 | 7e3c808299aa2c405dffa864471ddb7f |
| SHA1 | b5de7804dd35ed7afd0c3b59d866f1a0749495e0 |
| SHA256 | 91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd |
| SHA512 | 599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738 |
memory/2200-9-0x00000000004A0000-0x00000000004BA000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj8AB5.tmp\Math.dll
| MD5 | 8835b67f15d96144f3184e684fa76b43 |
| SHA1 | 365e34a34eb8c123d765b7deefd3ebb90fe0fe4b |
| SHA256 | df1e70965e0aab1b464e623ccaee5457e66dc2e955733658c8fc337a893aa51c |
| SHA512 | 3a7f89af391708c56d1d117e24f2f9f1c5e3db27716665fcfed66aea64d2a72ac293cb3b8d09482438b06f5e1f97338fd700d0ccef036814047b0842ad8b9c13 |
\Windows\SysWOW64\nst8F38.dll
| MD5 | 104be7b21b09b5863ea03eb7c6c1298a |
| SHA1 | f87600bca12beef0396f19650f34587c2c80cdee |
| SHA256 | afe8c52bf5d96ad9b890477e1608e2f56f332a4e7bae449f68f6d47e4592b54b |
| SHA512 | 339beaba14c9ee8b7277eba97d1d1af1ebb50bf59be4c3dc0f0aa02655c2ea0661738007b4c21642fb76b8c61edf6599208d4cc53b15b6a21eec6656f55eb5a1 |
memory/2200-169-0x0000000002F60000-0x0000000003098000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj8AB5.tmp\NSISdl.dll
| MD5 | f0e51d5722c11a4fe40c97b746c1ffc5 |
| SHA1 | 8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193 |
| SHA256 | 93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d |
| SHA512 | 212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win10v2004-20240226-en
Max time kernel
135s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4344 wrote to memory of 3456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4344 wrote to memory of 3456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4344 wrote to memory of 3456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3456 -ip 3456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win7-20240220-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 224
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1336 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1336 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1336 wrote to memory of 1900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1900 -ip 1900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win7-20240319-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f0e742a-6622-09bd-96bc-5a736e41c9c4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\NoExplorer = "\"\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\ = "adtimes" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R1.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2884 wrote to memory of 2948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2884 wrote to memory of 2948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2884 wrote to memory of 2948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2884 wrote to memory of 2948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2884 wrote to memory of 2948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2884 wrote to memory of 2948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2884 wrote to memory of 2948 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R1.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$R1.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
131s
Command Line
Signatures
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c007115d-6e57-7da4-c234-60c105b1f7de} | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c007115d-6e57-7da4-c234-60c105b1f7de}\NoExplorer = "\"\"" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\nsa544D.tmp | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| File created | C:\Windows\SysWOW64\nsa544D.dll | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| File created | C:\Windows\SysWOW64\e0e137dc-3eba-dae0-f1c9-1a25147bcbbc.exe | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de} | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de}\ = "adtimes" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de}\InProcServer32\ = "C:\\Windows\\SysWow64\\nsa544D.dll" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe
"C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adtimes.info | udp |
| US | 3.33.130.190:80 | adtimes.info | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsf5390.tmp\System.dll
| MD5 | 7e3c808299aa2c405dffa864471ddb7f |
| SHA1 | b5de7804dd35ed7afd0c3b59d866f1a0749495e0 |
| SHA256 | 91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd |
| SHA512 | 599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738 |
C:\Users\Admin\AppData\Local\Temp\nsf5390.tmp\Math.dll
| MD5 | 8835b67f15d96144f3184e684fa76b43 |
| SHA1 | 365e34a34eb8c123d765b7deefd3ebb90fe0fe4b |
| SHA256 | df1e70965e0aab1b464e623ccaee5457e66dc2e955733658c8fc337a893aa51c |
| SHA512 | 3a7f89af391708c56d1d117e24f2f9f1c5e3db27716665fcfed66aea64d2a72ac293cb3b8d09482438b06f5e1f97338fd700d0ccef036814047b0842ad8b9c13 |
memory/5028-10-0x0000000003040000-0x000000000305A000-memory.dmp
C:\Windows\SysWOW64\nsa544D.dll
| MD5 | 104be7b21b09b5863ea03eb7c6c1298a |
| SHA1 | f87600bca12beef0396f19650f34587c2c80cdee |
| SHA256 | afe8c52bf5d96ad9b890477e1608e2f56f332a4e7bae449f68f6d47e4592b54b |
| SHA512 | 339beaba14c9ee8b7277eba97d1d1af1ebb50bf59be4c3dc0f0aa02655c2ea0661738007b4c21642fb76b8c61edf6599208d4cc53b15b6a21eec6656f55eb5a1 |
memory/5028-173-0x00000000031A0000-0x00000000032D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsf5390.tmp\NSISdl.dll
| MD5 | f0e51d5722c11a4fe40c97b746c1ffc5 |
| SHA1 | 8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193 |
| SHA256 | 93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d |
| SHA512 | 212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a |
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win7-20240221-en
Max time kernel
122s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 228
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4812 wrote to memory of 820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4812 wrote to memory of 820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 820 -ip 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-21 15:49
Reported
2024-03-21 15:52
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\NoExplorer = "\"\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\ = "adtimes" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R1.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
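The registry rows above, together with the matching rows in behavioral1 (Wow6432Node\...\Browser Helper Objects\{7ac812c6-...}, InProcServer32 = C:\Windows\SysWow64\nst8F38.dll), behavioral2 ({c007115d-...}, nsa544D.dll) and behavioral9 ({3f0e742a-...}, $R1.dll via regsvr32 /s), show the same persistence pattern under a different CLSID and a different DLL path in every run, so a detection keyed on the GUID or the file name would miss the next sample. What stays constant is the combination: a CLSID whose default value is "adtimes", an InProcServer32 pointing at an NSIS temp name, %TEMP% or an unexpanded $R1 installer variable, an entry under Explorer\Browser Helper Objects, and, in the installer runs, Internet Settings\Zones\3\2500 set to 3 (Protected Mode off for the Internet zone) with NoProtectedModeBanner = 1 to hide the warning. The following is an added example, not code from the sandbox or from the sample, that correlates report rows of the shape "action | indicator" into one finding per registered BHO; the regexes, the "unusual path" heuristic and the sample rows (copied from this report's behavioral1 and behavioral9 tables) are this example's own. The NSIS helper DLLs extracted to $PLUGINSDIR (System.dll, Math.dll, NSISdl.dll) are installer plugins and are not the payload, which is why the heuristic looks at the InProcServer32 target rather than at every dropped DLL.

```python
"""Correlate sandbox registry events into BHO-persistence findings (added example)."""
import re

GUID = r"(\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\})"

# Explorer\Browser Helper Objects\{CLSID}: the key Internet Explorer enumerates to load BHOs.
BHO_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\" + GUID, re.I)
# CLSID\{guid}\ = "name"  and  CLSID\{guid}\InProcServer32\ = "dll path"  (default values only)
CLSID_RE = re.compile(
    r"\\Classes\\(?:Wow6432Node\\)?CLSID\\" + GUID + r"(\\InProcServer32)?\\ = \"(.*)\"$", re.I)
# Zone 3 (Internet) action 2500 is Protected Mode: 0 = on, 3 = off.
PM_RE = re.compile(r"\\Internet Settings\\Zones\\3\\2500 = \"(\d+)\"$", re.I)
BANNER_RE = re.compile(r"\\Internet Explorer\\Main\\NoProtectedModeBanner = \"(\d+)\"$", re.I)
# Heuristic (this example's assumption): an NSIS temp name such as nst8F38.dll, anything under
# \Temp\, or an unexpanded $R1.dll is not where a legitimately installed BHO lives.
UNUSUAL_PATH_RE = re.compile(r"\\ns[a-z][0-9a-f]{4}\.dll$|\\Temp\\|\$R\d+\.dll$", re.I)

# Constructed from this report's behavioral1 and behavioral9 indicator rows (not a sandbox export).
SAMPLE_BEHAVIORAL1 = [
    r'Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ac812c6-b714-e717-7e5e-77de319fc517}',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7ac812c6-b714-e717-7e5e-77de319fc517}\NoExplorer = "\"\""',
    r'Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"',
    r'Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"',
    r'Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\ = "adtimes"',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\InProcServer32\ = "C:\\Windows\\SysWow64\\nst8F38.dll"',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\InProcServer32\ThreadingModel = "Apartment"',
]
SAMPLE_BEHAVIORAL9 = [
    r'Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\ = "adtimes"',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R1.dll"',
]


def parse_events(lines):
    """Split '<action> | <indicator>' rows into (action, indicator) tuples."""
    events = []
    for line in lines:
        if "|" not in line:
            continue
        action, indicator = (part.strip() for part in line.split("|", 1))
        events.append((action, indicator))
    return events


def analyze(lines):
    """Return Protected Mode tampering flags plus one record per registered BHO."""
    clsids = {}  # clsid -> {"registered": bool, "name": str, "inproc": str}
    result = {"protected_mode_disabled": False, "banner_suppressed": False, "bhos": []}
    for _action, ind in parse_events(lines):
        m = BHO_RE.search(ind)
        if m:
            clsids.setdefault(m.group(1).lower(), {})["registered"] = True
            continue
        m = CLSID_RE.search(ind)
        if m:
            rec = clsids.setdefault(m.group(1).lower(), {})
            # the report escapes backslashes inside quoted values; undo that
            rec["inproc" if m.group(2) else "name"] = m.group(3).replace("\\\\", "\\")
            continue
        m = PM_RE.search(ind)
        if m and m.group(1) == "3":
            result["protected_mode_disabled"] = True
        m = BANNER_RE.search(ind)
        if m and m.group(1) == "1":
            result["banner_suppressed"] = True
    for clsid, rec in clsids.items():
        if not rec.get("registered"):
            continue  # a CLSID alone is not a BHO; it needs the Explorer\BHO entry
        inproc = rec.get("inproc", "")
        result["bhos"].append({
            "clsid": clsid,
            "name": rec.get("name", ""),
            "inproc": inproc,
            "unusual_path": bool(UNUSUAL_PATH_RE.search(inproc)),
        })
    return result


if __name__ == "__main__":
    for label, sample in (("behavioral1", SAMPLE_BEHAVIORAL1), ("behavioral9", SAMPLE_BEHAVIORAL9)):
        print(label, analyze(sample))
```

Run against behavioral1 the result carries both Protected Mode flags and one BHO record ({7ac812c6-...}, "adtimes", C:\Windows\SysWow64\nst8F38.dll, unusual path); against behavioral9 it carries no Protected Mode flags and the {3f0e742a-...} record pointing at Temp\$R1.dll. The same logic applied to a live host (HKLM\SOFTWARE\Wow6432Node\...\Browser Helper Objects and HKCR\Wow6432Node\CLSID) is the check to run when cleaning up: remove the BHO entry and the CLSID, delete the InProcServer32 target, and set Zones\3\2500 back to 0.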
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 312 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2720 wrote to memory of 312 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2720 wrote to memory of 312 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R1.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$R1.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| GB | 96.17.178.195:80 | N/A | tcp |
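Across the Network tables in this report (behavioral1, behavioral2, behavioral4, behavioral6, behavioral8 and behavioral10) only a few rows are driven by the sample: the DNS query for adtimes.info, the TCP connection to 3.33.130.190:80 under that name, and, in behavioral10, a direct connection to 96.17.178.195:80 with no preceding DNS row. The rest is the resolver at 8.8.8.8:53 answering reverse (in-addr.arpa) lookups and, on the Win10 images, the bing.com and bing.net traffic that also appears in the runs that do nothing but crash a plugin DLL under rundll32. The following is an added example, not code from the sandbox, that turns rows of the shape used above into a deduplicated IOC list, counts the filtered rows as noise, and tolerates a row with a missing Domain cell; the allow-list of background domains is this example's own assumption, and the sample rows are constructed from this report's tables.

```python
"""Extract sample-driven network IOCs from sandbox 'Network' table rows (added example)."""
import re
from collections import Counter

PTR_RE = re.compile(r"\.(in-addr|ip6)\.arpa$", re.I)
# Assumed benign background traffic of the Win10 sandbox image, not something the sample started.
NOISE_DOMAIN_RE = re.compile(r"(^|\.)bing\.(com|net)$", re.I)
RESOLVER = "8.8.8.8:53"

# Constructed from rows in this report's behavioral1, behavioral2 and behavioral10 Network tables.
SAMPLE_NETWORK = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | adtimes.info | udp |
| US | 3.33.130.190:80 | adtimes.info | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.195:80 | tcp |
"""


def parse_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows; a 3-cell row has no Domain."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0].lower() == "country":
            continue  # header row
        if len(cells) == 3:
            country, dest, proto = cells
            domain = ""
        elif len(cells) == 4:
            country, dest, domain, proto = cells
        else:
            continue  # malformed row; skip rather than guess
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def triage(text):
    """Return {'domains': Counter, 'endpoints': Counter, 'noise': int}.

    Queries to the resolver contribute only the queried name; PTR lookups and allow-listed
    background domains are counted as noise and dropped. Endpoints are (dest, proto, domain),
    with '<no-dns>' when the connection had no resolved name in the table.
    """
    domains, endpoints, noise = Counter(), Counter(), 0
    for row in parse_rows(text):
        name = row["domain"]
        if PTR_RE.search(name) or NOISE_DOMAIN_RE.search(name):
            noise += 1
            continue
        if row["dest"] == RESOLVER:
            if name:
                domains[name] += 1
            continue
        endpoints[(row["dest"], row["proto"], name or "<no-dns>")] += 1
        if name:
            domains[name] += 1
    return {"domains": domains, "endpoints": endpoints, "noise": noise}


if __name__ == "__main__":
    summary = triage(SAMPLE_NETWORK)
    print("domains:", dict(summary["domains"]))
    print("endpoints:", dict(summary["endpoints"]))
    print("rows dropped as noise:", summary["noise"])
```

On the constructed sample this yields adtimes.info as the only domain, two endpoints (3.33.130.190:80/tcp for adtimes.info and 96.17.178.195:80/tcp with no DNS) and five noise rows. A direct-to-IP connection with no DNS row, as in the last line, is the case to keep an eye on when blocking by domain only.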