Analysis Overview
SHA256
088bb68fbf4041fb6791391b3341f072d4d80d09aee987476a0b2946f814b5bf
Threat Level: Shows suspicious behavior
The file dc8a4459e85921933103422b753283a1 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 20:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 228
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win7-20231129-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 224
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\UE_TOOLBAR\Cache\{6275FC9A-992D-4328-AE18-62ECF556A0EA} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} = 01 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\ = "UE_TOOLBAR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.UE_TOOLBAR\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.UE_TOOLBAR\Clsid\ = "{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\ProgID\ = "$R0.UE_TOOLBAR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.UE_TOOLBAR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.UE_TOOLBAR\ = "UE_TOOLBAR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1336 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1336 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1336 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1336 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1336 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1336 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1336 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$R0.dll
Network
Files
memory/1908-0-0x0000000002350000-0x00000000024F9000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 44.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/1156-0-0x0000000000400000-0x0000000000416000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe
"C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nso6FB5.tmp\UserInfo.dll
| MD5 | 43f01045f0ea2fba6987be0c5acc4f09 |
| SHA1 | de970efa43539d7d2c5ddf41e741cef7819e86b6 |
| SHA256 | a535dcf35a0b8f89b32fa61f0f2e168de421f90f0ef4956132050cb0d8140ab2 |
| SHA512 | fb187cc74b213b8ef5903b52baccf44ec9d24ef6ce18c6a38309a07a1baee5434790057fa6a892ff07ec9f94c3bee2bd6f66fca39f0995087e7611db8cfbc236 |
C:\Users\Admin\AppData\Local\Temp\nso6FB5.tmp\ioSpecial.ini
| MD5 | 26055f241a3bcd245b596ddb22534cdd |
| SHA1 | a582890af85bedf37c4d8778fbe3696b299fa893 |
| SHA256 | c7f240812d7aa047707cc660a5f2e6863301f9940072a0ce66783b853931be8a |
| SHA512 | e73d835021669722863ae10d1eeb833aac8f5dc2df93000f098fb5134f7b754addabe2888d9a10f728cd4c1d0b532c5caa1545b0b299db72d08ad8ab779d00bf |
\Users\Admin\AppData\Local\Temp\nso6FB5.tmp\InstallOptions.dll
| MD5 | cce5450725a9429a1d3c7aa851d40e8d |
| SHA1 | 05722500e42757ac03f2558452a064b906e31937 |
| SHA256 | d850c786a68df9520a3ecf2a96f4f091c9bae71d3adbf7731e8c172533cb266d |
| SHA512 | 3ddb56429e097ecf942e8a5147ba4c4191c52b736df267934f0dca75ffa74faffee8911dda47c5d2542f91138abbcaf61be3e3d68b368631d6bc21e254b5c637 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:30
Platform
win7-20240221-en
Max time kernel
117s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 248
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:30
Platform
win7-20240221-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 228
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4552 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4552 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4552 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4288 -ip 4288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.113.50.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win7-20240221-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
Network
Files
memory/1252-0-0x0000000000400000-0x0000000000416000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win10v2004-20231215-en
Max time kernel
96s
Max time network
153s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe
"C:\Users\Admin\AppData\Local\Temp\dc8a4459e85921933103422b753283a1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| GB | 92.123.241.137:80 | www.microsoft.com | tcp |
| GB | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.113.50.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\UserInfo.dll
| MD5 | 43f01045f0ea2fba6987be0c5acc4f09 |
| SHA1 | de970efa43539d7d2c5ddf41e741cef7819e86b6 |
| SHA256 | a535dcf35a0b8f89b32fa61f0f2e168de421f90f0ef4956132050cb0d8140ab2 |
| SHA512 | fb187cc74b213b8ef5903b52baccf44ec9d24ef6ce18c6a38309a07a1baee5434790057fa6a892ff07ec9f94c3bee2bd6f66fca39f0995087e7611db8cfbc236 |
C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\ioSpecial.ini
| MD5 | 35cfbdfca0fe556f11569331abe031ec |
| SHA1 | 58157a2e642af35c7f1ca86a9cf91e00f0064fa2 |
| SHA256 | c2b1e5d0a112844f5ed231144a5f1d1856c4b82be2c71bdf8a5464bf8776d41a |
| SHA512 | ea779cae3cda1729ce2a83661cc2e3a6da098bdf72565c3c640214f019373653d7519f05602c74d9bd319013397db0b14e30ab44391ec7296ada4aa425985619 |
C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\InstallOptions.dll
| MD5 | cce5450725a9429a1d3c7aa851d40e8d |
| SHA1 | 05722500e42757ac03f2558452a064b906e31937 |
| SHA256 | d850c786a68df9520a3ecf2a96f4f091c9bae71d3adbf7731e8c172533cb266d |
| SHA512 | 3ddb56429e097ecf942e8a5147ba4c4191c52b736df267934f0dca75ffa74faffee8911dda47c5d2542f91138abbcaf61be3e3d68b368631d6bc21e254b5c637 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:30
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
196s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1256 wrote to memory of 3760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1256 wrote to memory of 3760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1256 wrote to memory of 3760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 3760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.179.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 52.111.227.13:443 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:30
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3532 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3532 wrote to memory of 868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 868 -ip 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 624
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.179.17.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
153s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\UE_TOOLBAR\Cache\{E0AF4509-9E58-4BFD-A845-71884340BBE5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} = 01 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\ = "UE_TOOLBAR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.UE_TOOLBAR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.UE_TOOLBAR\Clsid\ = "{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\ProgID\ = "$R0.UE_TOOLBAR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.UE_TOOLBAR\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\$R0.UE_TOOLBAR\ = "UE_TOOLBAR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2960 wrote to memory of 4340 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2960 wrote to memory of 4340 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2960 wrote to memory of 4340 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$R0.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.225.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4340-0-0x00000000024C0000-0x0000000002669000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v2.$_6_.exe
"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v2.$_6_.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:29
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3104 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3104 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3104 wrote to memory of 544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 544 -ip 544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-21 20:27
Reported
2024-03-21 20:30
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v2.$_6_.exe
"C:\Users\Admin\AppData\Local\Temp\$R2\NSIS.Library.RegTool.v2.$_6_.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.225.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp |