Malware Analysis Report

2025-06-16 03:44

Sample ID 240325-tp8k6sfd5z
Target ORDER88273747829304.exe
SHA256 f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea

Threat Level: Known bad

The file ORDER88273747829304.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Loads dropped DLL

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 16:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 16:15

Reported

2024-03-25 16:17

Platform

win7-20240221-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1196 set thread context of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\stumpnsedes\uforbeholdenheds.lnk C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\resources\murkier.lnk C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A
File opened for modification C:\Windows\resources\murkier.lnk C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe
PID 1196 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe
PID 1196 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe
PID 1196 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe
PID 1196 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe
PID 1196 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe
PID 1244 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Windows\SysWOW64\WerFault.exe
PID 1244 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Windows\SysWOW64\WerFault.exe
PID 1244 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Windows\SysWOW64\WerFault.exe
PID 1244 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 464

Network

Country Destination Domain Proto
US 8.8.8.8:53 renzoll.com udp
VN 103.20.145.3:80 renzoll.com tcp

Files

C:\Windows\Resources\murkier.lnk

MD5 3ac938a720291341bd2d690f9da5c283
SHA1 4de2768a482583e563ca5e8f4bc4b39c9da400a7
SHA256 fddf42cb02691ea1aca5c47ae383eb6613f470725f39117f7a5783ebe37778e1
SHA512 c60729ba8eff929c9ac3f13f0ed3d013d2f124a33062afaf37af1eb13b8fbb7a9c3ec34803f76f61bb7e48398cefe5732164e15bed3afdbf43dcf9d2ba45468b

\Users\Admin\AppData\Local\Temp\nso2204.tmp\System.dll

MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 fb7e9f0a2cfd292c2a31edc1b25b3c4e
SHA1 fab73738d595e2428ea4da5cdeaab8e5e1ac7764
SHA256 6305d408267ea7ac8ef8ea596c082fe8259c86ea842702bfeeeecfe05cd9e062
SHA512 d87a24e83ed916027a2fb75d9d35ba00be0005e85532c3db387784bc9a42d4f02aac7225c2799fff37559664ecc62f0e05c76744c8eb313a3377670bfc02e9b1

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 d856983df5f78b6918c4e0680279fea2
SHA1 03e1d3160bae500d7a6facae108c0ed1d9003c4b
SHA256 23a07e8c9efa38a34f21a116314ab925aa4a04fb287a39cbf965b9f478bdd676
SHA512 c52fda0cb3324ce3b111092780528a8210bd3d46baece0dbbfc4feee43b36c3f975e4d9d3e50833938cc32a3ae5dcbbc74bbfa1ce4e69f88073c6382a8d15b2e

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 82b08967613d161614588d050a924bb1
SHA1 b9a29a8475ffc2ebeb4cb8cef70ef1c70b7dd0a3
SHA256 a7ecdfddad858b4815a3b0871d42621b3d57ba0f1e78c3013a7621ac7e7cfe15
SHA512 d57a0c00638531e86c478b0656608753fac9063a833096e3c684fc4a1ff26f7c2af8348052c550beca6a08a4ef88fc37fa1e9c08fc8a6b96529699c333b3f8dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Asteriskerne.lnk

MD5 1e05ec7edd7b8b85501b919539d5f4a4
SHA1 fb97cdff2ab05ac13f79862829f0f235a1cf29ee
SHA256 a2ffbfe69d96474faa760f3d0cf2038ee6d64e5f1170309d9be2d37328341db1
SHA512 088279ae0672169692cd3bae2d6a80a9aa3d00f3f0acdb1a39adbfc433c815280d720ea660c83c161bdfbe49b54bd242b0f1e2ece06d9739f33e431891f601fe

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 019803e333ae98d5541e83869a5ac694
SHA1 5d8b0ec6e8218569358a55af9359718039283588
SHA256 e09cc06c305ca1d6bdc9c9929a5403040ca9115ff27a6f385bf1fce9eef5b773
SHA512 7f6039d023b6bc43d7df7c87fb4500d9d5004aae4f137f1fb47ced2c52400fbd2b12c7643acd5baefcc339e88f3a3d972e8e160ac7ed04c180d5cd5cc7dec403

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 16:15

Reported

2024-03-25 16:17

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1348 set thread context of 1860 N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\stumpnsedes\uforbeholdenheds.lnk C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\resources\murkier.lnk C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A
File opened for modification C:\Windows\resources\murkier.lnk C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 renzoll.com udp
VN 103.20.145.3:80 renzoll.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 3.145.20.103.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\Windows\Resources\murkier.lnk

MD5 fd3740d48bd06612a568ad694c0f2de0
SHA1 1a5ee3f6bd532c4e6365056ef467cc9ed68849f9
SHA256 9548d896c43b9e7f3ebbf69d18d6f8cca86bb610a597fa200a83c42c685faae3
SHA512 96a1a2b5480aacf9c30e16117621ff79422881cfb73183534e49398bfe61d2ba38feec02a1880a877afec75f819a9c2b519280723fcfc8cf9f2adeb3386df259

C:\Users\Admin\AppData\Local\Temp\nsn2623.tmp\System.dll

MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 fb7e9f0a2cfd292c2a31edc1b25b3c4e
SHA1 fab73738d595e2428ea4da5cdeaab8e5e1ac7764
SHA256 6305d408267ea7ac8ef8ea596c082fe8259c86ea842702bfeeeecfe05cd9e062
SHA512 d87a24e83ed916027a2fb75d9d35ba00be0005e85532c3db387784bc9a42d4f02aac7225c2799fff37559664ecc62f0e05c76744c8eb313a3377670bfc02e9b1

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 d856983df5f78b6918c4e0680279fea2
SHA1 03e1d3160bae500d7a6facae108c0ed1d9003c4b
SHA256 23a07e8c9efa38a34f21a116314ab925aa4a04fb287a39cbf965b9f478bdd676
SHA512 c52fda0cb3324ce3b111092780528a8210bd3d46baece0dbbfc4feee43b36c3f975e4d9d3e50833938cc32a3ae5dcbbc74bbfa1ce4e69f88073c6382a8d15b2e

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 82b08967613d161614588d050a924bb1
SHA1 b9a29a8475ffc2ebeb4cb8cef70ef1c70b7dd0a3
SHA256 a7ecdfddad858b4815a3b0871d42621b3d57ba0f1e78c3013a7621ac7e7cfe15
SHA512 d57a0c00638531e86c478b0656608753fac9063a833096e3c684fc4a1ff26f7c2af8348052c550beca6a08a4ef88fc37fa1e9c08fc8a6b96529699c333b3f8dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Asteriskerne.lnk

MD5 b531981807e55ed48524b3906888f99d
SHA1 8fc249d18c06e8e26694aec32c71a21f6d6c39e6
SHA256 d4100f6d7c653d9b505bd64d2993459d8b426e01f40823c4918783e139c8e59f
SHA512 224d3d90639671031de911671a1b5c7355c53600213ebe5a2c29161a71c47a66ebbcc5cc025ccc1285094ca21da8bd5d01aea226dea47d4c4e6f5ad59da9ec47

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 019803e333ae98d5541e83869a5ac694
SHA1 5d8b0ec6e8218569358a55af9359718039283588
SHA256 e09cc06c305ca1d6bdc9c9929a5403040ca9115ff27a6f385bf1fce9eef5b773
SHA512 7f6039d023b6bc43d7df7c87fb4500d9d5004aae4f137f1fb47ced2c52400fbd2b12c7643acd5baefcc339e88f3a3d972e8e160ac7ed04c180d5cd5cc7dec403

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-25 16:15

Reported

2024-03-25 16:17

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-25 16:15

Reported

2024-03-25 16:17

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 1812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1812 -ip 1812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 612

Network

Files

N/A