Malware Analysis Report

2025-06-16 03:44

Sample ID 240325-tsszwsfe2v
Target ORDER88273747829304.exe
SHA256 f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea

Threat Level: Known bad

The file ORDER88273747829304.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Loads dropped DLL

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 16:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 16:19

Reported

2024-03-25 16:22

Platform

win7-20240319-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2060 set thread context of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\stumpnsedes\uforbeholdenheds.lnk | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\resources\murkier.lnk | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A
File opened for modification | C:\Windows\resources\murkier.lnk | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | renzoll.com | udp
VN | 103.20.145.3:80 | renzoll.com | tcp

Files

C:\Windows\Resources\murkier.lnk

MD5 2c317b138dc769e9c54c8f299705d425
SHA1 ce81bb74ebdfd77217fb7d727c75ed42ba767ceb
SHA256 2f64b84f9b6f4ac227c4049564eb056f6e74faef242ed1e04d0075ef7478bf8c
SHA512 21dced78ceaa7b64f985dca09fb0c289272a6b5335516c9cb38392ffb7aba3ad0f0cb50a55c5e2b5592923e7fde38fdd4d176b896a35d86ba3aa128640d512ae

\Users\Admin\AppData\Local\Temp\nso450E.tmp\System.dll

MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 fb7e9f0a2cfd292c2a31edc1b25b3c4e
SHA1 fab73738d595e2428ea4da5cdeaab8e5e1ac7764
SHA256 6305d408267ea7ac8ef8ea596c082fe8259c86ea842702bfeeeecfe05cd9e062
SHA512 d87a24e83ed916027a2fb75d9d35ba00be0005e85532c3db387784bc9a42d4f02aac7225c2799fff37559664ecc62f0e05c76744c8eb313a3377670bfc02e9b1

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 d856983df5f78b6918c4e0680279fea2
SHA1 03e1d3160bae500d7a6facae108c0ed1d9003c4b
SHA256 23a07e8c9efa38a34f21a116314ab925aa4a04fb287a39cbf965b9f478bdd676
SHA512 c52fda0cb3324ce3b111092780528a8210bd3d46baece0dbbfc4feee43b36c3f975e4d9d3e50833938cc32a3ae5dcbbc74bbfa1ce4e69f88073c6382a8d15b2e

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 82b08967613d161614588d050a924bb1
SHA1 b9a29a8475ffc2ebeb4cb8cef70ef1c70b7dd0a3
SHA256 a7ecdfddad858b4815a3b0871d42621b3d57ba0f1e78c3013a7621ac7e7cfe15
SHA512 d57a0c00638531e86c478b0656608753fac9063a833096e3c684fc4a1ff26f7c2af8348052c550beca6a08a4ef88fc37fa1e9c08fc8a6b96529699c333b3f8dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Asteriskerne.lnk

MD5 1e05ec7edd7b8b85501b919539d5f4a4
SHA1 fb97cdff2ab05ac13f79862829f0f235a1cf29ee
SHA256 a2ffbfe69d96474faa760f3d0cf2038ee6d64e5f1170309d9be2d37328341db1
SHA512 088279ae0672169692cd3bae2d6a80a9aa3d00f3f0acdb1a39adbfc433c815280d720ea660c83c161bdfbe49b54bd242b0f1e2ece06d9739f33e431891f601fe

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 019803e333ae98d5541e83869a5ac694
SHA1 5d8b0ec6e8218569358a55af9359718039283588
SHA256 e09cc06c305ca1d6bdc9c9929a5403040ca9115ff27a6f385bf1fce9eef5b773
SHA512 7f6039d023b6bc43d7df7c87fb4500d9d5004aae4f137f1fb47ced2c52400fbd2b12c7643acd5baefcc339e88f3a3d972e8e160ac7ed04c180d5cd5cc7dec403

memory/2060-268-0x0000000003A40000-0x00000000044F7000-memory.dmp

memory/2060-269-0x0000000077640000-0x00000000777E9000-memory.dmp

memory/2060-270-0x0000000077830000-0x0000000077906000-memory.dmp

memory/2060-271-0x0000000010000000-0x0000000010006000-memory.dmp

memory/1328-272-0x00000000014F0000-0x0000000001FA7000-memory.dmp

memory/2060-273-0x0000000003A40000-0x00000000044F7000-memory.dmp

memory/1328-274-0x0000000077640000-0x00000000777E9000-memory.dmp

memory/1328-275-0x0000000077866000-0x0000000077867000-memory.dmp

memory/1328-276-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-277-0x00000000014F0000-0x0000000001FA7000-memory.dmp

memory/2060-279-0x0000000003A40000-0x00000000044F7000-memory.dmp

memory/1328-278-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-280-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-281-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-282-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-283-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-284-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-286-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-287-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-288-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-289-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-290-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-291-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-292-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-293-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-294-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-295-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-296-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-297-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-298-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-299-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-300-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-301-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-302-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-303-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-304-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-305-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-306-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-307-0x0000000077830000-0x0000000077906000-memory.dmp

memory/1328-308-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-309-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-310-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-312-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-313-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-314-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-315-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-316-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-317-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-318-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-319-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-320-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-321-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-322-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-323-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-324-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-325-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-326-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-327-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-328-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-329-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-330-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-331-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-332-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-333-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-334-0x0000000000480000-0x00000000014E2000-memory.dmp

memory/1328-335-0x0000000000480000-0x00000000014E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 16:19

Reported

2024-03-25 16:22

Platform

win10v2004-20240226-en

Max time kernel

18s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5076 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\stumpnsedes\uforbeholdenheds.lnk | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\resources\murkier.lnk | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A
File opened for modification | C:\Windows\resources\murkier.lnk | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe

"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | renzoll.com | udp
VN | 103.20.145.3:80 | renzoll.com | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.145.20.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp

Files

C:\Windows\Resources\murkier.lnk

MD5 e34f5967eab465812e8ad8392bc6e3a6
SHA1 12fa38d4f8ad03c108126d1bc187eef15c934e03
SHA256 ebf22fe3cc076cc8e0e4db7522a1fadc160da71d4980bfd9dbf53c44231551c5
SHA512 da60693387352bf8c9baec0cc4e46346b0af6705a9ca5182e5b9816c38ee4b45d4782369a5cbe578585fcf2638d48109e559dfaba5e25e90691c5a6e33497284

C:\Users\Admin\AppData\Local\Temp\nsb300B.tmp\System.dll

MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 83ba0e43146bd6b154cd4db8918268ec
SHA1 1802fb439cc0bf9cebbd0f7a88d807cb5c0f69af
SHA256 89d303c05766b6af6d4fe6ed4168110bd8071f770d2df24545b30e237e78f79f
SHA512 31a2c1c89e5268d47868423c5af5f91099ad9b0b79acdb1a58059aad5f8490b252f6d03cb8aae26ea51bf4fc2c02a56f64663224669a828a7f858eb6c2dde36f

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 d856983df5f78b6918c4e0680279fea2
SHA1 03e1d3160bae500d7a6facae108c0ed1d9003c4b
SHA256 23a07e8c9efa38a34f21a116314ab925aa4a04fb287a39cbf965b9f478bdd676
SHA512 c52fda0cb3324ce3b111092780528a8210bd3d46baece0dbbfc4feee43b36c3f975e4d9d3e50833938cc32a3ae5dcbbc74bbfa1ce4e69f88073c6382a8d15b2e

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 82b08967613d161614588d050a924bb1
SHA1 b9a29a8475ffc2ebeb4cb8cef70ef1c70b7dd0a3
SHA256 a7ecdfddad858b4815a3b0871d42621b3d57ba0f1e78c3013a7621ac7e7cfe15
SHA512 d57a0c00638531e86c478b0656608753fac9063a833096e3c684fc4a1ff26f7c2af8348052c550beca6a08a4ef88fc37fa1e9c08fc8a6b96529699c333b3f8dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Asteriskerne.lnk

MD5 b531981807e55ed48524b3906888f99d
SHA1 8fc249d18c06e8e26694aec32c71a21f6d6c39e6
SHA256 d4100f6d7c653d9b505bd64d2993459d8b426e01f40823c4918783e139c8e59f
SHA512 224d3d90639671031de911671a1b5c7355c53600213ebe5a2c29161a71c47a66ebbcc5cc025ccc1285094ca21da8bd5d01aea226dea47d4c4e6f5ad59da9ec47

C:\Users\Admin\AppData\Local\Temp\Cambo.ini

MD5 019803e333ae98d5541e83869a5ac694
SHA1 5d8b0ec6e8218569358a55af9359718039283588
SHA256 e09cc06c305ca1d6bdc9c9929a5403040ca9115ff27a6f385bf1fce9eef5b773
SHA512 7f6039d023b6bc43d7df7c87fb4500d9d5004aae4f137f1fb47ced2c52400fbd2b12c7643acd5baefcc339e88f3a3d972e8e160ac7ed04c180d5cd5cc7dec403

memory/5076-266-0x0000000005210000-0x0000000005CC7000-memory.dmp

memory/5076-267-0x0000000077071000-0x0000000077191000-memory.dmp

memory/5076-268-0x0000000010000000-0x0000000010006000-memory.dmp

memory/2724-269-0x00000000016E0000-0x0000000002197000-memory.dmp

memory/2724-270-0x00000000770F8000-0x00000000770F9000-memory.dmp

memory/2724-271-0x0000000077115000-0x0000000077116000-memory.dmp

memory/5076-272-0x0000000005210000-0x0000000005CC7000-memory.dmp

memory/2724-273-0x00000000016E0000-0x0000000002197000-memory.dmp

memory/2724-275-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/5076-274-0x0000000005210000-0x0000000005CC7000-memory.dmp

memory/2724-276-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-277-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-278-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-279-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-280-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-281-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-282-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-284-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-285-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-286-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-287-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-288-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-289-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-290-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-291-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-292-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-293-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-294-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-295-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-296-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-297-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-298-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-299-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-300-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-301-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-302-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-303-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-304-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-305-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-306-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-307-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-308-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-309-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-310-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-311-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-312-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/2724-313-0x0000000000480000-0x00000000016D4000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-25 16:19

Reported

2024-03-25 16:22

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-25 16:19

Reported

2024-03-25 16:22

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4152 wrote to memory of 4616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4152 wrote to memory of 4616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4152 wrote to memory of 4616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4616 -ip 4616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 128.230.140.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp
GB | 96.17.178.205:80 | | tcp

Files

N/A