Malware Analysis Report

2024-10-18 22:20

Sample ID 240328-a2cjqahf94
Target SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe
SHA256 c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2
Tags qr link upx
Score 7/10

Analysis Overview

Score 7/10

SHA256 c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2

Threat Level: Shows suspicious behavior

The file SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags qr link upx

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Program crash

One or more HTTP URLs in qr code identified

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 00:42

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240215-en

Max time kernel

121s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 260

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 220

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 f2dc7d2733d165e77b62c68206aa2eee
SHA1 67dcc9a09c4aed29e7563572a7aee145fcf6ac49
SHA256 5aa20c035ad691041d9b5077b739238a4d061ea4e076fc5e019259ffa0e96045
SHA512 dc06d87a983eafe3df320ed1a5ed16f9c9b1beb45192e7c3f33c40e477d865edec9635058786dc84928e5545b613afde4cc2161cb3e8283fc17877086d3f0e2a

C:\Users\Admin\AppData\Local\Temp\nsg4A2A.tmp\NsLauncher.dll

MD5 619afd4d3db1162e81a9b1d2613599e4
SHA1 8ff866c26e6dba79e9c6375173080aa3f632867a
SHA256 8dbe1d37ecba8ea3bd95ac17c51e57136fdca858d3393d8126f2e9c49c49d410
SHA512 ba13410e10e112568ee8c32416982ca754ad37079f26a6cefaabd70cb42d6a215cf0adc202c11bd74b3544f9d95445f637b50a6bd90b5698eee000929449c873

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:45

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 224

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 4108 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3724 wrote to memory of 4108 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3724 wrote to memory of 4108 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 604

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe"

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\nsyFC7A.tmp\NsLauncher.dll

MD5 619afd4d3db1162e81a9b1d2613599e4
SHA1 8ff866c26e6dba79e9c6375173080aa3f632867a
SHA256 8dbe1d37ecba8ea3bd95ac17c51e57136fdca858d3393d8126f2e9c49c49d410
SHA512 ba13410e10e112568ee8c32416982ca754ad37079f26a6cefaabd70cb42d6a215cf0adc202c11bd74b3544f9d95445f637b50a6bd90b5698eee000929449c873

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:45

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 3356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3196 wrote to memory of 3356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3196 wrote to memory of 3356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3356 -ip 3356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:45

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4748 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4748 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1604 -ip 1604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

120s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 f2dc7d2733d165e77b62c68206aa2eee
SHA1 67dcc9a09c4aed29e7563572a7aee145fcf6ac49
SHA256 5aa20c035ad691041d9b5077b739238a4d061ea4e076fc5e019259ffa0e96045
SHA512 dc06d87a983eafe3df320ed1a5ed16f9c9b1beb45192e7c3f33c40e477d865edec9635058786dc84928e5545b613afde4cc2161cb3e8283fc17877086d3f0e2a

\Users\Admin\AppData\Local\Temp\nst168F.tmp\NsLauncher.dll

MD5 619afd4d3db1162e81a9b1d2613599e4
SHA1 8ff866c26e6dba79e9c6375173080aa3f632867a
SHA256 8dbe1d37ecba8ea3bd95ac17c51e57136fdca858d3393d8126f2e9c49c49d410
SHA512 ba13410e10e112568ee8c32416982ca754ad37079f26a6cefaabd70cb42d6a215cf0adc202c11bd74b3544f9d95445f637b50a6bd90b5698eee000929449c873

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 228

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

133s

Max time network

137s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 232

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

114s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 1620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 1620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 1620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1620 -ip 1620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3112,i,1786399861560734457,5606877702857066305,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 4396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 4396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 4396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 612

Network


Files

memory/4396-0-0x00000000757C0000-0x00000000757C9000-memory.dmp

memory/4396-1-0x00000000757C0000-0x00000000757C9000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240319-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 264

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Network


Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 700 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 700 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 700 wrote to memory of 116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 672

Network


Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1848 -ip 1848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 680

Network


Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:45

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 1616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3328 wrote to memory of 1616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3328 wrote to memory of 1616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Network


Files

memory/1616-0-0x0000000076450000-0x0000000076460000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:45

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TScope.Malware-Cryptor.SB.3839.14708.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\nsoF658.tmp\NsLauncher.dll

MD5 619afd4d3db1162e81a9b1d2613599e4
SHA1 8ff866c26e6dba79e9c6375173080aa3f632867a
SHA256 8dbe1d37ecba8ea3bd95ac17c51e57136fdca858d3393d8126f2e9c49c49d410
SHA512 ba13410e10e112568ee8c32416982ca754ad37079f26a6cefaabd70cb42d6a215cf0adc202c11bd74b3544f9d95445f637b50a6bd90b5698eee000929449c873

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

141s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 224

Network

N/A

Files

memory/2748-0-0x0000000074F30000-0x0000000074F39000-memory.dmp

memory/2748-1-0x0000000074F20000-0x0000000074F29000-memory.dmp

memory/2748-4-0x0000000074F30000-0x0000000074F39000-memory.dmp

memory/2748-5-0x0000000074F30000-0x0000000074F39000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-28 00:42

Reported

2024-03-28 00:44

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Network


Files

N/A