Malware Analysis Report

2024-10-18 22:19

Sample ID 240329-c4nqwaga89
Target c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2.exe
SHA256 c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2
Tags
upx qr link
score
10/10

Analysis Overview

score
10/10

SHA256

c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2

Threat Level: Known bad

The file c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2.exe was found to be: Known bad.

Malicious Activity Summary

upx qr link

UPX dump on OEP (original entry point)

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Program crash

Enumerates physical storage devices

One or more HTTP URLs in qr code identified

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-03-29 02:38

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:41

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1512 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1512 wrote to memory of 3776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3776 -ip 3776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 4736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 4736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 4736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4736 -ip 4736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 672

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240319-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 264

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 4008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1496 wrote to memory of 4008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1496 wrote to memory of 4008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4008 -ip 4008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4008-0-0x0000000074AB0000-0x0000000074AB9000-memory.dmp

memory/4008-1-0x0000000074AB0000-0x0000000074AB9000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:41

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 812 wrote to memory of 3628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 812 wrote to memory of 3628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 812 wrote to memory of 3628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 72.135.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240220-en

Max time kernel

140s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 220

Network

N/A

Files

memory/2460-0-0x00000000753D0000-0x00000000753D9000-memory.dmp

memory/2460-1-0x00000000753C0000-0x00000000753C9000-memory.dmp

memory/2460-4-0x00000000753D0000-0x00000000753D9000-memory.dmp

memory/2460-5-0x00000000753D0000-0x00000000753D9000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:41

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 89.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2.exe

"C:\Users\Admin\AppData\Local\Temp\c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
US 163.181.154.217:443 imv2-gl.farlightgames.com tcp
US 8.8.8.8:53 app.farlightgames.com udp
US 8.8.8.8:53 app.farlightgames.com udp
GB 104.86.110.59:443 app.farlightgames.com tcp
GB 104.86.110.59:443 app.farlightgames.com tcp
N/A 127.0.0.1:49196 tcp
N/A 127.0.0.1:49199 tcp
N/A 127.0.0.1:49201 tcp
GB 104.86.110.59:443 app.farlightgames.com tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp
N/A 127.0.0.1:49205 tcp
N/A 127.0.0.1:49208 tcp

Files

\Users\Admin\AppData\Local\Temp\nsy1BDC.tmp\NsLauncher.dll

MD5 619afd4d3db1162e81a9b1d2613599e4
SHA1 8ff866c26e6dba79e9c6375173080aa3f632867a
SHA256 8dbe1d37ecba8ea3bd95ac17c51e57136fdca858d3393d8126f2e9c49c49d410
SHA512 ba13410e10e112568ee8c32416982ca754ad37079f26a6cefaabd70cb42d6a215cf0adc202c11bd74b3544f9d95445f637b50a6bd90b5698eee000929449c873

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2.exe

"C:\Users\Admin\AppData\Local\Temp\c06593ff827ef7579a8612a6e92262683469d2314e6d1aa930c1b032e6320ec2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
US 163.181.154.217:443 imv2-gl.farlightgames.com tcp
US 8.8.8.8:53 app.farlightgames.com udp
GB 104.86.110.75:443 app.farlightgames.com tcp
GB 104.86.110.75:443 app.farlightgames.com tcp
US 8.8.8.8:53 217.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 75.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
N/A 127.0.0.1:63981 tcp
N/A 127.0.0.1:63984 tcp
N/A 127.0.0.1:63986 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
GB 104.86.110.75:443 app.farlightgames.com tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp
N/A 127.0.0.1:63993 tcp
N/A 127.0.0.1:63996 tcp
US 8.8.8.8:53 19.110.36.34.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsy67E4.tmp\NsLauncher.dll

MD5 619afd4d3db1162e81a9b1d2613599e4
SHA1 8ff866c26e6dba79e9c6375173080aa3f632867a
SHA256 8dbe1d37ecba8ea3bd95ac17c51e57136fdca858d3393d8126f2e9c49c49d410
SHA512 ba13410e10e112568ee8c32416982ca754ad37079f26a6cefaabd70cb42d6a215cf0adc202c11bd74b3544f9d95445f637b50a6bd90b5698eee000929449c873

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 232

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:41

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240319-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 89.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

94s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
US 163.181.154.217:443 imv2-gl.farlightgames.com tcp
US 8.8.8.8:53 app.farlightgames.com udp
GB 104.86.110.75:443 app.farlightgames.com tcp
GB 104.86.110.75:443 app.farlightgames.com tcp
N/A 127.0.0.1:56931 tcp
N/A 127.0.0.1:56935 tcp
N/A 127.0.0.1:56936 tcp
US 8.8.8.8:53 217.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.110.86.104.in-addr.arpa udp
GB 104.86.110.75:443 app.farlightgames.com tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp
N/A 127.0.0.1:56943 tcp
N/A 127.0.0.1:56946 tcp
US 8.8.8.8:53 19.110.36.34.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 89.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 f2dc7d2733d165e77b62c68206aa2eee
SHA1 67dcc9a09c4aed29e7563572a7aee145fcf6ac49
SHA256 5aa20c035ad691041d9b5077b739238a4d061ea4e076fc5e019259ffa0e96045
SHA512 dc06d87a983eafe3df320ed1a5ed16f9c9b1beb45192e7c3f33c40e477d865edec9635058786dc84928e5545b613afde4cc2161cb3e8283fc17877086d3f0e2a

C:\Users\Admin\AppData\Local\Temp\nsu39DE.tmp\NsLauncher.dll

MD5 619afd4d3db1162e81a9b1d2613599e4
SHA1 8ff866c26e6dba79e9c6375173080aa3f632867a
SHA256 8dbe1d37ecba8ea3bd95ac17c51e57136fdca858d3393d8126f2e9c49c49d410
SHA512 ba13410e10e112568ee8c32416982ca754ad37079f26a6cefaabd70cb42d6a215cf0adc202c11bd74b3544f9d95445f637b50a6bd90b5698eee000929449c873

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240215-en

Max time kernel

117s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 228

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 1764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 1764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 260

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 1412 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 static-gl.lilithgame.com udp
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
US 163.181.154.217:443 imv2-gl.farlightgames.com tcp
US 8.8.8.8:53 pc.crashsight.wetest.net udp
US 8.8.8.8:53 app.farlightgames.com udp
US 8.8.8.8:53 app.farlightgames.com udp
GB 104.86.110.75:443 app.farlightgames.com tcp
GB 104.86.110.59:443 app.farlightgames.com tcp
SG 101.33.48.102:443 pc.crashsight.wetest.net tcp
N/A 127.0.0.1:49190 tcp
N/A 127.0.0.1:49193 tcp
N/A 127.0.0.1:49195 tcp
US 163.181.154.239:443 static-gl.lilithgame.com tcp
US 163.181.154.239:443 static-gl.lilithgame.com tcp
US 163.181.154.239:443 static-gl.lilithgame.com tcp
US 163.181.154.239:443 static-gl.lilithgame.com tcp
US 163.181.154.239:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49200 tcp
N/A 127.0.0.1:49203 tcp
N/A 127.0.0.1:49206 tcp
N/A 127.0.0.1:49209 tcp
N/A 127.0.0.1:49223 tcp
N/A 127.0.0.1:49234 tcp
US 8.8.8.8:53 psp-api.farlightgames.com udp
SG 18.141.97.108:443 psp-api.farlightgames.com tcp
N/A 127.0.0.1:49240 tcp
US 8.8.8.8:53 d1s9fa96v0yqzs.cloudfront.net udp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49243 tcp
N/A 127.0.0.1:49253 tcp
GB 104.86.110.75:443 app.farlightgames.com tcp
N/A 127.0.0.1:49256 tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

101s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 3888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4704 wrote to memory of 3888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4704 wrote to memory of 3888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3888 -ip 3888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 672

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:41

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 219.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 static-gl.lilithgame.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
US 163.181.154.217:443 imv2-gl.farlightgames.com tcp
N/A 127.0.0.1:63555 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 pc.crashsight.wetest.net udp
SG 101.33.48.102:443 pc.crashsight.wetest.net tcp
US 8.8.8.8:53 app.farlightgames.com udp
GB 104.86.110.59:443 app.farlightgames.com tcp
GB 104.86.110.59:443 app.farlightgames.com tcp
US 163.181.154.242:443 static-gl.lilithgame.com tcp
US 163.181.154.242:443 static-gl.lilithgame.com tcp
US 163.181.154.242:443 static-gl.lilithgame.com tcp
US 163.181.154.242:443 static-gl.lilithgame.com tcp
US 163.181.154.242:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:63562 tcp
N/A 127.0.0.1:63564 tcp
N/A 127.0.0.1:63568 tcp
N/A 127.0.0.1:63571 tcp
N/A 127.0.0.1:63574 tcp
N/A 127.0.0.1:63577 tcp
N/A 127.0.0.1:63580 tcp
N/A 127.0.0.1:63592 tcp
US 8.8.8.8:53 psp-api.farlightgames.com udp
SG 18.141.97.108:443 psp-api.farlightgames.com tcp
US 8.8.8.8:53 102.48.33.101.in-addr.arpa udp
US 8.8.8.8:53 59.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 242.154.181.163.in-addr.arpa udp
N/A 127.0.0.1:63607 tcp
US 8.8.8.8:53 d1s9fa96v0yqzs.cloudfront.net udp
NL 18.239.82.212:443 d1s9fa96v0yqzs.cloudfront.net tcp
NL 18.239.82.212:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:63610 tcp
US 8.8.8.8:53 108.97.141.18.in-addr.arpa udp
US 8.8.8.8:53 212.82.239.18.in-addr.arpa udp
GB 104.86.110.59:443 app.farlightgames.com tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp
N/A 127.0.0.1:63620 tcp
N/A 127.0.0.1:63623 tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 19.110.36.34.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1376 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1376 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 89.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
N/A 127.0.0.1:49202 tcp
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
US 163.181.154.217:443 imv2-gl.farlightgames.com tcp
N/A 127.0.0.1:49205 tcp
N/A 127.0.0.1:49207 tcp
US 8.8.8.8:53 app.farlightgames.com udp
US 8.8.8.8:53 app.farlightgames.com udp
GB 104.86.110.75:443 app.farlightgames.com tcp
GB 104.86.110.75:443 app.farlightgames.com tcp
GB 104.86.110.75:443 app.farlightgames.com tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp
N/A 127.0.0.1:49212 tcp
N/A 127.0.0.1:49215 tcp

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 f2dc7d2733d165e77b62c68206aa2eee
SHA1 67dcc9a09c4aed29e7563572a7aee145fcf6ac49
SHA256 5aa20c035ad691041d9b5077b739238a4d061ea4e076fc5e019259ffa0e96045
SHA512 dc06d87a983eafe3df320ed1a5ed16f9c9b1beb45192e7c3f33c40e477d865edec9635058786dc84928e5545b613afde4cc2161cb3e8283fc17877086d3f0e2a

\Users\Admin\AppData\Local\Temp\nst5775.tmp\NsLauncher.dll

MD5 619afd4d3db1162e81a9b1d2613599e4
SHA1 8ff866c26e6dba79e9c6375173080aa3f632867a
SHA256 8dbe1d37ecba8ea3bd95ac17c51e57136fdca858d3393d8126f2e9c49c49d410
SHA512 ba13410e10e112568ee8c32416982ca754ad37079f26a6cefaabd70cb42d6a215cf0adc202c11bd74b3544f9d95445f637b50a6bd90b5698eee000929449c873

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-29 02:37

Reported

2024-03-29 02:40

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A