Analysis Overview
SHA256
0bd483a95d3f09154b1ef6a27298b0fbb3d4ac55e90d9c80ec362a89350d7f20
Threat Level: Likely benign
The file 0bd483a95d3f09154b1ef6a27298b0fbb3d4ac55e90d9c80ec362a89350d7f20 was found to be: Likely benign.
Malicious Activity Summary
One or more HTTP URLs in qr code identified
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-01 10:03
Signatures
One or more HTTP URLs in qr code identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr
"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr" /S
Network
Files
memory/1648-0-0x0000000000880000-0x000000000088C000-memory.dmp
memory/1648-1-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp
memory/1648-2-0x000000001AAF0000-0x000000001AB70000-memory.dmp
memory/1648-3-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp
memory/1648-4-0x000000001AAF0000-0x000000001AB70000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr
"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DmtWallpaper.scr" /S
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
memory/4072-0-0x0000000000590000-0x000000000059C000-memory.dmp
memory/4072-1-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
memory/4072-2-0x00000000027C0000-0x00000000027D0000-memory.dmp
memory/4072-3-0x00007FFE27BA0000-0x00007FFE28661000-memory.dmp
memory/4072-4-0x00000000027C0000-0x00000000027D0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win7-20231129-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#XIAOYI.VC.url"
Network
Files
memory/2040-0-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#ע.url"
Network
Files
memory/352-0-0x00000000001E0000-0x00000000001E1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe
"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/1204-0-0x0000000000BA0000-0x0000000000C86000-memory.dmp
memory/1204-1-0x00007FFC8C000000-0x00007FFC8CAC1000-memory.dmp
memory/1204-2-0x000000001B820000-0x000000001B830000-memory.dmp
memory/1204-8-0x00007FFC8C000000-0x00007FFC8CAC1000-memory.dmp
memory/1204-9-0x000000001B820000-0x000000001B830000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe
"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe"
Network
Files
memory/2840-0-0x0000000000110000-0x0000000000130000-memory.dmp
memory/2840-1-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp
memory/2840-2-0x000000001A880000-0x000000001A900000-memory.dmp
memory/2840-3-0x000000001A880000-0x000000001A900000-memory.dmp
memory/2840-4-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp
memory/2840-5-0x000000001A880000-0x000000001A900000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
94s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe
"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DualWallpaper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/4472-0-0x0000000000C20000-0x0000000000C40000-memory.dmp
memory/4472-1-0x00007FFB65290000-0x00007FFB65D51000-memory.dmp
memory/4472-2-0x000000001B990000-0x000000001B9A0000-memory.dmp
memory/4472-3-0x000000001B990000-0x000000001B9A0000-memory.dmp
memory/4472-4-0x000000001BA00000-0x000000001BBA9000-memory.dmp
memory/4472-5-0x00007FFB65290000-0x00007FFB65D51000-memory.dmp
memory/4472-7-0x000000001B990000-0x000000001B9A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#XIAOYI.VC.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\#ע.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-01 10:03
Reported
2024-04-01 10:06
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe
"C:\Users\Admin\AppData\Local\Temp\Dual Monitor Tools\DMT.exe"
Network
Files
memory/1300-0-0x00000000011D0000-0x00000000012B6000-memory.dmp
memory/1300-1-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
memory/1300-2-0x000000001AE40000-0x000000001AEC0000-memory.dmp
memory/1300-8-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
memory/1300-9-0x000000001AE40000-0x000000001AEC0000-memory.dmp