Analysis Overview
SHA256
31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
Threat Level: Known bad
The file 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729 was found to be: Known bad.
Malicious Activity Summary
Remcos
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 07:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Remcos
Blocklisted process makes network request
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe | N/A |
| File created | C:\Windows\Tasks\diskshadow.job | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\"""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amsdkjeduejfhdgerop.duckdns.org | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | amsdkjeduejfhdgerop.duckdns.org | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | tcp |
Files
memory/1092-0-0x0000000000540000-0x0000000000544000-memory.dmp
memory/1092-1-0x0000000000550000-0x0000000000551000-memory.dmp
memory/1092-2-0x00000000005B0000-0x00000000005B7000-memory.dmp
C:\Windows\win.ini
| MD5 | 9848e4efb0abd437d65e6d3d1d973adb |
| SHA1 | f427ac7c50b19f66658ae7f92cbaf21110b49a47 |
| SHA256 | c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f |
| SHA512 | f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17 |
memory/1092-10008-0x0000000000800000-0x0000000000822000-memory.dmp
memory/11376-10009-0x0000000000BF0000-0x0000000000BF6000-memory.dmp
memory/11376-10012-0x0000000000BE0000-0x0000000000BE3000-memory.dmp
memory/11376-10013-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/10184-10017-0x00000000726F0000-0x0000000072EA0000-memory.dmp
memory/10184-10018-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/10184-10016-0x0000000000D60000-0x0000000000D96000-memory.dmp
memory/10184-10019-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/10184-10020-0x0000000004F00000-0x0000000005528000-memory.dmp
memory/10184-10021-0x0000000004DF0000-0x0000000004E12000-memory.dmp
memory/10184-10022-0x00000000055E0000-0x0000000005646000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqwhhw02.to5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/10184-10023-0x0000000005650000-0x00000000056B6000-memory.dmp
memory/10184-10033-0x00000000058B0000-0x0000000005C04000-memory.dmp
memory/10184-10034-0x0000000005C90000-0x0000000005CAE000-memory.dmp
memory/10184-10035-0x00000000061E0000-0x000000000622C000-memory.dmp
memory/10184-10036-0x000000007F190000-0x000000007F1A0000-memory.dmp
memory/10184-10037-0x0000000006E70000-0x0000000006EA2000-memory.dmp
memory/10184-10038-0x000000006EEC0000-0x000000006EF0C000-memory.dmp
memory/10184-10048-0x0000000006250000-0x000000000626E000-memory.dmp
memory/10184-10050-0x0000000006EB0000-0x0000000006F53000-memory.dmp
memory/10184-10049-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/10184-10051-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/10184-10052-0x0000000007600000-0x0000000007C7A000-memory.dmp
memory/10184-10053-0x0000000006FC0000-0x0000000006FDA000-memory.dmp
memory/10184-10054-0x0000000007030000-0x000000000703A000-memory.dmp
memory/10184-10055-0x0000000007240000-0x00000000072D6000-memory.dmp
memory/10184-10056-0x00000000071C0000-0x00000000071D1000-memory.dmp
memory/10184-10057-0x00000000071F0000-0x00000000071FE000-memory.dmp
memory/10184-10058-0x0000000007200000-0x0000000007214000-memory.dmp
memory/10184-10059-0x0000000007300000-0x000000000731A000-memory.dmp
memory/10184-10060-0x00000000072E0000-0x00000000072E8000-memory.dmp
memory/10184-10063-0x00000000726F0000-0x0000000072EA0000-memory.dmp
memory/11376-10064-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/11376-10066-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/11376-10068-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/11376-10070-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/11376-10073-0x0000000073720000-0x00000000739B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdminShell\logs.dat
| MD5 | 61624923bea01c8ac9c3f81b39572c07 |
| SHA1 | b1907634afc55a9c1a3525ba9c80a802a6cb5f40 |
| SHA256 | 0a5611f99aae2cce0338b746638eeae7e90813ad000f69e396e9a61ee7f13dc4 |
| SHA512 | f949923652968b88fdc99bd8c90f5a59b05198cca0204cccd0999ef80bb9fbf023847dfb17f79fb1a2013b532ef36a22fc5a501e1038c1881b69afef3d74c542 |
memory/11376-10075-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/11376-10077-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/11376-10079-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/11376-10081-0x0000000073720000-0x00000000739B1000-memory.dmp
memory/11376-10083-0x0000000073720000-0x00000000739B1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:25
Platform
win10v2004-20240226-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 20.211.142.183:443 | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240221-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\DevCfgUI.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\VJUpgradePackageUI.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20231215-en
Max time kernel
115s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$TEMP\pdfgeom.cpython-36.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Remcos
Blocklisted process makes network request
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
| File created | C:\Windows\Tasks\diskshadow.job | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
"C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe"
C:\Users\Admin\AppData\Local\Temp\plier.exe
C:\Users\Admin\AppData\Local\Temp\plier.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat" /t REG_DWORD /d 0"
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat" /t REG_DWORD /d 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amsdkjeduejfhdgerop.duckdns.org | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | amsdkjeduejfhdgerop.duckdns.org | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\plier.exe
| MD5 | 11c8f037f0e1a68ff1c74cbcac6e3c6e |
| SHA1 | bb50ac196dfd3a194b7b7161947a012a0d49886c |
| SHA256 | aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34 |
| SHA512 | 05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b |
C:\Users\Admin\AppData\Local\Temp\Umbellule.DLL
| MD5 | 6000783aeacd1836db8f8d7c10330a3b |
| SHA1 | ba0176243cc0568dd0d10a1762ab69498e1dcb44 |
| SHA256 | 573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65 |
| SHA512 | 954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248 |
C:\Users\Admin\AppData\Local\Temp\Cornhusk
| MD5 | 32604f4797fafd34895f707137146e3a |
| SHA1 | 86bb7be89f74c85a1f77e52879ab1354af5b00be |
| SHA256 | f4e553e609fd70e9e21f5ea68adaa120bd93df0ad5befb3d2889db38bdb2211a |
| SHA512 | e391f0f16b668d5b07a53e13178f105f35f517fa189764eef811a521d292e16a6f738efe0f1992f98f393ec463f486719f80777dd4967fd1787e561005e62721 |
memory/2768-33-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2768-34-0x0000000000260000-0x0000000000267000-memory.dmp
memory/2768-35-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Windows\win.ini
| MD5 | 893cae59ab5945a94a7da007d47a1255 |
| SHA1 | d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06 |
| SHA256 | edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938 |
| SHA512 | d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9 |
memory/2768-10041-0x00000000002A0000-0x00000000002C2000-memory.dmp
memory/3204-10042-0x0000000000090000-0x0000000000096000-memory.dmp
memory/3204-10092-0x0000000000080000-0x0000000000083000-memory.dmp
memory/3204-10103-0x0000000074540000-0x0000000074780000-memory.dmp
memory/3204-10107-0x0000000074540000-0x0000000074780000-memory.dmp
memory/3204-10109-0x0000000074540000-0x0000000074780000-memory.dmp
memory/3204-10112-0x0000000074540000-0x0000000074780000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdminShell\logs.dat
| MD5 | d4efae098a46095c49ddfe77b608cd6b |
| SHA1 | 7151a5d93149c5189a75d8487a62ba8c8a772a46 |
| SHA256 | 44412ebb6748adcff1d5adf06b42c8d28845194f85d4201e456f6188860506ad |
| SHA512 | 2b7d7adab5ae4bea31a56df05b3e218b1694381a5715ead80b44031ef332e29439473aa5e6f7e60171202f636283cf3e0803ef88f90ab90a3e31fb5410e6d363 |
memory/3204-10116-0x0000000074540000-0x0000000074780000-memory.dmp
memory/3204-10118-0x0000000074540000-0x0000000074780000-memory.dmp
memory/3204-10119-0x0000000074540000-0x0000000074780000-memory.dmp
memory/3204-10121-0x0000000074540000-0x0000000074780000-memory.dmp
memory/3204-10124-0x0000000074540000-0x0000000074780000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\55.opends60.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\DevCfgUI.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240221-en
Max time kernel
138s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\SampDBInstall.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\SampDBInstall.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2208 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2208 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2208 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2208 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2208 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2208 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\Umbellule.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\Umbellule.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\aspnetcompiler.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\aspnetcompiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/3116-0-0x0000000074E30000-0x00000000753E1000-memory.dmp
memory/3116-1-0x0000000074E30000-0x00000000753E1000-memory.dmp
memory/3116-2-0x0000000001570000-0x0000000001580000-memory.dmp
memory/3116-4-0x0000000074E30000-0x00000000753E1000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
ubuntu1804-amd64-20240226-en
Max time kernel
0s
Max time network
132s
Command Line
Signatures
Processes
/tmp/$TEMP/libutil-tdb.so.0
[/tmp/$TEMP/libutil-tdb.so.0]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 151.101.130.49:443 | tcp | |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.2.49:443 | cdn.fwupd.org | tcp |
| GB | 185.125.188.61:443 | tcp | |
| GB | 185.125.188.61:443 | tcp | |
| US | 151.101.129.91:443 | tcp | |
| US | 1.1.1.1:53 | ocp-ingress.fastly.gnome.org | udp |
| US | 151.101.129.91:443 | ocp-ingress.fastly.gnome.org | tcp |
| GB | 195.181.164.20:443 | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2252 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2252 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2524 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2524 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2524 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2524 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$TEMP\pdfgeom.cpython-36.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$TEMP\pdfgeom.cpython-36.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$TEMP\pdfgeom.cpython-36.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 4250e3fc11afc5016fb1db7242bb43b2 |
| SHA1 | 64a04e2dab70840200d83590f9d52659bf78f962 |
| SHA256 | e48c78f8422b706c9786a83faf3359e3dfcd0149d1eb8696610571dd85d583f5 |
| SHA512 | c2c06707551d6a8c7162c70fdf903650651c25584769e8f5791135e504edb226f546535b01e550e6785fa7cf81c9cfc78eeff28d1d3d84c47f53890904880bac |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\55.opends60.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:25
Platform
win7-20240221-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:28
Platform
win10v2004-20240226-en
Max time kernel
168s
Max time network
159s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\SampDBInstall.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\SampDBInstall.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1168 wrote to memory of 3792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1168 wrote to memory of 3792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1168 wrote to memory of 3792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\Umbellule.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\Umbellule.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:28
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
166s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\VJUpgradePackageUI.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\WebClientProgressForm.js
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\WebClientProgressForm.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Remcos
Blocklisted process makes network request
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\diskshadow.job | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\plier.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
"C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe"
C:\Users\Admin\AppData\Local\Temp\plier.exe
C:\Users\Admin\AppData\Local\Temp\plier.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\"""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amsdkjeduejfhdgerop.duckdns.org | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | amsdkjeduejfhdgerop.duckdns.org | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | amsdkjeduejfhdgerop.duckdns.org | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
| US | 192.169.69.26:2223 | amsdkjeduejfhdgerop.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\plier.exe
| MD5 | 11c8f037f0e1a68ff1c74cbcac6e3c6e |
| SHA1 | bb50ac196dfd3a194b7b7161947a012a0d49886c |
| SHA256 | aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34 |
| SHA512 | 05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b |
C:\Users\Admin\AppData\Local\Temp\Umbellule.DLL
| MD5 | 6000783aeacd1836db8f8d7c10330a3b |
| SHA1 | ba0176243cc0568dd0d10a1762ab69498e1dcb44 |
| SHA256 | 573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65 |
| SHA512 | 954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248 |
C:\Users\Admin\AppData\Local\Temp\Cornhusk
| MD5 | 32604f4797fafd34895f707137146e3a |
| SHA1 | 86bb7be89f74c85a1f77e52879ab1354af5b00be |
| SHA256 | f4e553e609fd70e9e21f5ea68adaa120bd93df0ad5befb3d2889db38bdb2211a |
| SHA512 | e391f0f16b668d5b07a53e13178f105f35f517fa189764eef811a521d292e16a6f738efe0f1992f98f393ec463f486719f80777dd4967fd1787e561005e62721 |
memory/1868-30-0x0000000000740000-0x0000000000744000-memory.dmp
memory/1868-32-0x0000000000750000-0x0000000000751000-memory.dmp
memory/1868-29-0x0000000000770000-0x0000000000777000-memory.dmp
C:\Windows\win.ini
| MD5 | 9848e4efb0abd437d65e6d3d1d973adb |
| SHA1 | f427ac7c50b19f66658ae7f92cbaf21110b49a47 |
| SHA256 | c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f |
| SHA512 | f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17 |
memory/1868-10037-0x00000000007E0000-0x0000000000802000-memory.dmp
memory/7476-10038-0x0000000000370000-0x0000000000376000-memory.dmp
memory/7476-10041-0x0000000000340000-0x0000000000343000-memory.dmp
memory/7476-10042-0x0000000073A00000-0x0000000073C91000-memory.dmp
memory/6748-10045-0x0000000002B50000-0x0000000002B86000-memory.dmp
memory/6748-10046-0x0000000072920000-0x00000000730D0000-memory.dmp
memory/6748-10047-0x0000000002C80000-0x0000000002C90000-memory.dmp
memory/6748-10048-0x00000000052F0000-0x0000000005918000-memory.dmp
memory/6748-10049-0x0000000005270000-0x0000000005292000-memory.dmp
memory/6748-10050-0x0000000005A90000-0x0000000005AF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xqhwrhy1.rdc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/6748-10056-0x0000000005B00000-0x0000000005B66000-memory.dmp
memory/6748-10061-0x0000000005C80000-0x0000000005FD4000-memory.dmp
memory/6748-10062-0x0000000006120000-0x000000000613E000-memory.dmp
memory/6748-10063-0x0000000006170000-0x00000000061BC000-memory.dmp
memory/6748-10064-0x000000007FA90000-0x000000007FAA0000-memory.dmp
memory/6748-10065-0x0000000006700000-0x0000000006732000-memory.dmp
memory/6748-10066-0x000000006F1A0000-0x000000006F1EC000-memory.dmp
memory/6748-10072-0x0000000002C80000-0x0000000002C90000-memory.dmp
memory/6748-10077-0x00000000066E0000-0x00000000066FE000-memory.dmp
memory/6748-10078-0x0000000007100000-0x00000000071A3000-memory.dmp
memory/6748-10079-0x0000000007AA0000-0x000000000811A000-memory.dmp
memory/6748-10080-0x0000000007460000-0x000000000747A000-memory.dmp
memory/6748-10081-0x00000000074D0000-0x00000000074DA000-memory.dmp
memory/6748-10082-0x00000000076E0000-0x0000000007776000-memory.dmp
memory/6748-10083-0x0000000007660000-0x0000000007671000-memory.dmp
memory/6748-10084-0x0000000007690000-0x000000000769E000-memory.dmp
memory/6748-10085-0x00000000076A0000-0x00000000076B4000-memory.dmp
memory/6748-10086-0x00000000077A0000-0x00000000077BA000-memory.dmp
memory/6748-10087-0x0000000007780000-0x0000000007788000-memory.dmp
memory/6748-10090-0x0000000072920000-0x00000000730D0000-memory.dmp
memory/7476-10091-0x0000000073A00000-0x0000000073C91000-memory.dmp
memory/7476-10093-0x0000000073A00000-0x0000000073C91000-memory.dmp
memory/7476-10095-0x0000000073A00000-0x0000000073C91000-memory.dmp
memory/7476-10097-0x0000000073A00000-0x0000000073C91000-memory.dmp
memory/7476-10100-0x0000000073A00000-0x0000000073C91000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdminShell\logs.dat
| MD5 | e1cf98e0941efad1d6f7e3e1db7d38e0 |
| SHA1 | da72c520255c8b2851629f8de90cbcfbf016ef33 |
| SHA256 | 2d4bc1b51007671cba479dbb3d50b5635e6c27c7f64edf6f3828a55a4f55b23e |
| SHA512 | d9917160c5f883970051728e0c2c4ebd68c300327ad3fe398dde874e586f523a79afaae1a91a35ab4368e17dfb41a17fdffd3864e6b3d5a11160878d46494556 |
memory/7476-10102-0x0000000073A00000-0x0000000073C91000-memory.dmp
memory/7476-10104-0x0000000073A00000-0x0000000073C91000-memory.dmp
memory/7476-10106-0x0000000073A00000-0x0000000073C91000-memory.dmp
memory/7476-10110-0x0000000073A00000-0x0000000073C91000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\WizardFrameworkVS.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\WizardFrameworkVS.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240319-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\aspnetcompiler.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\aspnetcompiler.exe"
Network
Files
memory/2984-0-0x0000000074CD0000-0x000000007527B000-memory.dmp
memory/2984-1-0x0000000074CD0000-0x000000007527B000-memory.dmp
memory/2984-2-0x0000000000440000-0x0000000000480000-memory.dmp
memory/2984-3-0x0000000074CD0000-0x000000007527B000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-10 07:25
Reported
2024-04-10 07:27
Platform
win7-20240220-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "COPY /Y /B "" "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\diskshadow.exe""
Network
Files
memory/2732-1-0x0000000000230000-0x0000000000234000-memory.dmp
memory/2732-0-0x0000000000270000-0x0000000000277000-memory.dmp
memory/2732-3-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Windows\win.ini
| MD5 | 893cae59ab5945a94a7da007d47a1255 |
| SHA1 | d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06 |
| SHA256 | edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938 |
| SHA512 | d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9 |
memory/2732-10008-0x00000000002A0000-0x00000000002C2000-memory.dmp
memory/3852-10009-0x0000000000090000-0x0000000000096000-memory.dmp