Analysis Overview
SHA256
45c944889a482ae2e0e0a8e260c3be737cb612c8804164badef61e8a8713b92f
Threat Level: Known bad
The file 45c944889a482ae2e0e0a8e260c3be737cb612c8804164badef61e8a8713b92f was found to be: Known bad.
Malicious Activity Summary
Detects Talisman variant of PlugX
PlugX
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-10 10:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 10:42
Reported
2024-04-10 10:45
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1704 wrote to memory of 4412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1704 wrote to memory of 4412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1704 wrote to memory of 4412 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\RasTls.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\RasTls.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4412 -ip 4412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 852
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-10 10:42
Reported
2024-04-10 10:45
Platform
win7-20240215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Talisman variant of PlugX
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\SymantecRasTls\RasTls.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\SymantecRasTls\RasTls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\nslookup.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\WpadDecisionTime = f0dc6b12348bda01 | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\ea-0e-c6-f9-27-49 | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f005e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-0e-c6-f9-27-49\WpadDecisionTime = f0dc6b12348bda01 | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4}\WpadDecision = "0" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-0e-c6-f9-27-49 | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-0e-c6-f9-27-49\WpadDecisionReason = "1" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{16B8C21C-FCFD-4320-935D-98F49C0D03A4} | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-0e-c6-f9-27-49\WpadDecision = "0" | C:\Windows\SysWOW64\nslookup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35004500420032003600340042004600300042003900300036003100320030000000 | C:\Windows\SysWOW64\nslookup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RasTls.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RasTls.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SymantecRasTls\RasTls.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SymantecRasTls\RasTls.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RasTls.exe
"C:\Users\Admin\AppData\Local\Temp\RasTls.exe"
\??\c:\windows\SysWOW64\cmd.exe
c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /delete /tn "SymantecRasTls" /F
\??\c:\windows\SysWOW64\cmd.exe
c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "SymantecRasTls" /tr "\"C:\ProgramData\SymantecRasTls\RasTls.exe\"" /ru "system"
\??\c:\windows\SysWOW64\schtasks.exe
c:\windows\system32\schtasks.exe /delete /tn "SymantecRasTls" /F
\??\c:\windows\SysWOW64\schtasks.exe
c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "SymantecRasTls" /tr "\"C:\ProgramData\SymantecRasTls\RasTls.exe\"" /ru "system"
C:\Windows\system32\taskeng.exe
taskeng.exe {5739FB93-B851-4677-AE9B-512D5C3904EE} S-1-5-18:NT AUTHORITY\System:Service:
C:\ProgramData\SymantecRasTls\RasTls.exe
C:\ProgramData\SymantecRasTls\RasTls.exe
C:\Windows\SysWOW64\nslookup.exe
C:\Windows\system32\nslookup.exe 201 0
Network
| Country | Destination | Domain | Proto |
| JP | 45.77.16.91:51094 | tcp | |
| JP | 45.77.16.91:51094 | tcp | |
| JP | 45.77.16.91:51094 | tcp | |
| JP | 45.77.16.91:51094 | tcp |
Files
memory/2952-0-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2952-1-0x0000000000280000-0x00000000002A3000-memory.dmp
memory/2952-2-0x0000000001BF0000-0x0000000001C29000-memory.dmp
memory/2952-3-0x0000000001BF0000-0x0000000001C29000-memory.dmp
memory/2952-16-0x0000000001BF0000-0x0000000001C29000-memory.dmp
memory/2952-17-0x0000000000400000-0x000000000041B000-memory.dmp
C:\ProgramData\SymantecRasTls\RasTls.exe
| MD5 | 62944e26b36b1dcace429ae26ba66164 |
| SHA1 | 2616da1697f7c764ee7fb558887a6a3279861fac |
| SHA256 | f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68 |
| SHA512 | e3c366044ac0b4df834b2f05d900cad01bc55b39028984ed3486aa2522e8c226bf9a81952da2c7e4bf0bc2c322d10fe58329e787238bb710a137827927b48d7c |
C:\ProgramData\SymantecRasTls\RasTls.dll
| MD5 | d5915394a6916a00c426aa2827d97c0e |
| SHA1 | 50064d66c9b55b6f7d22051b81914d8366fe36c8 |
| SHA256 | 6cd5079a69d9a68029e37f2680f44b7ba71c2b1eecf4894c2a8b293d5f768f10 |
| SHA512 | 56aa607a5a1bf095b017fd23a1007795f4bdd3a5a5efe571f7c74b7a4e37fb88f3031c26b5189e9f67328222b3dda621a7379da5341bfa95e25605b703ea6373 |
C:\ProgramData\SymantecRasTls\RasTls.dll.res
| MD5 | 9ae8a7837c60f3f587701934ff41bd96 |
| SHA1 | ea7595bff1cfd1d72fe72417bf263d9adc9bc59e |
| SHA256 | 37b3fb9aa12277f355bbb334c82b41e4155836cf3a1b83e543ce53da9d429e2f |
| SHA512 | 61ba5240b9a2376f8c88616b229323f71775639d1629467847260d555251b5d9b9e36a7858d8ff1601e3661163020219c2b3192997acd323bf58b27f8ed2efe2 |
memory/2296-23-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2296-24-0x0000000000460000-0x0000000000499000-memory.dmp
memory/2296-25-0x0000000000460000-0x0000000000499000-memory.dmp
memory/2504-26-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2504-28-0x00000000000A0000-0x00000000000C1000-memory.dmp
memory/2504-29-0x00000000000D0000-0x00000000000D2000-memory.dmp
memory/2504-30-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2504-31-0x0000000000410000-0x0000000000449000-memory.dmp
memory/2504-32-0x0000000000410000-0x0000000000449000-memory.dmp
memory/2296-33-0x0000000000460000-0x0000000000499000-memory.dmp
memory/2504-34-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2296-35-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2504-36-0x0000000000410000-0x0000000000449000-memory.dmp
memory/2504-37-0x0000000000410000-0x0000000000449000-memory.dmp
memory/2504-38-0x0000000000410000-0x0000000000449000-memory.dmp
memory/2504-39-0x0000000000410000-0x0000000000449000-memory.dmp
memory/2504-40-0x0000000000410000-0x0000000000449000-memory.dmp
memory/2504-41-0x0000000000410000-0x0000000000449000-memory.dmp
memory/2504-42-0x0000000000410000-0x0000000000449000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-10 10:42
Reported
2024-04-10 10:45
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
Detects Talisman variant of PlugX
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\SymantecRasTls\RasTls.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\SymantecRasTls\RasTls.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45003600450037003500450036004100300031004500440032003600460031000000 | C:\Windows\SysWOW64\nslookup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RasTls.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RasTls.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SymantecRasTls\RasTls.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SymantecRasTls\RasTls.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\nslookup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RasTls.exe
"C:\Users\Admin\AppData\Local\Temp\RasTls.exe"
\??\c:\windows\SysWOW64\cmd.exe
c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /delete /tn "SymantecRasTls" /F
\??\c:\windows\SysWOW64\schtasks.exe
c:\windows\system32\schtasks.exe /delete /tn "SymantecRasTls" /F
\??\c:\windows\SysWOW64\cmd.exe
c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "SymantecRasTls" /tr "\"C:\ProgramData\SymantecRasTls\RasTls.exe\"" /ru "system"
\??\c:\windows\SysWOW64\schtasks.exe
c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "SymantecRasTls" /tr "\"C:\ProgramData\SymantecRasTls\RasTls.exe\"" /ru "system"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
C:\ProgramData\SymantecRasTls\RasTls.exe
C:\ProgramData\SymantecRasTls\RasTls.exe
C:\Windows\SysWOW64\nslookup.exe
C:\Windows\system32\nslookup.exe 201 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| JP | 45.77.16.91:51094 | tcp | |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
memory/1832-0-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1832-1-0x0000000002050000-0x0000000002073000-memory.dmp
memory/1832-2-0x0000000002120000-0x0000000002159000-memory.dmp
memory/1832-3-0x0000000002120000-0x0000000002159000-memory.dmp
memory/1832-16-0x0000000002120000-0x0000000002159000-memory.dmp
memory/1832-17-0x0000000000400000-0x000000000041B000-memory.dmp
C:\ProgramData\SymantecRasTls\RasTls.exe
| MD5 | 62944e26b36b1dcace429ae26ba66164 |
| SHA1 | 2616da1697f7c764ee7fb558887a6a3279861fac |
| SHA256 | f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68 |
| SHA512 | e3c366044ac0b4df834b2f05d900cad01bc55b39028984ed3486aa2522e8c226bf9a81952da2c7e4bf0bc2c322d10fe58329e787238bb710a137827927b48d7c |
C:\ProgramData\SymantecRasTls\RasTls.dll
| MD5 | d5915394a6916a00c426aa2827d97c0e |
| SHA1 | 50064d66c9b55b6f7d22051b81914d8366fe36c8 |
| SHA256 | 6cd5079a69d9a68029e37f2680f44b7ba71c2b1eecf4894c2a8b293d5f768f10 |
| SHA512 | 56aa607a5a1bf095b017fd23a1007795f4bdd3a5a5efe571f7c74b7a4e37fb88f3031c26b5189e9f67328222b3dda621a7379da5341bfa95e25605b703ea6373 |
C:\ProgramData\SymantecRasTls\RasTls.dll.res
| MD5 | 9ae8a7837c60f3f587701934ff41bd96 |
| SHA1 | ea7595bff1cfd1d72fe72417bf263d9adc9bc59e |
| SHA256 | 37b3fb9aa12277f355bbb334c82b41e4155836cf3a1b83e543ce53da9d429e2f |
| SHA512 | 61ba5240b9a2376f8c88616b229323f71775639d1629467847260d555251b5d9b9e36a7858d8ff1601e3661163020219c2b3192997acd323bf58b27f8ed2efe2 |
memory/3008-23-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3008-24-0x0000000000D90000-0x0000000000DC9000-memory.dmp
memory/3008-25-0x0000000000D90000-0x0000000000DC9000-memory.dmp
memory/3528-26-0x0000000000A20000-0x0000000000A21000-memory.dmp
memory/3528-27-0x0000000000E20000-0x0000000000E59000-memory.dmp
memory/3528-28-0x0000000000E20000-0x0000000000E59000-memory.dmp
memory/3008-29-0x0000000000D90000-0x0000000000DC9000-memory.dmp
memory/3008-30-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3528-31-0x0000000000A20000-0x0000000000A21000-memory.dmp
memory/3528-32-0x0000000000E20000-0x0000000000E59000-memory.dmp
memory/3528-33-0x0000000000E20000-0x0000000000E59000-memory.dmp
memory/3528-34-0x0000000000E20000-0x0000000000E59000-memory.dmp
memory/3528-35-0x0000000000E20000-0x0000000000E59000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 10:42
Reported
2024-04-10 10:45
Platform
win7-20231129-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\RasTls.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\RasTls.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 284