Analysis Overview
SHA256
76d008d9955509d3db6e190acfa58fdf12fc64253884ac6981187a3e5ffdeb20
Threat Level: Known bad
The file 76d008d9955509d3db6e190acfa58fdf12fc64253884ac6981187a3e5ffdeb20 was found to be: Known bad.
Malicious Activity Summary
PlugX
Detects PlugX payload
Unexpected DNS network traffic destination
Deletes itself
Executes dropped EXE
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-04-10 12:01
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-10 12:01
Reported
2024-04-10 12:03
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\update\log.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
Files
memory/960-0-0x00007FFD0EEE0000-0x00007FFD0EEE1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 12:01
Reported
2024-04-10 12:04
Platform
win7-20240221-en
Max time kernel
168s
Max time network
163s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 103.56.18.101 | N/A | N/A |
| Destination IP | 103.56.18.101 | N/A | N/A |
| Destination IP | 103.56.18.101 | N/A | N/A |
| Destination IP | 103.56.18.101 | N/A | N/A |
| Destination IP | 123.111.231.1 | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35003100450036004300460031003900430035003000340041004400420046000000 | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe
"C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"
C:\ProgramData\Bitdefender\update\USOPrivate.exe
"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 100 2688
C:\ProgramData\Bitdefender\update\USOPrivate.exe
"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 200 0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2444
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:53 | localhost.11i.me | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| KR | 123.111.231.1:53 | localhost.11i.me | udp |
| US | 8.8.4.4:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:53 | localhost.11i.me | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:443 | localhost.11i.me | tcp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:443 | localhost.11i.me | tcp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:53 | localhost.11i.me | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:53 | localhost.11i.me | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:443 | localhost.11i.me | tcp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:443 | localhost.11i.me | tcp |
Files
memory/2688-0-0x0000000001C20000-0x0000000001D20000-memory.dmp
memory/2688-1-0x0000000077090000-0x0000000077091000-memory.dmp
memory/2688-2-0x0000000001DA0000-0x0000000001DDC000-memory.dmp
\ProgramData\Bitdefender\update\USOPrivate.exe
| MD5 | 10866465a9b0c56af2cd093b80cdbc9f |
| SHA1 | fc77be3e68a79b597ffed1b307d1b447787e7995 |
| SHA256 | 9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa |
| SHA512 | 975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091 |
C:\ProgramData\Bitdefender\update\log.dll
| MD5 | 2a747a6201189e133c18ae24e44476f3 |
| SHA1 | 002be31d69cf30bc8a8e2ed51c038a5bdfd88141 |
| SHA256 | 0cc36dd25e099cc6f1798dabe1d6a3e2d8c3883aa0e0d7296e94d035cdb74f3c |
| SHA512 | 36080f7595b6a1c05ecce348a75adbac4cdf8ccc441a724e3aa50130c62cd74d3948dabf8343b95cd90043f569b7f301f94102626942e9c0080133c486a830b3 |
C:\ProgramData\Bitdefender\update\USOPrivate.dat
| MD5 | 1eb44d7ec4d7d2a13a81d7542ef6bc2b |
| SHA1 | f35d30962790b99cc29d38ccf6e9e66c82e5aa80 |
| SHA256 | bdba1d2043bd89693895c079d57d2494a02d435eae2981bc20bd3b92e9c8dece |
| SHA512 | 9a570ced024157613d01ed30293b21b81155401790a160dd42446ad15119c6b2da4362435f39ffba404b266a7831bfb955edbf42412987769c2405655471e97c |
memory/2560-21-0x0000000077090000-0x0000000077091000-memory.dmp
memory/2560-23-0x0000000001E70000-0x0000000001EAC000-memory.dmp
memory/2560-24-0x0000000001E70000-0x0000000001EAC000-memory.dmp
memory/2504-29-0x0000000001BD0000-0x0000000001C0C000-memory.dmp
memory/2444-30-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2444-32-0x0000000000080000-0x00000000000A5000-memory.dmp
memory/2444-33-0x00000000000B0000-0x00000000000B2000-memory.dmp
memory/2444-34-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2444-35-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-37-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-36-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2504-38-0x0000000001BD0000-0x0000000001C0C000-memory.dmp
memory/2688-44-0x0000000001DA0000-0x0000000001DDC000-memory.dmp
memory/2444-49-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2444-50-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-51-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-52-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-53-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-55-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-54-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-56-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2444-58-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2560-59-0x0000000001E70000-0x0000000001EAC000-memory.dmp
memory/2828-68-0x0000000000070000-0x0000000000071000-memory.dmp
memory/2828-70-0x0000000000290000-0x00000000002CC000-memory.dmp
memory/2828-72-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2828-73-0x0000000000290000-0x00000000002CC000-memory.dmp
memory/2828-74-0x0000000000290000-0x00000000002CC000-memory.dmp
memory/2828-75-0x0000000000290000-0x00000000002CC000-memory.dmp
memory/2444-76-0x0000000000480000-0x00000000004BC000-memory.dmp
memory/2828-77-0x0000000000290000-0x00000000002CC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 12:01
Reported
2024-04-10 12:04
Platform
win10v2004-20240226-en
Max time kernel
159s
Max time network
166s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 103.56.18.101 | N/A | N/A |
| Destination IP | 103.56.18.101 | N/A | N/A |
| Destination IP | 103.56.18.101 | N/A | N/A |
| Destination IP | 103.56.18.101 | N/A | N/A |
| Destination IP | 123.111.231.1 | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| N/A | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003700440031004600440032004200370037004300320035004400310046000000 | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Bitdefender\update\USOPrivate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe
"C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"
C:\ProgramData\Bitdefender\update\USOPrivate.exe
"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 100 4800
C:\ProgramData\Bitdefender\update\USOPrivate.exe
"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 200 0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe 209 3468
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| KR | 123.111.231.1:53 | localhost.11i.me | udp |
| US | 8.8.4.4:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:53 | localhost.11i.me | udp |
| US | 8.8.8.8:53 | 1.231.111.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.18.56.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:53 | localhost.11i.me | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:443 | localhost.11i.me | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:443 | localhost.11i.me | tcp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:53 | localhost.11i.me | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | localhost.11i.me | udp |
| HK | 103.56.18.101:53 | localhost.11i.me | udp |
Files
memory/4800-0-0x00007FFE047B0000-0x00007FFE047B1000-memory.dmp
memory/4800-1-0x000002835C510000-0x000002835C610000-memory.dmp
memory/4800-2-0x000002835C390000-0x000002835C3CC000-memory.dmp
memory/4800-3-0x000002835C390000-0x000002835C3CC000-memory.dmp
C:\ProgramData\Bitdefender\update\USOPrivate.exe
| MD5 | 10866465a9b0c56af2cd093b80cdbc9f |
| SHA1 | fc77be3e68a79b597ffed1b307d1b447787e7995 |
| SHA256 | 9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa |
| SHA512 | 975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091 |
C:\ProgramData\Bitdefender\update\log.dll
| MD5 | 2a747a6201189e133c18ae24e44476f3 |
| SHA1 | 002be31d69cf30bc8a8e2ed51c038a5bdfd88141 |
| SHA256 | 0cc36dd25e099cc6f1798dabe1d6a3e2d8c3883aa0e0d7296e94d035cdb74f3c |
| SHA512 | 36080f7595b6a1c05ecce348a75adbac4cdf8ccc441a724e3aa50130c62cd74d3948dabf8343b95cd90043f569b7f301f94102626942e9c0080133c486a830b3 |
C:\ProgramData\Bitdefender\update\USOPrivate.dat
| MD5 | 1eb44d7ec4d7d2a13a81d7542ef6bc2b |
| SHA1 | f35d30962790b99cc29d38ccf6e9e66c82e5aa80 |
| SHA256 | bdba1d2043bd89693895c079d57d2494a02d435eae2981bc20bd3b92e9c8dece |
| SHA512 | 9a570ced024157613d01ed30293b21b81155401790a160dd42446ad15119c6b2da4362435f39ffba404b266a7831bfb955edbf42412987769c2405655471e97c |
memory/3092-20-0x00007FFE047B0000-0x00007FFE047B1000-memory.dmp
memory/3092-22-0x0000024E4F730000-0x0000024E4F76C000-memory.dmp
memory/3092-23-0x0000024E4F730000-0x0000024E4F76C000-memory.dmp
memory/4288-27-0x000002A9E75D0000-0x000002A9E760C000-memory.dmp
memory/4288-28-0x000002A9E75D0000-0x000002A9E760C000-memory.dmp
memory/3468-29-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3468-30-0x0000015042480000-0x0000015042481000-memory.dmp
memory/3468-31-0x0000015042840000-0x000001504287C000-memory.dmp
memory/4800-33-0x000002835C390000-0x000002835C3CC000-memory.dmp
memory/4288-35-0x000002A9E75D0000-0x000002A9E760C000-memory.dmp
memory/3468-32-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3468-45-0x0000015042480000-0x0000015042481000-memory.dmp
memory/3468-46-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3468-47-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3468-48-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3468-49-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3468-50-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3468-51-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3468-54-0x0000015042840000-0x000001504287C000-memory.dmp
memory/3092-55-0x0000024E4F730000-0x0000024E4F76C000-memory.dmp
memory/1092-56-0x0000020ADA680000-0x0000020ADA681000-memory.dmp
memory/1092-57-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp
memory/1092-61-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp
memory/1092-60-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp
memory/1092-59-0x0000020ADA9A0000-0x0000020ADA9A1000-memory.dmp
memory/1092-62-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp
memory/1092-63-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp
memory/3468-64-0x0000015042840000-0x000001504287C000-memory.dmp
memory/1092-65-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-10 12:01
Reported
2024-04-10 12:04
Platform
win7-20240221-en
Max time kernel
120s
Max time network
137s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\update\log.dll,#1
Network
Files
memory/2296-0-0x0000000077320000-0x0000000077321000-memory.dmp