Malware Analysis Report

2025-06-15 19:54

Sample ID 240425-svbmysca2t
Target installer_v1.3.7.7z
SHA256 6c2a40998028849e7f033918065886102be34e9674e17c7d9db6f3877bc85a9c
Tags
lumma stealer evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c2a40998028849e7f033918065886102be34e9674e17c7d9db6f3877bc85a9c

Threat Level: Known bad

The file installer_v1.3.7.7z was found to be: Known bad.

Malicious Activity Summary

lumma stealer evasion trojan

Lumma Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-25 15:26

Signatures

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

315s

Max time network

1604s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\license\backupkey.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3848 wrote to memory of 2260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3848 wrote to memory of 2260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3848 wrote to memory of 2260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\license\backupkey.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\license\backupkey.dll,#1

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

574s

Max time network

1593s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\license\genkey.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2696 wrote to memory of 704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2696 wrote to memory of 704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\license\genkey.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\license\genkey.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 752

Network

Country Destination Domain Proto
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 16:14

Platform

win10-20240404-de

Max time kernel

601s

Max time network

1593s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3800 set thread context of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3800 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3800 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 648

Network

Country Destination Domain Proto
US 8.8.8.8:53 sideindexfollowragelrew.pw udp
US 8.8.8.8:53 productivelookewr.shop udp
US 172.67.150.207:443 productivelookewr.shop tcp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 104.21.89.202:443 tolerateilusidjukl.shop tcp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 104.21.95.19:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 207.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 25.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 202.89.21.104.in-addr.arpa udp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 172.67.218.63:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 225.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 19.95.21.104.in-addr.arpa udp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 104.21.33.174:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 63.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 23.157.67.172.in-addr.arpa udp
US 8.8.8.8:53 174.33.21.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp

Files

memory/3800-1-0x00000000002D0000-0x0000000000403000-memory.dmp

memory/4948-0-0x0000000000400000-0x000000000044F000-memory.dmp

memory/4948-3-0x0000000000400000-0x000000000044F000-memory.dmp

memory/4948-4-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3800-5-0x00000000002D0000-0x0000000000403000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

314s

Max time network

1605s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\keygen\mit.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4196 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4196 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4196 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\keygen\mit.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\keygen\mit.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

614s

Max time network

1578s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4300 wrote to memory of 4496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4300 wrote to memory of 4496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4300 wrote to memory of 4496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

314s

Max time network

1588s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESV2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 5000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4768 wrote to memory of 5000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4768 wrote to memory of 5000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESV2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESV2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

314s

Max time network

1604s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libeay32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libeay32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libeay32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

314s

Max time network

1584s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\platforms\win32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 4296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 228 wrote to memory of 4296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 228 wrote to memory of 4296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\platforms\win32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\platforms\win32.dll,#1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

881s

Max time network

1614s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\platforms\win64.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3944 wrote to memory of 4720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3944 wrote to memory of 4720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3944 wrote to memory of 4720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\platforms\win64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\platforms\win64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

317s

Max time network

1576s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\Engine.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine C:\Windows\SysWOW64\rundll32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 5088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\Engine.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\data\Engine.dll,#1

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

memory/5088-0-0x0000000020000000-0x00000000230C3000-memory.dmp

memory/5088-1-0x0000000077CE4000-0x0000000077CE5000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-25 15:26

Reported

2024-04-25 15:59

Platform

win10-20240404-de

Max time kernel

315s

Max time network

1588s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iconengines\qsvgicon.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3500 wrote to memory of 528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3500 wrote to memory of 528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iconengines\qsvgicon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\iconengines\qsvgicon.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp

Files

N/A