Analysis Overview
SHA256
2564e6fcff82ffdd9e6bdcd89e15cf1b6389faaae2279975326eac70dedffffb
Threat Level: Known bad
The file 0a20c7cc0cbb5c6b735646f0c65c70aa_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Troldesh, Shade, Encoder.858
UPX packed file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-30 15:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win10v2004-20240419-en
Max time kernel
66s
Max time network
55s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 216 wrote to memory of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 216 wrote to memory of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 216 wrote to memory of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
| MD5 | 3db1d34674bdfab493aca0b6380d3639 |
| SHA1 | 05a2b02b653cd9efd98f1e276a266efaca29c5ae |
| SHA256 | 426e613848dfa42b08e66aaa03a7c490a8832fc113f610d77cb29a87b7a5ea2e |
| SHA512 | d459cd9655cd5056b2700da36a4eb1738c7c2b961de4bc8542c479d46952c096e9a3d21263b24da87a8409eed889018b94e1238f6d938b7355e56ed8eab8af23 |
C:\Users\Admin\AppData\Local\Temp\nsw325C.tmp\LangDLL.dll
| MD5 | ea60c7bd5edd6048601729bd31362c16 |
| SHA1 | 6e6919d969eb61a141595014395b6c3f44139073 |
| SHA256 | 4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39 |
| SHA512 | f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win7-20240419-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 224
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 244
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win7-20240221-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 224
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win10v2004-20240419-en
Max time kernel
66s
Max time network
55s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4680 wrote to memory of 1500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4680 wrote to memory of 1500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4680 wrote to memory of 1500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1500 -ip 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2452 wrote to memory of 1468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2452 wrote to memory of 1468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2452 wrote to memory of 1468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1468 -ip 1468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1228 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1228 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1228 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.146:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win7-20240220-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win10v2004-20240419-en
Max time kernel
66s
Max time network
54s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 536 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 536 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 536 wrote to memory of 1332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1160 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
| PID 1160 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
| PID 1160 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
Processes
C:\Users\Admin\AppData\Local\Temp\Scans46.scr
"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S
C:\Users\Admin\AppData\Local\Temp\Scans46.scr
"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1160 -ip 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 924
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.48:443 | N/A | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsr3105.tmp\System.dll
| MD5 | 55a26d7800446f1373056064c64c3ce8 |
| SHA1 | 80256857e9a0a9c8897923b717f3435295a76002 |
| SHA256 | 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8 |
| SHA512 | 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b |
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win10v2004-20240419-en
Max time kernel
67s
Max time network
52s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4600 wrote to memory of 4556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4600 wrote to memory of 4556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4600 wrote to memory of 4556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win7-20240221-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
Troldesh, Shade, Encoder.858
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1460 set thread context of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1460 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
| PID 1460 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
| PID 1460 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
| PID 1460 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
| PID 1460 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Scans46.scr | C:\Users\Admin\AppData\Local\Temp\Scans46.scr |
Processes
C:\Users\Admin\AppData\Local\Temp\Scans46.scr
"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S
C:\Users\Admin\AppData\Local\Temp\Scans46.scr
"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S
Network
| Country | Destination | Domain | Proto |
| DE | 131.188.40.189:443 | N/A | tcp |
| N/A | 127.0.0.1:49206 | N/A | tcp |
| US | 208.83.223.34:80 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsi236A.tmp\System.dll
| MD5 | 55a26d7800446f1373056064c64c3ce8 |
| SHA1 | 80256857e9a0a9c8897923b717f3435295a76002 |
| SHA256 | 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8 |
| SHA512 | 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b |
memory/1448-7-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-9-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-10-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-11-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-8-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-12-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-14-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-16-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-13-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-19-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-20-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-21-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-22-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-23-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-26-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-27-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-28-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-29-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-30-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-31-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-32-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-33-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1448-34-0x0000000000400000-0x00000000005DE000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-30 15:59
Reported
2024-04-30 16:02
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2648 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 2648 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 2648 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 2648 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
Files
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
| MD5 | 3db1d34674bdfab493aca0b6380d3639 |
| SHA1 | 05a2b02b653cd9efd98f1e276a266efaca29c5ae |
| SHA256 | 426e613848dfa42b08e66aaa03a7c490a8832fc113f610d77cb29a87b7a5ea2e |
| SHA512 | d459cd9655cd5056b2700da36a4eb1738c7c2b961de4bc8542c479d46952c096e9a3d21263b24da87a8409eed889018b94e1238f6d938b7355e56ed8eab8af23 |
\Users\Admin\AppData\Local\Temp\nsj9A3F.tmp\LangDLL.dll
| MD5 | ea60c7bd5edd6048601729bd31362c16 |
| SHA1 | 6e6919d969eb61a141595014395b6c3f44139073 |
| SHA256 | 4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39 |
| SHA512 | f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993 |