Malware Analysis Report

2024-09-22 12:32

Sample ID 240430-tfjwfscd77
Target 0a20c7cc0cbb5c6b735646f0c65c70aa_JaffaCakes118
SHA256 2564e6fcff82ffdd9e6bdcd89e15cf1b6389faaae2279975326eac70dedffffb
Tags
troldesh persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2564e6fcff82ffdd9e6bdcd89e15cf1b6389faaae2279975326eac70dedffffb

Threat Level: Known bad

The file 0a20c7cc0cbb5c6b735646f0c65c70aa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

troldesh persistence ransomware trojan upx

Troldesh, Shade, Encoder.858

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-30 15:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win10v2004-20240419-en

Max time kernel

66s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 3db1d34674bdfab493aca0b6380d3639
SHA1 05a2b02b653cd9efd98f1e276a266efaca29c5ae
SHA256 426e613848dfa42b08e66aaa03a7c490a8832fc113f610d77cb29a87b7a5ea2e
SHA512 d459cd9655cd5056b2700da36a4eb1738c7c2b961de4bc8542c479d46952c096e9a3d21263b24da87a8409eed889018b94e1238f6d938b7355e56ed8eab8af23

C:\Users\Admin\AppData\Local\Temp\nsw325C.tmp\LangDLL.dll

MD5 ea60c7bd5edd6048601729bd31362c16
SHA1 6e6919d969eb61a141595014395b6c3f44139073
SHA256 4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39
SHA512 f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win7-20240419-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 224

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 244

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win7-20240221-en

Max time kernel

117s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win10v2004-20240419-en

Max time kernel

66s

Max time network

55s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 1468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1468 -ip 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 4204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1228 wrote to memory of 4204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1228 wrote to memory of 4204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win10v2004-20240419-en

Max time kernel

66s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 1332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 536 wrote to memory of 1332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 536 wrote to memory of 1332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Scans46.scr N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Scans46.scr

Processes

C:\Users\Admin\AppData\Local\Temp\Scans46.scr

"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S

C:\Users\Admin\AppData\Local\Temp\Scans46.scr

"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1160 -ip 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 924

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 193.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsr3105.tmp\System.dll

MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win10v2004-20240419-en

Max time kernel

67s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4600 wrote to memory of 4556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4600 wrote to memory of 4556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4600 wrote to memory of 4556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win7-20240221-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Scans46.scr N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\Scans46.scr N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1460 set thread context of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Scans46.scr C:\Users\Admin\AppData\Local\Temp\Scans46.scr

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Scans46.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Scans46.scr N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Scans46.scr N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Scans46.scr

"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S

C:\Users\Admin\AppData\Local\Temp\Scans46.scr

"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S

Network

Country Destination Domain Proto
DE 131.188.40.189:443 tcp
N/A 127.0.0.1:49206 tcp
US 208.83.223.34:80 tcp

Files

\Users\Admin\AppData\Local\Temp\nsi236A.tmp\System.dll

MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

memory/1448-7-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-9-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-10-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-11-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-8-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-12-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-14-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-16-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-13-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-19-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-20-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-21-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-22-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-23-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-26-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-27-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-28-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-29-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-30-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-31-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-32-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-33-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1448-34-0x0000000000400000-0x00000000005DE000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-30 15:59

Reported

2024-04-30 16:02

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 3db1d34674bdfab493aca0b6380d3639
SHA1 05a2b02b653cd9efd98f1e276a266efaca29c5ae
SHA256 426e613848dfa42b08e66aaa03a7c490a8832fc113f610d77cb29a87b7a5ea2e
SHA512 d459cd9655cd5056b2700da36a4eb1738c7c2b961de4bc8542c479d46952c096e9a3d21263b24da87a8409eed889018b94e1238f6d938b7355e56ed8eab8af23

\Users\Admin\AppData\Local\Temp\nsj9A3F.tmp\LangDLL.dll

MD5 ea60c7bd5edd6048601729bd31362c16
SHA1 6e6919d969eb61a141595014395b6c3f44139073
SHA256 4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39
SHA512 f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993