Malware Analysis Report

2024-10-16 03:34

Sample ID 240503-bgy3nadb82
Target 2f06cd778c8bee67cb4ff8ad4595fa1d.bin
SHA256 ef66d3ed5d41a5adc633a124c3aacfa4b91590ea9c92630e9713cf9b5a68cd3e
Tags
banload vidar downloader dropper evasion persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ef66d3ed5d41a5adc633a124c3aacfa4b91590ea9c92630e9713cf9b5a68cd3e

Threat Level: Known bad

The file 2f06cd778c8bee67cb4ff8ad4595fa1d.bin was found to be: Known bad.

Malicious Activity Summary

banload vidar downloader dropper evasion persistence stealer trojan

Vidar

Detect Vidar Stealer

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Suspicious use of SetThreadContext

Loads dropped DLL

Registers COM server for autorun

Unsigned PE

Program crash

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-03 01:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-heap-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

140s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 49.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2192-0-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\AzureKeyVaultDgssLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\AzureKeyVaultDgssLib.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.UI.Xaml.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.UI.Xaml.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 201.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 48.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\WinUiBootstrapper.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\WinUiBootstrapper.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240419-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"

Signatures

Banload

trojan dropper downloader banload

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2312 set thread context of 2900 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Windows\\system32\\wuapi.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version\ = "2.0" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "Microsoft.Update.UpdateColl" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "Microsoft.Update.UpdateColl.1" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib\ = "{B596CC9F-56E5-419E-A622-E01BB457431E}" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Windows\\system32\\wuapi.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "UpdateCollection Class" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Programmable C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2312 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2312 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2312 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2312 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2900 wrote to memory of 2556 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2900 wrote to memory of 2556 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2900 wrote to memory of 2556 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2900 wrote to memory of 2556 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2900 wrote to memory of 2556 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2900 wrote to memory of 2556 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2556 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe
PID 2556 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe
PID 2556 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe
PID 2556 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 148

Network

N/A

Files

memory/2312-0-0x0000000003E10000-0x0000000003FF8000-memory.dmp

memory/2312-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2312-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2312-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2312-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2312-18-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2312-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2312-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2312-20-0x00000000048A0000-0x0000000004C9A000-memory.dmp

memory/2312-22-0x000007FEF6530000-0x000007FEF6688000-memory.dmp

memory/2312-37-0x000007FEF6530000-0x000007FEF6688000-memory.dmp

memory/2312-36-0x000007FEF6548000-0x000007FEF6549000-memory.dmp

memory/2312-38-0x000007FEF6530000-0x000007FEF6688000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b1744723

MD5 b9a7573a5ae24887b0df809bb21f2a2e
SHA1 899a5d830df3d09b9b268167ffd93eb84ee0ea3b
SHA256 eaea61ec092b26abf552bbe1b9a5d770e5ced510373e4554187a6291865ad30f
SHA512 de582cfe324a4780a874fdc56720e2cbf313e07a57ed30d2fda85d741a7e532c33bba5a94fd4bb160833189092d454fc6dc9276f5ba9bed3af7701cf0e01e12a

memory/2900-41-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/2900-43-0x0000000073D20000-0x0000000073E94000-memory.dmp

\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

MD5 3d754cfa4a5b2a3f19720550acf6d3cf
SHA1 e5c78edbd54e14a42258a6c223d2cf128530e1b6
SHA256 8e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
SHA512 18db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b

memory/2900-48-0x0000000073D20000-0x0000000073E94000-memory.dmp

memory/2900-46-0x0000000073D2E000-0x0000000073D30000-memory.dmp

memory/2556-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2556-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2900-52-0x0000000073D20000-0x0000000073E94000-memory.dmp

memory/2556-54-0x0000000000540000-0x0000000000C8B000-memory.dmp

memory/2556-59-0x0000000000540000-0x0000000000C8B000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

146s

Max time network

127s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\stich.pptx" /ou ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\stich.pptx" /ou ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4240-1-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-3-0x00007FFFA74AD000-0x00007FFFA74AE000-memory.dmp

memory/4240-2-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-0-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-6-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-5-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-4-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-7-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-9-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-8-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-11-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-10-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-12-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-14-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-13-0x00007FFF64B30000-0x00007FFF64B40000-memory.dmp

memory/4240-15-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

memory/4240-16-0x00007FFF64B30000-0x00007FFF64B40000-memory.dmp

memory/4240-40-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-41-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-43-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-42-0x00007FFF67490000-0x00007FFF674A0000-memory.dmp

memory/4240-44-0x00007FFFA7410000-0x00007FFFA7605000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\vcruntime140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\vcruntime140.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\AzureKeyVaultDgssLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\AzureKeyVaultDgssLib.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.28.101.95.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

114s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-runtime-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-runtime-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-utility-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-utility-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 49.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240419-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\vcruntime140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2392 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2392 wrote to memory of 2400 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\vcruntime140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2392 -s 80

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240215-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.Toolkit.Win32.UI.XamlHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.Toolkit.Win32.UI.XamlHost.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.UI.Xaml.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.UI.Xaml.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\libmmd.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\libmmd.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe"

Network

N/A

Files

memory/552-0-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240419-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.Toolkit.Win32.UI.XamlHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.Toolkit.Win32.UI.XamlHost.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-time-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-time-l1-1-0.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

141s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\acdbase.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\acdbase.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

116s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240419-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\acdbase.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2456 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2456 wrote to memory of 3004 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\acdbase.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2456 -s 84

Network

N/A

Files

memory/2456-1-0x00000000020C0000-0x00000000024BA000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-stdio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-stdio-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\libmmd.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1368 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1368 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\libmmd.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1368 -s 84

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\WinUiBootstrapper.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\WinUiBootstrapper.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win10v2004-20240419-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"

Signatures

Banload

trojan dropper downloader banload

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4688 set thread context of 3052 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Windows\\System32\\IME\\shared\\imjkapi.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "IMEAPI.CImeProductObjectJK.15" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib\ = "{da524058-bdb4-482a-997a-338ae04d7156}" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "CImeProductObject_JK Class" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Windows\\System32\\IME\\shared\\imjkapi.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "IMEAPI.CImeProductObjectJK" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2104 -ip 2104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1188

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\c6f3e30f

MD5 ff1aa6be4d57fe35f3f540d99faa2919
SHA1 349d00b86d7bc3ae6640e491bb9fa2a7205bf6d5
SHA256 27b4ef0be10db5cc3ebb7658fef9f2f65aa5005813d050ca9b0fe31ef859de11
SHA512 90516a2a3d67de7c64ba7fe0c2a5b84824be36aa3c25b41653204a11a3545c394e165f0688e9d470ffffc7c900c219cc4826807045980af4d5b749a92217d410

memory/3052-39-0x00007FFCB2950000-0x00007FFCB2B45000-memory.dmp

memory/3052-42-0x000000007418E000-0x0000000074190000-memory.dmp

memory/3052-43-0x0000000074181000-0x000000007418F000-memory.dmp

memory/3052-46-0x0000000074181000-0x000000007418F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

MD5 3d754cfa4a5b2a3f19720550acf6d3cf
SHA1 e5c78edbd54e14a42258a6c223d2cf128530e1b6
SHA256 8e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
SHA512 18db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b

memory/2104-49-0x0000000000E00000-0x000000000154B000-memory.dmp

memory/2104-51-0x00007FFCB2950000-0x00007FFCB2B45000-memory.dmp

memory/2104-58-0x0000000000E00000-0x000000000154B000-memory.dmp

memory/2104-59-0x0000000000E00000-0x000000000154B000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-03 01:07

Reported

2024-05-03 01:10

Platform

win7-20231129-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\stich.pptx"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\stich.pptx"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2996-0-0x000000002DEA1000-0x000000002DEA2000-memory.dmp

memory/2996-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2996-2-0x0000000071BED000-0x0000000071BF8000-memory.dmp

memory/2996-5-0x0000000071BED000-0x0000000071BF8000-memory.dmp

memory/2996-6-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2996-7-0x0000000071BED000-0x0000000071BF8000-memory.dmp