Malware Analysis Report

2025-08-10 18:08

Sample ID 240507-dpxkxafe5w
Target 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118
SHA256 30ef369d154a2d3bf33e28940ecfddf8a0194b4f4e7128571b643044556bbb70
Tags
bootkit persistence
score
7/10


Analysis Overview

score
7/10

SHA256

30ef369d154a2d3bf33e28940ecfddf8a0194b4f4e7128571b643044556bbb70

Threat Level: Shows suspicious behavior

The file 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-07 03:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240419-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 224

Network

N/A

Files

memory/1520-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1520-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/1520-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 208 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 208 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/4772-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4772-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe

"C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe" /uninstallsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 138.113.101.12:80 d.wanyouxi7.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 12.101.113.138.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 62d59d949c8738764fb4e0c440fc0d3b
SHA1 cc0d44be6faa84393a3ce3e1e725a95d5a662ce4
SHA256 c9a35e11c82fe4df61b96a9c57b20bdd59a5903a67a59c6e9156d303450afc61
SHA512 1587f863992d1ab62029d033551f3d567c9716738dfc4ca90f6cf9f7a034925d9a019cee1fed839b51db7c187eaa230b79a8f47f2eb0d22232bbb9cf7347b9e5

C:\Users\Admin\AppData\Local\Temp\nsg5729.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/408-10-0x0000000010000000-0x0000000010003000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsg5729.tmp\inetc.dll

MD5 c498ae64b4971132bba676873978de1e
SHA1 92e4009cd776b6c8616d8bffade7668ef3cb3c27
SHA256 5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8
SHA512 8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

C:\Users\Admin\AppData\Local\Temp\lander.ini

MD5 c7619a63909ac7b1891cdef2c58eae86
SHA1 e312edb9c470f43f869611cdcdcb3dd2e3d133f7
SHA256 a9f4943ff41ee1db6024b3cc53a801898f16af32f5b6c1ab15e935aae86cf00e
SHA512 a6bc53cab680017198a595e166a1eabe79d79b024c414d4c895a13e9ac0ff126383899fabeb30cc84e2fab0ed1e7e28e0e8c25b542fb850be03772210fb15667

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 224

Network

N/A

Files

memory/2296-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2296-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2296-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe

"C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 N/A udp

Files

memory/1660-3-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/1660-4-0x00000000010A0000-0x00000000010A1000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4600 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4600 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4600 wrote to memory of 4672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4672 -ip 4672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 N/A udp

Files

memory/4672-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4672-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 236

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe

"C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp

Files

memory/2164-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2164-5-0x00000000000F0000-0x00000000000F1000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 224

Network

N/A

Files

memory/3040-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/3040-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 224

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 1612 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

"C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /ShowDeskTop

C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

"C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /autorun /setuprun

C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

"C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsd7C91.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsd7C91.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/1612-12-0x00000000003B0000-0x00000000003B3000-memory.dmp

memory/1612-13-0x00000000003B1000-0x00000000003B2000-memory.dmp

\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

MD5 ebeb1bb919543b07d57aabb96c331e27
SHA1 06c1857f7cbb76ce01b6b1ea9a1bf8fc4538b2c9
SHA256 68538e5ab408445b3b73158a40ea6e9b1bada7e874a7c4b3bbf3b48568e9a676
SHA512 39d13db5ad0b17e16a9db56b3294cc7c0f66d79ab64d69d796dd005963f6f1a33000b1f306b7a59b2cd3525f9a41b7f192748837498123ad0ee54903c19817b2

C:\Users\Admin\AppData\Roaming\yj_dtsk\lander.ini

MD5 79833079e022c9ec09974a780083b68f
SHA1 a640dd52a3722a0e4be42c2789245d4a1d251d1c
SHA256 e415657883d27b1268f301948188906856a1998ef49b72f215cc474e331dbef3
SHA512 8494f2c99631c36e5d9f7e40423b9469e78198076eec6a443c219d30380e84fd298fb45ea03989c630a2297d7c4324c9a861695988740b18908720a8f0bd7bbf

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\血色古堡.lnk

MD5 775e8d45bd2b9f7c80773281a36b980f
SHA1 6b42a8297e8bf25f750d503c8c71c41a2b9c3250
SHA256 4f3a2fbc2b20c689bea144d6f9877254446865e7689c23199c4ce56119de42c1
SHA512 330545bcb5f6bb568e830e705742083bb38f420f60380394df8e1ced47c736cd4699957761c3c69e0416a11f626409b673b5b8afbd33e44ac4f60dd87f181bec

C:\Users\Admin\AppData\Roaming\yj_dtsk\lander.ini

MD5 3061881b3fde56a8e3a9d9b3acb85ec9
SHA1 646b806ef0384a275a1102673068ed68ce3d1763
SHA256 238147067f662483813185c19c33bfd59fd94e548c4914cce9a0cacd07b38f90
SHA512 45a784876205c400f47b9561162d01e64f5d66b0170d88c300b3fdcbd2b4e9bc474ffd2cfc306d4a6da84829df6e75177db8da7dc5cf3927bb49688b84a0ee3c

C:\Users\Admin\AppData\Roaming\yj_dtsk\Lander.ini

MD5 04e813edb010a8177e6348ad91ae63ce
SHA1 1bd0dac493ca7affc732c042aafad0e2aa207980
SHA256 fb32d354a4f95d9326b494b17280f830c989a7fd54c1afd20c25804ae9655020
SHA512 9c105c668658b10e054be88429a46c36eb5977b557362b9a6152a27470ad2b04ea313c4f7dc612021ef13284c9e812d3ff1d07b344000d8b9cea00ebfb790a4b

memory/1612-71-0x00000000003B1000-0x00000000003B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\yj_dtsk\Lander.ini

MD5 4ed9614397e098853a4a72806969a8a8
SHA1 8accfa48b6af02e9c5403215b8d23300fcca5717
SHA256 ef49df72840ea1f48503510664000c0da83a65df63b4b1eed65165d30d5a0f16
SHA512 9bfa9dafff77441ff8b1b3a732425b54b7a54d01b4f712c107d325fb8e3a3a4ae259c6874b9a49b61945cff1f46589141906ed8267d01de9990c0de3463ec6d0

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
PID 3420 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

"C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" SW_SHOWNORMAL

C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

"C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /ShowDeskTop

C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

"C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /autorun /setuprun

C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

"C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 a.clickdata.37wan.com udp
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp
CN 193.112.84.233:80 gameapp.37.com tcp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsd423B.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsd423B.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/3420-14-0x0000000002130000-0x0000000002133000-memory.dmp

memory/3420-15-0x0000000002131000-0x0000000002132000-memory.dmp

C:\Users\Admin\AppData\Roaming\yj_dtsk\lander.ini

MD5 79833079e022c9ec09974a780083b68f
SHA1 a640dd52a3722a0e4be42c2789245d4a1d251d1c
SHA256 e415657883d27b1268f301948188906856a1998ef49b72f215cc474e331dbef3
SHA512 8494f2c99631c36e5d9f7e40423b9469e78198076eec6a443c219d30380e84fd298fb45ea03989c630a2297d7c4324c9a861695988740b18908720a8f0bd7bbf

C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe

MD5 ebeb1bb919543b07d57aabb96c331e27
SHA1 06c1857f7cbb76ce01b6b1ea9a1bf8fc4538b2c9
SHA256 68538e5ab408445b3b73158a40ea6e9b1bada7e874a7c4b3bbf3b48568e9a676
SHA512 39d13db5ad0b17e16a9db56b3294cc7c0f66d79ab64d69d796dd005963f6f1a33000b1f306b7a59b2cd3525f9a41b7f192748837498123ad0ee54903c19817b2

C:\Users\Admin\AppData\Roaming\yj_dtsk\Lander.ini

MD5 152d7eb5f41a46a5bd348a990987d932
SHA1 714d6a87a0abd8a455f5825f5a6029a8c4de4b4a
SHA256 4d7d96a4e7d18bd237b579f0a3e36e73cf2e2e0504497c8df8306a0903d115c5
SHA512 8b81a15c2bdd0ed537ae6e55d78206f8f7d2c8d0e0befbc3643c66c666e0220c610d13d47349efde563ecf4173626e0aa6104e4ff52166e027d7699e14fb8127

memory/2800-53-0x0000000000920000-0x0000000000921000-memory.dmp

C:\Users\Admin\AppData\Roaming\yj_dtsk\Lander.ini

MD5 0abdd761eb06aa596b1809360d5292ec
SHA1 d1cc92ca8859d936dd3516200f355164d584436d
SHA256 7bcf17229b288193713ddb69c1c4e89246f1e4105fdab6d6ea0a1a668429d136
SHA512 a3e5b71a3c290658bf310ea07a1e262d575961b19f63b4a36baa45e43776382c3450e2360ade57d36adff1f35a7b5af0ed6f988259fa45ca2efcb1a5bbfced5e

memory/3420-62-0x0000000002131000-0x0000000002132000-memory.dmp

memory/2800-63-0x0000000000920000-0x0000000000921000-memory.dmp

memory/3420-70-0x0000000002130000-0x0000000002133000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3452 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3452 wrote to memory of 1348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/1348-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1348-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4212 wrote to memory of 3488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4212 wrote to memory of 3488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4212 wrote to memory of 3488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3488 -ip 3488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240419-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224

Network

N/A

Files

memory/2324-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2324-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2324-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 1992 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

N/A

Files

memory/1136-0-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-1-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-18-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-28-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-27-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-26-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-25-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-3-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-24-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-23-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-22-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-21-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-20-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-19-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-17-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-16-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-15-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-14-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-13-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-12-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-11-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-10-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-9-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-8-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-7-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-6-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-5-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-4-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1136-2-0x0000000002A10000-0x0000000002A11000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

126s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 876 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2964 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

N/A

Files

memory/1156-0-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-2-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-6-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-8-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-10-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-16-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-14-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-12-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-18-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-22-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-20-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-26-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-24-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-36-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-56-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-60-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-58-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-54-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-52-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-50-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-48-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-46-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-44-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-42-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-40-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-38-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-34-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-32-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-30-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1156-28-0x0000000002A20000-0x0000000002A21000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1484 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240221-en

Max time kernel

120s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1440 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1440 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1440 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1440 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1440 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1440 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1224 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe
PID 1224 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe
PID 1224 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe
PID 1224 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe

"C:\Users\Admin\AppData\Local\Temp\yj_dtsk.exe" /uninstallsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 138.113.101.12:80 d.wanyouxi7.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 62d59d949c8738764fb4e0c440fc0d3b
SHA1 cc0d44be6faa84393a3ce3e1e725a95d5a662ce4
SHA256 c9a35e11c82fe4df61b96a9c57b20bdd59a5903a67a59c6e9156d303450afc61
SHA512 1587f863992d1ab62029d033551f3d567c9716738dfc4ca90f6cf9f7a034925d9a019cee1fed839b51db7c187eaa230b79a8f47f2eb0d22232bbb9cf7347b9e5

memory/1224-12-0x0000000010000000-0x0000000010003000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsjA92C.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

\Users\Admin\AppData\Local\Temp\nsjA92C.tmp\inetc.dll

MD5 c498ae64b4971132bba676873978de1e
SHA1 92e4009cd776b6c8616d8bffade7668ef3cb3c27
SHA256 5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8
SHA512 8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

C:\Users\Admin\AppData\Local\Temp\lander.ini

MD5 5ac808ed7aa482e21ef198bf27bd99f8
SHA1 f30f9f06d64ef4690259d02afc13f27ce2a34003
SHA256 3461f6954479e0861b65a54e9e6202608308388c119201811abd543394215194
SHA512 05d894f90b7961c3a80baac6e2bd8f01e24ef07117bc61d822c50c3b4c216305ffaf1696b10048607ebf88ce66b93536cd15d6b5319778ca115dbc371c5f924c

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

134s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3908 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3908 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2292 -ip 2292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

129s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2308 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

131s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 2756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3480 wrote to memory of 2756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3480 wrote to memory of 2756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2756-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2756-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 5092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1620 wrote to memory of 5092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1620 wrote to memory of 5092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20240215-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 244

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win10v2004-20240419-en

Max time kernel

131s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 112 -ip 112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-07 03:11

Reported

2024-05-07 03:14

Platform

win7-20231129-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 244

Network

N/A

Files

N/A