Malware Analysis Report

2025-08-05 12:51

Sample ID 240509-cnwrjsch6y
Target caada1d448c6b4ffedeffc3f598005d0_NEIKI
SHA256 b267fc474977cc4b40c6956662ea7e8c073e68ca003b1cbc54c159154f181d8a
Tags bootkit discovery persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b267fc474977cc4b40c6956662ea7e8c073e68ca003b1cbc54c159154f181d8a

Threat Level: Shows suspicious behavior

The file caada1d448c6b4ffedeffc3f598005d0_NEIKI was classified as: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 02:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe"

C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe

"C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsy148C.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsy148C.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/2840-14-0x00000000004B1000-0x00000000004B2000-memory.dmp

memory/2840-13-0x00000000004B0000-0x00000000004B3000-memory.dmp

\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe

MD5 1b65ca9566e6fcc4f5286a8bdd9518ee
SHA1 0744a66417dc712701b426d26ecd4b811b7065dd
SHA256 dfa88f801ad48651ac69e19154fd5248710b2c80b4c902f9763c2a07a4e54623
SHA512 47f9505c9ecf38c4ee1be397bab976416ad7a15eaf82aa905e304c44782a132dfa0c6a75d3ce37a85e8ffcd335617be880e6a758e5be8060b91b5158508fe829

C:\Users\Admin\AppData\Roaming\qxz\config.ini

MD5 98efa8568aed419201ecb2350293ae0c
SHA1 4a43c3d1297534734c4075e3af7f82655c07e388
SHA256 71f4a6f8fef1aadd97d12f79860a6709e2901bf3cf7061017c6e70ba4c61b2ab
SHA512 cbeaa53e11b063b2a7641468148c671d4c4f0b32bb7fd423cf614275c0453f0ee35d28415a9040769f13d4189eabb3c03bef184bd6854135b018daf6a14f3f4b

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\少年群侠传.lnk

MD5 975497c60683fd106a21c15600bf2ef5
SHA1 1deef9939b5724076d34d4f2b7bb2035fec2445b
SHA256 bd0f15afeb8f864f35935c9a2da35417677f085b1e2fcbbc14430d5c7a2bd924
SHA512 4be9582517de007717209ecce2f42b5ca5585736ffb6a06c4a6b79ed5b45f7e1a3f96e7bff852a7c185ed29413850a9943fba9a6e302b235d9566cef3ca21849

memory/2840-65-0x0000000004FE1000-0x0000000004FE2000-memory.dmp

memory/2840-64-0x0000000004FE0000-0x0000000004FE3000-memory.dmp

C:\Users\Admin\AppData\Roaming\qxz\config.dll

MD5 f9da380edeade2cd43e88209aa5f5593
SHA1 639cbdb652bfd2bbcccba9629a3e3bd99b4085f4
SHA256 4bd67a9d8c2cab01c6f11bed72ebbcc350cdfae84bc88f4999a1cf580a63cfe4
SHA512 b0da97fd3bd6397fe4bba8ef63e4f0821f15663a864c85f2f9449851859f123478fb61d9a638384d48a2ec749400d2340948b76f3658e82e5080ea940e102b60

memory/2840-76-0x00000000004B1000-0x00000000004B2000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2928 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 1904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 224

Network

N/A

Files

memory/1028-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/1028-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2684 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2684 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2684 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/212-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/212-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe

"C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
CN 193.112.84.233:80 gameapp.37.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1688-3-0x0000000002500000-0x0000000002501000-memory.dmp

memory/1688-4-0x0000000002500000-0x0000000002501000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win7-20240220-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 244

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 228

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win7-20240215-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224

Network

N/A

Files

memory/2012-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2012-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1004 wrote to memory of 3196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1004 wrote to memory of 3196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1004 wrote to memory of 3196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

memory/3196-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/3196-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe

"C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp

Files

memory/1216-3-0x0000000000B90000-0x0000000000B91000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\caada1d448c6b4ffedeffc3f598005d0_NEIKI.exe"

C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe

"C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe" SW_SHOWNORMAL

C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe

"C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb57A7.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsb57A7.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/4544-17-0x0000000004711000-0x0000000004712000-memory.dmp

memory/4544-16-0x0000000004710000-0x0000000004713000-memory.dmp

memory/4544-15-0x0000000004710000-0x0000000004713000-memory.dmp

C:\Users\Admin\AppData\Roaming\qxz\config.ini

MD5 98efa8568aed419201ecb2350293ae0c
SHA1 4a43c3d1297534734c4075e3af7f82655c07e388
SHA256 71f4a6f8fef1aadd97d12f79860a6709e2901bf3cf7061017c6e70ba4c61b2ab
SHA512 cbeaa53e11b063b2a7641468148c671d4c4f0b32bb7fd423cf614275c0453f0ee35d28415a9040769f13d4189eabb3c03bef184bd6854135b018daf6a14f3f4b

C:\Users\Admin\AppData\Roaming\qxz\wour_wrnd.exe

MD5 1b65ca9566e6fcc4f5286a8bdd9518ee
SHA1 0744a66417dc712701b426d26ecd4b811b7065dd
SHA256 dfa88f801ad48651ac69e19154fd5248710b2c80b4c902f9763c2a07a4e54623
SHA512 47f9505c9ecf38c4ee1be397bab976416ad7a15eaf82aa905e304c44782a132dfa0c6a75d3ce37a85e8ffcd335617be880e6a758e5be8060b91b5158508fe829

C:\Users\Admin\AppData\Local\Temp\nsb57A7.tmp\KillProcDLL.dll

MD5 99f345cf51b6c3c317d20a81acb11012
SHA1 b3d0355f527c536ea14a8ff51741c8739d66f727
SHA256 c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93
SHA512 937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

memory/4544-62-0x0000000004821000-0x0000000004822000-memory.dmp

memory/4544-61-0x0000000004820000-0x0000000004823000-memory.dmp

memory/4544-60-0x0000000004DC1000-0x0000000004DC2000-memory.dmp

memory/4544-59-0x0000000004DC0000-0x0000000004DC3000-memory.dmp

C:\Users\Admin\AppData\Roaming\qxz\config.dll

MD5 f9da380edeade2cd43e88209aa5f5593
SHA1 639cbdb652bfd2bbcccba9629a3e3bd99b4085f4
SHA256 4bd67a9d8c2cab01c6f11bed72ebbcc350cdfae84bc88f4999a1cf580a63cfe4
SHA512 b0da97fd3bd6397fe4bba8ef63e4f0821f15663a864c85f2f9449851859f123478fb61d9a638384d48a2ec749400d2340948b76f3658e82e5080ea940e102b60

memory/4544-74-0x0000000004711000-0x0000000004712000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win7-20240419-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 224

Network

N/A

Files

memory/2316-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2316-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config.ini | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

139s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE
PID 4388 wrote to memory of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.137:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 240

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 244

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win10v2004-20240508-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 1244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical entries)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE (64 identical entries)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

N/A

Files

memory/1216-{0..28}-0x0000000002490000-0x0000000002491000-memory.dmp (29 dumps of the same region of PID 1216, sequence numbers 0 through 28)

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A (2 identical entries)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (2 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A (2 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe N/A (22 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe

"C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe" /uninstallsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 174.35.118.62:80 d.wanyouxi7.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 62.118.35.174.in-addr.arpa udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 78366c7f86a685e23eb897c6f34eb503
SHA1 1c01a172a7137890b6b5a4b4fac0f9d8562b5ac0
SHA256 51f44ce9c10bc7a860c431ee7f16c2012fe88513c87d7efad7757c35c2a59c4b
SHA512 20967b60bb14a8772978ba71b3e4e4e8cc7ac934889d01a52486885f1099b02b16091ccc549c9b6117713f72aedc02694d71449ac89db692bf1ab8a9d0d3456a

C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/3984-10-0x0000000010000000-0x0000000010003000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst5BFC.tmp\inetc.dll

MD5 c498ae64b4971132bba676873978de1e
SHA1 92e4009cd776b6c8616d8bffade7668ef3cb3c27
SHA256 5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8
SHA512 8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

C:\Users\Admin\AppData\Local\Temp\config.ini

MD5 74ed4c94c0bf9e64ddd3d81e90bc8e44
SHA1 f0a5721e6e7b64408a7aba1a51f0c4c281dced33
SHA256 20e4f8b6a34dd809495e912b22f8527b27758b489459ade68bf2fdd4c3bb4d53
SHA512 e9181b9fa0761750f245ff7ddd9b8a1f912e0042b3e0ad58a694a9ad59f5e3ed7f29fd8b29f434285a7d2a4d675cf583c6fffbc362a478a065a67c4237c09cf9

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win7-20240508-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 440 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical entries)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 440 -ip 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config.ini C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 2160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical entries)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (2 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (7 identical entries)
PID 2196 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe

"C:\Users\Admin\AppData\Local\Temp\wour_wrnd.exe" /uninstallsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 138.113.101.12:80 d.wanyouxi7.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 78366c7f86a685e23eb897c6f34eb503
SHA1 1c01a172a7137890b6b5a4b4fac0f9d8562b5ac0
SHA256 51f44ce9c10bc7a860c431ee7f16c2012fe88513c87d7efad7757c35c2a59c4b
SHA512 20967b60bb14a8772978ba71b3e4e4e8cc7ac934889d01a52486885f1099b02b16091ccc549c9b6117713f72aedc02694d71449ac89db692bf1ab8a9d0d3456a

\Users\Admin\AppData\Local\Temp\nsd3370.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/2196-12-0x0000000010000000-0x0000000010003000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd3370.tmp\inetc.dll

MD5 c498ae64b4971132bba676873978de1e
SHA1 92e4009cd776b6c8616d8bffade7668ef3cb3c27
SHA256 5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8
SHA512 8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

C:\Users\Admin\AppData\Local\Temp\config.ini

MD5 b9e922ed99ed720ba19a779f3d6ed688
SHA1 f3119081e3732f10fe66a4b1ed33ffc43ad7c49c
SHA256 374e7067b81f5d72894a1fee4d89d83e25159e1bf0c8be44b469fee17977f8df
SHA512 4cd2eec4186f6541018103a8b2ebb872b9a97a7b9fefce0f4ee3a97487440fac349e915fffd476ce14c9c594bfac876160e3c86381d4df3f81693225a5fa6f70

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE (32 identical entries)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

N/A

Files

memory/1192-{0,2,...,58}-0x0000000002510000-0x0000000002511000-memory.dmp (30 dumps of the same region of PID 1192, even sequence numbers 0 through 58)

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 224

Network

N/A

Files

memory/2488-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2488-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 4880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 624 wrote to memory of 4880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 624 wrote to memory of 4880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4880 -ip 4880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4880-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4880-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 4044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 536 wrote to memory of 4044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 536 wrote to memory of 4044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 208.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4044-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4044-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:16

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 5044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4392 wrote to memory of 5044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4392 wrote to memory of 5044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1584 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1584 wrote to memory of 1652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 208.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-09 02:13

Reported

2024-05-09 02:17

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
(64 identical rows)
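
The sandbox files every cross-process write under the same "Suspicious use of WriteProcessMemory" signature, so the tables on this page mix two very different things: the 64-bit rundll32 writing into the 32-bit rundll32 it just launched (behavioral8, 20, 24, 26), and a binary running out of the user's Temp directory writing 64 times into Explorer.EXE while holding SeDebugPrivilege (behavioral16, the table above). The script below is an added example, not part of the sandbox output or the sample: it parses the row format used in these tables, collapses duplicates, attaches the AdjustPrivilegeToken evidence to the writing process and ranks the results. The rule that a parent writing into a freshly created copy of the same Windows binary is expected process-creation noise, while a Temp-resident image writing into Explorer is an injection candidate, is the author's triage heuristic, not something the report states; the sample rows are constructed from the behavioral16 and behavioral8 tables.

```python
"""Triage helper for the 'Suspicious use of WriteProcessMemory' tables in this report.

Added example, not sandbox output.  Assumption (not stated on the page): Windows
writes a new child's startup data into the child with WriteProcessMemory, so a
parent writing into a freshly spawned copy of the same Windows binary
(system32\\rundll32.exe -> SysWOW64\\rundll32.exe) is expected noise, whereas a
binary running from a user-writable directory writing into Explorer.EXE is not.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Row layout used by the report: "PID <src> wrote to memory of <dst> <indicator> <process> <target>"
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<ind>\S+) (?P<proc>C:\\.+?) (?P<target>C:\\.+)$"
)
# Row layout of the AdjustPrivilegeToken signature: "Token: <privilege> <indicator> <process> <target>"
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) (?P<ind>\S+) (?P<proc>C:\\.+?) (?P<target>\S+)$")

# Directories an unprivileged user can write to; an image loaded from here is untrusted.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOWS_DIR = "c:\\windows\\"


@dataclass(frozen=True)
class Finding:
    src_pid: int
    dst_pid: int
    process: str
    target: str
    count: int
    verdict: str
    debug_privilege: bool


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(process: str, target: str) -> str:
    p, t = process.lower(), target.lower()
    # Same image name, both under C:\Windows, writer not in a user-writable dir:
    # the WoW64 relaunch seen in the rundll32 detonations.
    if (_basename(p) == _basename(t) and p.startswith(WINDOWS_DIR)
            and t.startswith(WINDOWS_DIR) and not p.startswith(USER_WRITABLE)):
        return "process-launch"
    # Untrusted image writing into a Windows binary: the classic injection shape.
    if p.startswith(USER_WRITABLE) and t.startswith(WINDOWS_DIR):
        return "injection-candidate"
    return "review"


def triage(rows):
    """Collapse duplicate rows, attach SeDebugPrivilege evidence, return findings most suspicious first."""
    writes = Counter()
    debug_holders = set()
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if m:
            writes[(int(m["src"]), int(m["dst"]), m["proc"], m["target"])] += 1
            continue
        m = TOKEN_RE.match(row.strip())
        if m and m["priv"] == "SeDebugPrivilege":
            debug_holders.add(m["proc"].lower())
    findings = [
        Finding(src, dst, proc, tgt, n, classify(proc, tgt), proc.lower() in debug_holders)
        for (src, dst, proc, tgt), n in writes.items()
    ]
    order = {"injection-candidate": 0, "review": 1, "process-launch": 2}
    return sorted(findings, key=lambda f: (order[f.verdict], -f.count))


# Constructed from the behavioral16 (64 identical rows) and behavioral8 (3 rows) tables on this page.
SAMPLE_ROWS = (
    ["Token: SeDebugPrivilege N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\iconTips.exe N/A"]
    + ["PID 5072 wrote to memory of 3500 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\iconTips.exe C:\\Windows\\Explorer.EXE"] * 64
    + ["PID 624 wrote to memory of 4880 N/A C:\\Windows\\system32\\rundll32.exe C:\\Windows\\SysWOW64\\rundll32.exe"] * 3
)

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        flag = " +SeDebugPrivilege" if f.debug_privilege else ""
        print(f"{f.verdict:20} {f.count:3}x PID {f.src_pid} -> {f.dst_pid}  {f.process} -> {f.target}{flag}")
```

Run against the rows above, the iconTips.exe -> Explorer.EXE writes come out first as a single injection-candidate finding with the SeDebugPrivilege flag set, and the three rundll32 rows fold into one process-launch finding. Anything the heuristic cannot place lands in "review" rather than being silently dropped.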

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 208.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
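
Every Windows 10 detonation on this page (behavioral8, 20, 24, 26 and 16) shows the same network shape: DNS to 8.8.8.8, a run of in-addr.arpa reverse lookups, and HTTPS to g.bing.com, www.bing.com and tse1.mm.bing.net. That traffic appears even in the runs whose only activity was a rundll32 crash, so it is platform background rather than something the sample initiated. The classifier below is an added example, not part of the sandbox output: it parses the "Country Destination Domain Proto" rows, including the rows with an empty Domain column, separates the recurring background from anything unexplained, and leaves the latter for the analyst. The background host list and the reading of the reverse lookups as OS/sandbox resolver activity are the author's assumptions drawn from these tables, not statements the report makes; the sample rows are constructed from the behavioral24 table.

```python
"""Classifier for the 'Country Destination Domain Proto' tables in this report.

Added example, not sandbox output.  Assumption (drawn from the tables on this
page, not stated by the report): the Bing hosts and the in-addr.arpa reverse
lookups recur in every Windows 10 run regardless of command line, so they are
treated as platform background.  Everything else goes to 'unattributed'.
"""
from collections import defaultdict
from dataclasses import dataclass

BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")   # hosts seen in every win10 run above
SANDBOX_RESOLVER = "8.8.8.8"                        # the only DNS server in these tables


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_row(row: str) -> Flow:
    """Rows have 3 or 4 whitespace-separated columns; Domain is blank in some rows above."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    return Flow(country, ip, int(port), domain, proto)


def classify(flow: Flow) -> str:
    host = flow.domain.lower()
    if flow.port == 53 and host.endswith(".in-addr.arpa"):
        return "ptr-lookup"      # reverse lookups of peers the VM talked to
    if host and (host == "bing.com" or host.endswith(BACKGROUND_SUFFIXES)):
        return "background"      # Windows 10 search/Spotlight fetches seen in every run
    if flow.port == 53 and flow.ip == SANDBOX_RESOLVER:
        return "dns-query"       # forward lookups, including the blank-domain rows
    return "unattributed"        # no domain and not a known background host: review


def summarize(rows):
    """Group distinct (ip, port, domain) triples by category, deduplicating repeated connections."""
    buckets = defaultdict(set)
    for row in rows:
        if not row.strip():
            continue
        f = parse_row(row)
        buckets[classify(f)].add((f.ip, f.port, f.domain))
    return {k: sorted(v) for k, v in buckets.items()}


def unattributed(rows):
    """The only flows that still need an analyst after background is removed."""
    return summarize(rows).get("unattributed", [])


# Constructed from the behavioral24 table on this page (a representative subset of its rows).
SAMPLE_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
""".strip().splitlines()

if __name__ == "__main__":
    for category, flows in summarize(SAMPLE_ROWS).items():
        print(category)
        for ip, port, domain in flows:
            print(f"  {ip}:{port} {domain or '-'}")
```

On the behavioral24 rows the only flow left unattributed is the TCP/443 connection to 52.111.236.23 with no domain, which is exactly the row a reviewer should look at rather than the Bing noise around it. The script does not decide what that host is; it only makes sure the one unexplained destination is not buried under two dozen expected ones.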

Files

N/A