Malware Analysis Report

2025-01-02 07:35

Sample ID 240510-afxyjafb5t
Target 2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118
SHA256 de816e7d788fd665abd28a349bca7aa82e3f866f12bea7041ce7e07afc81c5c1
Tags
upx privateloader
score
10/10

Analysis Overview

score
10/10

SHA256

de816e7d788fd665abd28a349bca7aa82e3f866f12bea7041ce7e07afc81c5c1

Threat Level: Known bad

The file 2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx privateloader

Privateloader family

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

Executes dropped EXE

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 00:10

Signatures

Privateloader family

privateloader

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 228

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

Signatures

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 4912 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1096

Network

Country Destination Domain Proto
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 123.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4536 -ip 4536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 3584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3516 wrote to memory of 3584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3516 wrote to memory of 3584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3584 -ip 3584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
BE 88.221.83.249:443 www.bing.com tcp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 249.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240215-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 244

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win10v2004-20240508-en

Max time kernel

97s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2888 -ip 2888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 249.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe

"C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.99:443 www.bing.com tcp
US 8.8.8.8:53 99.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.107.99:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\TvGetVersion.dll

MD5 d2c761a29981f8469a4c3071db73cd02
SHA1 7e3fa24665b4ddd615dbc2e9b07dd73595836930
SHA256 01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11
SHA512 420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\UserInfo.dll

MD5 352495269f7d223991247cd2f2eec4db
SHA1 22a4aae719ba575c7b90524595a1eac500c2209f
SHA256 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1
SHA512 07005457d0f76fbb412dbbf094460020b486ebd073446265f252226f52e4705d95a0d05a1f32a39c6f3bd3a9853be837e9425360341581ebf36493939c629608

C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\InstallOptions.dll

MD5 44a147533d1439c7b6ef37e2153e3c00
SHA1 1f7c3bce46180b1e791b8fc27f576c8c39881e18
SHA256 d239e6ca779f822e2f28ef9a86bdbbd7a5ea9c7641b7a62a37c9b45b15dc5c8a
SHA512 85380b45fcc3803c38b9092ed5f310c80390bb40502f2d09599922f0db03b4ea44c7a8c9ddb5ce9d0b6a95c54ae3d79cb58609b197f64f383dacb931c38fd482

C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\start_unicode.ini

MD5 f1d7983a7acefcf4d6eb384f7cddcb2d
SHA1 4c645cd34c6c1be9f4b67dca786722534efc1a1e
SHA256 9eb0c830eb208b17650a7e41f37d65dcc7a0d75e633893eb128482f3929c99d9
SHA512 78db9dcdb258cf09029a19ffd042f4916b3c25250a036bbc51fc292c7ae4bdc89b210cd031b2a67e9c3acd227e7d23b97e0d1c7e6bfc90b5b6ee2537e5f9fdcf

C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\start_unicode.ini

MD5 432b26a081f3a47f8446965f4cd92a58
SHA1 57deeb6adad58f85c74f10ee21669277199ed91f
SHA256 9450e0e0bbd372c4b9c2e845e6bc9a9b8c4002416f6354fd96858b2bb7150698
SHA512 a21073856d6c75178e51394022e3ba950746718b08a3d2f1d7900c7b7af0d90e80b6f08d659aae7f9ed82b6d55b575001ee2a5cb06d1511672e8203e944dc5af

memory/3144-242-0x0000000006C90000-0x0000000006C9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\linker.dll

MD5 4ac3f0ab2e423515ed9c575333342054
SHA1 a3e4f2b2135157f964d471564044b023a64f2532
SHA256 f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9
SHA512 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\start_unicode.ini

MD5 2a8a139cdab38b5f4264ae82850cbd22
SHA1 816e8acb2adc36c7f138f963a9802622dfc9536a
SHA256 94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b
SHA512 d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1

C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win7-20231129-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 244

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240508-en

Max time kernel

96s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsk4603.tmp\TvGetVersion.dll

MD5 663fe1b2d25c55c3bde91052f178f6c2
SHA1 63e15d773eac5ed7307de6cf533d97d1f37fd65b
SHA256 eff5be397d881fa05640641a71eb43455d73fb6b70a1eb3b2f6efd9a59f01902
SHA512 97d5557e203802eb1708ac5414a177a2a6ea76e12c8e92e5af8c706396f201ed04f448002012e8186aecafed447ee7e962f29fb34992bcd9ab13c4250a924fbc

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 b4612cc1939373b0b2b3859fddb678b4
SHA1 3312ee73b98f2a75b10a02c8f92d81fcaa827199
SHA256 97c17e47ad008c94b2fec451ab6bb7876dd0de5fd02be838d297b902dbf9e5c4
SHA512 edcdc2a8460774fc104a9467904c51aacaace9c8a78185c4f100380deb50a107bed627bdbc49218f51c303e59e38c583397b447ab201a4f9e2cf481c85a6df36

C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

MD5 22f784a81b879073572395db660a9e81
SHA1 ceb692cb3a7540ed2b98fc66c061bcf3b89d49e6
SHA256 72a464451c98f2b8da4f6e29b5e5f23c034985e2471025ac8df13d32e9aa20a6
SHA512 f80f70ebd19b7b37fc0939c03b09474c94bbef9bc66eb1e0ec35fe577463332a6161cead9b94d58ab018326bd0219cf60d24ad750acd55b27e8b7a0388f0bdbf

C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\TvGetVersion.dll

MD5 d2c761a29981f8469a4c3071db73cd02
SHA1 7e3fa24665b4ddd615dbc2e9b07dd73595836930
SHA256 01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11
SHA512 420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\UserInfo.dll

MD5 352495269f7d223991247cd2f2eec4db
SHA1 22a4aae719ba575c7b90524595a1eac500c2209f
SHA256 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1
SHA512 07005457d0f76fbb412dbbf094460020b486ebd073446265f252226f52e4705d95a0d05a1f32a39c6f3bd3a9853be837e9425360341581ebf36493939c629608

C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\InstallOptions.dll

MD5 44a147533d1439c7b6ef37e2153e3c00
SHA1 1f7c3bce46180b1e791b8fc27f576c8c39881e18
SHA256 d239e6ca779f822e2f28ef9a86bdbbd7a5ea9c7641b7a62a37c9b45b15dc5c8a
SHA512 85380b45fcc3803c38b9092ed5f310c80390bb40502f2d09599922f0db03b4ea44c7a8c9ddb5ce9d0b6a95c54ae3d79cb58609b197f64f383dacb931c38fd482

C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\advanced_unicode.ini

MD5 8b3e104f11c5d046bd93df4e9fb40f4e
SHA1 0362bb65744a07563dc05cd612dd54a865233d79
SHA256 cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1
SHA512 edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\start_unicode.ini

MD5 2a8a139cdab38b5f4264ae82850cbd22
SHA1 816e8acb2adc36c7f138f963a9802622dfc9536a
SHA256 94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b
SHA512 d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1

memory/4132-253-0x00000000023F0000-0x00000000023FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\linker.dll

MD5 4ac3f0ab2e423515ed9c575333342054
SHA1 a3e4f2b2135157f964d471564044b023a64f2532
SHA256 f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9
SHA512 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\start_unicode.ini

MD5 25734f8e6654f55f06e1348bedd90e6f
SHA1 640e816089c62c27384fdfadadcef35eb5c148e4
SHA256 d0429634429a078a1d37941212b5e2c76ac8fdc66ce852e3b3281ec55cdb8b05
SHA512 58545ae37ba0bf65db948aa55a2e531f24b7207e09adf617735fec8f8173caa110e9185d2bbecaa5e835997f72a26d30da23ed2782ba9cda64f932391f8eda10

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

Signatures

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 380

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 224

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

Signatures

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 380

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240508-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 224

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nstD6A.tmp\TvGetVersion.dll

MD5 663fe1b2d25c55c3bde91052f178f6c2
SHA1 63e15d773eac5ed7307de6cf533d97d1f37fd65b
SHA256 eff5be397d881fa05640641a71eb43455d73fb6b70a1eb3b2f6efd9a59f01902
SHA512 97d5557e203802eb1708ac5414a177a2a6ea76e12c8e92e5af8c706396f201ed04f448002012e8186aecafed447ee7e962f29fb34992bcd9ab13c4250a924fbc

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 72da5c1113c019b8ad3cba4e949b05de
SHA1 e4227dd47207797cef6a7c9688393e6bf9b48860
SHA256 aefc180ae5e840fc1d8b07708a2e607bedb933d924c2bb37e8fc12c96fd33a52
SHA512 93c46aeb47ea1faf828c159554c5275bc4175723ee0f7133f5f4999986f471faf3a93a20327bba0cb25f44299a604fb5b6bf220d39b00a33a756ff92c9425519

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 3e8a4329e2928b730cbfbbb15fd93b1b
SHA1 7c174d6cbce6a5fe47321b21df59bd0e5a3ab594
SHA256 70e3320d26b573759bafdf42ebbd6765e8e65c5e40b5d997348c528d0af3e729
SHA512 0723c566d554b33e5fb2906ce8b4687cc74cd8e678356bc9fffcecd8f7bff637ab21c753c757dd01dec9ad33fbb8634a6df6a3b168ccfa54944f199583e9573b

\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

MD5 f59ded1e0daca86204d0bf31cfaad760
SHA1 2759aedbc99c0c8e540025a673487bfdae085959
SHA256 e525efe56b2e3aa00879a7a85f7cb28fb12aa1cfe304033be919d119d0bc5fc2
SHA512 f6f45d9cea241c09edf49bddbc93e8889d63badbc3accc313970b7c7a092b25636b24ed9132b5a3b5ac6ff3f65417b59c2ba574941607955c6507c1657a90b0d

\Users\Admin\AppData\Local\Temp\nsd1067.tmp\TvGetVersion.dll

MD5 d2c761a29981f8469a4c3071db73cd02
SHA1 7e3fa24665b4ddd615dbc2e9b07dd73595836930
SHA256 01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11
SHA512 420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

MD5 22f784a81b879073572395db660a9e81
SHA1 ceb692cb3a7540ed2b98fc66c061bcf3b89d49e6
SHA256 72a464451c98f2b8da4f6e29b5e5f23c034985e2471025ac8df13d32e9aa20a6
SHA512 f80f70ebd19b7b37fc0939c03b09474c94bbef9bc66eb1e0ec35fe577463332a6161cead9b94d58ab018326bd0219cf60d24ad750acd55b27e8b7a0388f0bdbf

\Users\Admin\AppData\Local\Temp\nsd1067.tmp\UserInfo.dll

MD5 352495269f7d223991247cd2f2eec4db
SHA1 22a4aae719ba575c7b90524595a1eac500c2209f
SHA256 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1
SHA512 07005457d0f76fbb412dbbf094460020b486ebd073446265f252226f52e4705d95a0d05a1f32a39c6f3bd3a9853be837e9425360341581ebf36493939c629608

\Users\Admin\AppData\Local\Temp\nsd1067.tmp\InstallOptions.dll

MD5 44a147533d1439c7b6ef37e2153e3c00
SHA1 1f7c3bce46180b1e791b8fc27f576c8c39881e18
SHA256 d239e6ca779f822e2f28ef9a86bdbbd7a5ea9c7641b7a62a37c9b45b15dc5c8a
SHA512 85380b45fcc3803c38b9092ed5f310c80390bb40502f2d09599922f0db03b4ea44c7a8c9ddb5ce9d0b6a95c54ae3d79cb58609b197f64f383dacb931c38fd482

\Users\Admin\AppData\Local\Temp\nsd1067.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

memory/2356-260-0x00000000003E0000-0x00000000003EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd1067.tmp\start_unicode.ini

MD5 fb255902be48a337ac04e8f8d96bf833
SHA1 101c391c2d508d57c9c237fbd8bb9dfbf5cd4557
SHA256 3f7799154c15f983d90d06f234654733a907b4356db20ca83dac0e0bb1f12c2f
SHA512 ab509d061f706ab01c72ff46b298c60efbe578613d24a1cb561e5fa6a9451f0df16b602d9b4dcab213ef03b6abf7c520c58b2b8646dde1702ade1e2b89712a9c

\Users\Admin\AppData\Local\Temp\nsd1067.tmp\linker.dll

MD5 4ac3f0ab2e423515ed9c575333342054
SHA1 a3e4f2b2135157f964d471564044b023a64f2532
SHA256 f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9
SHA512 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

C:\Users\Admin\AppData\Local\Temp\nsd1067.tmp\start_unicode.ini

MD5 2a8a139cdab38b5f4264ae82850cbd22
SHA1 816e8acb2adc36c7f138f963a9802622dfc9536a
SHA256 94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b
SHA512 d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1232 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1232 wrote to memory of 2296 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2296 -ip 2296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 123.107.17.2.in-addr.arpa udp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

Signatures

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2692 -ip 2692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 856

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240419-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4148 wrote to memory of 2864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4148 wrote to memory of 2864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4148 wrote to memory of 2864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 123.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe

"C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nso286A.tmp\TvGetVersion.dll

MD5 d2c761a29981f8469a4c3071db73cd02
SHA1 7e3fa24665b4ddd615dbc2e9b07dd73595836930
SHA256 01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11
SHA512 420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

\Users\Admin\AppData\Local\Temp\nso286A.tmp\UserInfo.dll

MD5 352495269f7d223991247cd2f2eec4db
SHA1 22a4aae719ba575c7b90524595a1eac500c2209f
SHA256 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1
SHA512 07005457d0f76fbb412dbbf094460020b486ebd073446265f252226f52e4705d95a0d05a1f32a39c6f3bd3a9853be837e9425360341581ebf36493939c629608

\Users\Admin\AppData\Local\Temp\nso286A.tmp\InstallOptions.dll

MD5 44a147533d1439c7b6ef37e2153e3c00
SHA1 1f7c3bce46180b1e791b8fc27f576c8c39881e18
SHA256 d239e6ca779f822e2f28ef9a86bdbbd7a5ea9c7641b7a62a37c9b45b15dc5c8a
SHA512 85380b45fcc3803c38b9092ed5f310c80390bb40502f2d09599922f0db03b4ea44c7a8c9ddb5ce9d0b6a95c54ae3d79cb58609b197f64f383dacb931c38fd482

\Users\Admin\AppData\Local\Temp\nso286A.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

C:\Users\Admin\AppData\Local\Temp\nso286A.tmp\advanced_unicode.ini

MD5 8b3e104f11c5d046bd93df4e9fb40f4e
SHA1 0362bb65744a07563dc05cd612dd54a865233d79
SHA256 cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1
SHA512 edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

C:\Users\Admin\AppData\Local\Temp\nso286A.tmp\start_unicode.ini

MD5 ec7513e8d7b17bfb2fc67ca5f27adba7
SHA1 42d762c6d8562328b34fadf181fc237d9d1eb44f
SHA256 806444ab18b27d854be10432615501975d3226e5cbdfd42257faf2a6e3c8c792
SHA512 ca28ab5fec761cd3361871791052d88a74ee7483699814ac58a2f2bc58b8c2a635a6b29d3058d6fd876f93f09cc35adc143f453ed2c7bfca8f80740239c167a9

memory/2968-245-0x00000000003F0000-0x00000000003FE000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso286A.tmp\linker.dll

MD5 4ac3f0ab2e423515ed9c575333342054
SHA1 a3e4f2b2135157f964d471564044b023a64f2532
SHA256 f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9
SHA512 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4448 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4448 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4448 wrote to memory of 1488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 1300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4080 wrote to memory of 1300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4080 wrote to memory of 1300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 242.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1672 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1672 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 224

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 3404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4852 wrote to memory of 3404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4852 wrote to memory of 3404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 249.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3268 wrote to memory of 5056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3268 wrote to memory of 5056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3268 wrote to memory of 5056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1448 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1448 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1804 -ip 1804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:12

Platform

win10v2004-20240508-en

Max time kernel

124s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4616 wrote to memory of 1168 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4616 wrote to memory of 1168 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4616 wrote to memory of 1168 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1168 -ip 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-10 00:09

Reported

2024-05-10 00:13

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 224

Network

N/A

Files

N/A