Analysis Overview
SHA256
de816e7d788fd665abd28a349bca7aa82e3f866f12bea7041ce7e07afc81c5c1
Threat Level: Known bad
The file 2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Loads dropped DLL
Executes dropped EXE
Program crash
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 00:10
Signatures
Privateloader family
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
NSIS installer
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 228
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2972 wrote to memory of 4912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 4912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 4912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4912 -ip 4912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1096
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3012 wrote to memory of 4536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3012 wrote to memory of 4536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3012 wrote to memory of 4536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3516 wrote to memory of 3584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3516 wrote to memory of 3584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3516 wrote to memory of 3584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.249:443 | www.bing.com | tcp |
| BE | 88.221.83.249:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240215-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 244
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win10v2004-20240508-en
Max time kernel
97s
Max time network
100s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2372 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2372 wrote to memory of 2888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2888 -ip 2888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 88.221.83.249:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 249.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
112s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe
"C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| BE | 2.17.107.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\TvGetVersion.dll
| MD5 | d2c761a29981f8469a4c3071db73cd02 |
| SHA1 | 7e3fa24665b4ddd615dbc2e9b07dd73595836930 |
| SHA256 | 01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11 |
| SHA512 | 420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c |
C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\UserInfo.dll
| MD5 | 352495269f7d223991247cd2f2eec4db |
| SHA1 | 22a4aae719ba575c7b90524595a1eac500c2209f |
| SHA256 | 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1 |
| SHA512 | 07005457d0f76fbb412dbbf094460020b486ebd073446265f252226f52e4705d95a0d05a1f32a39c6f3bd3a9853be837e9425360341581ebf36493939c629608 |
C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\InstallOptions.dll
| MD5 | 44a147533d1439c7b6ef37e2153e3c00 |
| SHA1 | 1f7c3bce46180b1e791b8fc27f576c8c39881e18 |
| SHA256 | d239e6ca779f822e2f28ef9a86bdbbd7a5ea9c7641b7a62a37c9b45b15dc5c8a |
| SHA512 | 85380b45fcc3803c38b9092ed5f310c80390bb40502f2d09599922f0db03b4ea44c7a8c9ddb5ce9d0b6a95c54ae3d79cb58609b197f64f383dacb931c38fd482 |
C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\start_unicode.ini
| MD5 | f1d7983a7acefcf4d6eb384f7cddcb2d |
| SHA1 | 4c645cd34c6c1be9f4b67dca786722534efc1a1e |
| SHA256 | 9eb0c830eb208b17650a7e41f37d65dcc7a0d75e633893eb128482f3929c99d9 |
| SHA512 | 78db9dcdb258cf09029a19ffd042f4916b3c25250a036bbc51fc292c7ae4bdc89b210cd031b2a67e9c3acd227e7d23b97e0d1c7e6bfc90b5b6ee2537e5f9fdcf |
C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\start_unicode.ini
| MD5 | 432b26a081f3a47f8446965f4cd92a58 |
| SHA1 | 57deeb6adad58f85c74f10ee21669277199ed91f |
| SHA256 | 9450e0e0bbd372c4b9c2e845e6bc9a9b8c4002416f6354fd96858b2bb7150698 |
| SHA512 | a21073856d6c75178e51394022e3ba950746718b08a3d2f1d7900c7b7af0d90e80b6f08d659aae7f9ed82b6d55b575001ee2a5cb06d1511672e8203e944dc5af |
memory/3144-242-0x0000000006C90000-0x0000000006C9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\linker.dll
| MD5 | 4ac3f0ab2e423515ed9c575333342054 |
| SHA1 | a3e4f2b2135157f964d471564044b023a64f2532 |
| SHA256 | f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9 |
| SHA512 | 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5 |
C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\start_unicode.ini
| MD5 | 2a8a139cdab38b5f4264ae82850cbd22 |
| SHA1 | 816e8acb2adc36c7f138f963a9802622dfc9536a |
| SHA256 | 94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b |
| SHA512 | d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1 |
C:\Users\Admin\AppData\Local\Temp\nsq3068.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win7-20231129-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 244
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240508-en
Max time kernel
96s
Max time network
100s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2352 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe |
| PID 2352 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe |
| PID 2352 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsk4603.tmp\TvGetVersion.dll
| MD5 | 663fe1b2d25c55c3bde91052f178f6c2 |
| SHA1 | 63e15d773eac5ed7307de6cf533d97d1f37fd65b |
| SHA256 | eff5be397d881fa05640641a71eb43455d73fb6b70a1eb3b2f6efd9a59f01902 |
| SHA512 | 97d5557e203802eb1708ac5414a177a2a6ea76e12c8e92e5af8c706396f201ed04f448002012e8186aecafed447ee7e962f29fb34992bcd9ab13c4250a924fbc |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
| MD5 | b4612cc1939373b0b2b3859fddb678b4 |
| SHA1 | 3312ee73b98f2a75b10a02c8f92d81fcaa827199 |
| SHA256 | 97c17e47ad008c94b2fec451ab6bb7876dd0de5fd02be838d297b902dbf9e5c4 |
| SHA512 | edcdc2a8460774fc104a9467904c51aacaace9c8a78185c4f100380deb50a107bed627bdbc49218f51c303e59e38c583397b447ab201a4f9e2cf481c85a6df36 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini
| MD5 | 22f784a81b879073572395db660a9e81 |
| SHA1 | ceb692cb3a7540ed2b98fc66c061bcf3b89d49e6 |
| SHA256 | 72a464451c98f2b8da4f6e29b5e5f23c034985e2471025ac8df13d32e9aa20a6 |
| SHA512 | f80f70ebd19b7b37fc0939c03b09474c94bbef9bc66eb1e0ec35fe577463332a6161cead9b94d58ab018326bd0219cf60d24ad750acd55b27e8b7a0388f0bdbf |
C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\TvGetVersion.dll
| MD5 | d2c761a29981f8469a4c3071db73cd02 |
| SHA1 | 7e3fa24665b4ddd615dbc2e9b07dd73595836930 |
| SHA256 | 01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11 |
| SHA512 | 420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c |
C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\UserInfo.dll
| MD5 | 352495269f7d223991247cd2f2eec4db |
| SHA1 | 22a4aae719ba575c7b90524595a1eac500c2209f |
| SHA256 | 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1 |
| SHA512 | 07005457d0f76fbb412dbbf094460020b486ebd073446265f252226f52e4705d95a0d05a1f32a39c6f3bd3a9853be837e9425360341581ebf36493939c629608 |
C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |
C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\InstallOptions.dll
| MD5 | 44a147533d1439c7b6ef37e2153e3c00 |
| SHA1 | 1f7c3bce46180b1e791b8fc27f576c8c39881e18 |
| SHA256 | d239e6ca779f822e2f28ef9a86bdbbd7a5ea9c7641b7a62a37c9b45b15dc5c8a |
| SHA512 | 85380b45fcc3803c38b9092ed5f310c80390bb40502f2d09599922f0db03b4ea44c7a8c9ddb5ce9d0b6a95c54ae3d79cb58609b197f64f383dacb931c38fd482 |
C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\advanced_unicode.ini
| MD5 | 8b3e104f11c5d046bd93df4e9fb40f4e |
| SHA1 | 0362bb65744a07563dc05cd612dd54a865233d79 |
| SHA256 | cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1 |
| SHA512 | edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8 |
C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\start_unicode.ini
| MD5 | 2a8a139cdab38b5f4264ae82850cbd22 |
| SHA1 | 816e8acb2adc36c7f138f963a9802622dfc9536a |
| SHA256 | 94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b |
| SHA512 | d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1 |
memory/4132-253-0x00000000023F0000-0x00000000023FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\linker.dll
| MD5 | 4ac3f0ab2e423515ed9c575333342054 |
| SHA1 | a3e4f2b2135157f964d471564044b023a64f2532 |
| SHA256 | f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9 |
| SHA512 | 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5 |
C:\Users\Admin\AppData\Local\Temp\nsw4AD6.tmp\start_unicode.ini
| MD5 | 25734f8e6654f55f06e1348bedd90e6f |
| SHA1 | 640e816089c62c27384fdfadadcef35eb5c148e4 |
| SHA256 | d0429634429a078a1d37941212b5e2c76ac8fdc66ce852e3b3281ec55cdb8b05 |
| SHA512 | 58545ae37ba0bf65db948aa55a2e531f24b7207e09adf617735fec8f8173caa110e9185d2bbecaa5e835997f72a26d30da23ed2782ba9cda64f932391f8eda10 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240508-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 380
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 224
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win7-20231129-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 224
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240508-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 380
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240508-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c6023ceee158ad83ee43d61cc610ced_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nstD6A.tmp\TvGetVersion.dll
| MD5 | 663fe1b2d25c55c3bde91052f178f6c2 |
| SHA1 | 63e15d773eac5ed7307de6cf533d97d1f37fd65b |
| SHA256 | eff5be397d881fa05640641a71eb43455d73fb6b70a1eb3b2f6efd9a59f01902 |
| SHA512 | 97d5557e203802eb1708ac5414a177a2a6ea76e12c8e92e5af8c706396f201ed04f448002012e8186aecafed447ee7e962f29fb34992bcd9ab13c4250a924fbc |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
| MD5 | 72da5c1113c019b8ad3cba4e949b05de |
| SHA1 | e4227dd47207797cef6a7c9688393e6bf9b48860 |
| SHA256 | aefc180ae5e840fc1d8b07708a2e607bedb933d924c2bb37e8fc12c96fd33a52 |
| SHA512 | 93c46aeb47ea1faf828c159554c5275bc4175723ee0f7133f5f4999986f471faf3a93a20327bba0cb25f44299a604fb5b6bf220d39b00a33a756ff92c9425519 |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
| MD5 | 3e8a4329e2928b730cbfbbb15fd93b1b |
| SHA1 | 7c174d6cbce6a5fe47321b21df59bd0e5a3ab594 |
| SHA256 | 70e3320d26b573759bafdf42ebbd6765e8e65c5e40b5d997348c528d0af3e729 |
| SHA512 | 0723c566d554b33e5fb2906ce8b4687cc74cd8e678356bc9fffcecd8f7bff637ab21c753c757dd01dec9ad33fbb8634a6df6a3b168ccfa54944f199583e9573b |
\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
| MD5 | f59ded1e0daca86204d0bf31cfaad760 |
| SHA1 | 2759aedbc99c0c8e540025a673487bfdae085959 |
| SHA256 | e525efe56b2e3aa00879a7a85f7cb28fb12aa1cfe304033be919d119d0bc5fc2 |
| SHA512 | f6f45d9cea241c09edf49bddbc93e8889d63badbc3accc313970b7c7a092b25636b24ed9132b5a3b5ac6ff3f65417b59c2ba574941607955c6507c1657a90b0d |
\Users\Admin\AppData\Local\Temp\nsd1067.tmp\TvGetVersion.dll
| MD5 | d2c761a29981f8469a4c3071db73cd02 |
| SHA1 | 7e3fa24665b4ddd615dbc2e9b07dd73595836930 |
| SHA256 | 01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11 |
| SHA512 | 420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c |
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini
| MD5 | 22f784a81b879073572395db660a9e81 |
| SHA1 | ceb692cb3a7540ed2b98fc66c061bcf3b89d49e6 |
| SHA256 | 72a464451c98f2b8da4f6e29b5e5f23c034985e2471025ac8df13d32e9aa20a6 |
| SHA512 | f80f70ebd19b7b37fc0939c03b09474c94bbef9bc66eb1e0ec35fe577463332a6161cead9b94d58ab018326bd0219cf60d24ad750acd55b27e8b7a0388f0bdbf |
\Users\Admin\AppData\Local\Temp\nsd1067.tmp\UserInfo.dll
| MD5 | 352495269f7d223991247cd2f2eec4db |
| SHA1 | 22a4aae719ba575c7b90524595a1eac500c2209f |
| SHA256 | 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1 |
| SHA512 | 07005457d0f76fbb412dbbf094460020b486ebd073446265f252226f52e4705d95a0d05a1f32a39c6f3bd3a9853be837e9425360341581ebf36493939c629608 |
\Users\Admin\AppData\Local\Temp\nsd1067.tmp\InstallOptions.dll
| MD5 | 44a147533d1439c7b6ef37e2153e3c00 |
| SHA1 | 1f7c3bce46180b1e791b8fc27f576c8c39881e18 |
| SHA256 | d239e6ca779f822e2f28ef9a86bdbbd7a5ea9c7641b7a62a37c9b45b15dc5c8a |
| SHA512 | 85380b45fcc3803c38b9092ed5f310c80390bb40502f2d09599922f0db03b4ea44c7a8c9ddb5ce9d0b6a95c54ae3d79cb58609b197f64f383dacb931c38fd482 |
\Users\Admin\AppData\Local\Temp\nsd1067.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |
memory/2356-260-0x00000000003E0000-0x00000000003EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd1067.tmp\start_unicode.ini
| MD5 | fb255902be48a337ac04e8f8d96bf833 |
| SHA1 | 101c391c2d508d57c9c237fbd8bb9dfbf5cd4557 |
| SHA256 | 3f7799154c15f983d90d06f234654733a907b4356db20ca83dac0e0bb1f12c2f |
| SHA512 | ab509d061f706ab01c72ff46b298c60efbe578613d24a1cb561e5fa6a9451f0df16b602d9b4dcab213ef03b6abf7c520c58b2b8646dde1702ade1e2b89712a9c |
\Users\Admin\AppData\Local\Temp\nsd1067.tmp\linker.dll
| MD5 | 4ac3f0ab2e423515ed9c575333342054 |
| SHA1 | a3e4f2b2135157f964d471564044b023a64f2532 |
| SHA256 | f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9 |
| SHA512 | 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5 |
C:\Users\Admin\AppData\Local\Temp\nsd1067.tmp\start_unicode.ini
| MD5 | 2a8a139cdab38b5f4264ae82850cbd22 |
| SHA1 | 816e8acb2adc36c7f138f963a9802622dfc9536a |
| SHA256 | 94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b |
| SHA512 | d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1 |
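The Files tables above list the same NSIS plugin DLLs (UserInfo.dll, InstallOptions.dll, System.dll, linker.dll, TvGetVersion.dll) under different ns*.tmp directories from one run to the next, and start_unicode.ini twice under a single path with two different hashes. The script below is an added example, not part of the sandbox report: it turns rows of that shape into an indicator set keyed on SHA256 rather than path. Its input is a constructed excerpt copied from the table above; the only external fact it relies on is that NSIS unpacks plugins into $PLUGINSDIR, a randomly named ns????.tmp directory under the user's Temp folder, which the report's own rundll32 command lines also refer to as $PLUGINSDIR.

```python
r"""Deduplicate dropped-file indicators across detonations of one NSIS installer.

Added example, not part of the original report. FILES_SAMPLE is a constructed
excerpt in the shape of the report's Files tables: a path line, then one
'| ALGO | hex |' row per hash; memory dumps appear as a bare 'memory/...' line
with no hashes. NSIS unpacks its plugin DLLs into $PLUGINSDIR, a freshly named
ns????.tmp directory under the user's Temp on every run, so two detonations of
the same installer list identical DLLs under different directories. Keying
the indicator set on SHA256 collapses those; a path that carries two different
hashes (start_unicode.ini here) stays as two indicators, because the installer
rewrote that file during the run.
"""
import re
from collections import defaultdict

FILES_SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\nsd1067.tmp\UserInfo.dll
| MD5 | 352495269f7d223991247cd2f2eec4db |
| SHA1 | 22a4aae719ba575c7b90524595a1eac500c2209f |
| SHA256 | 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1 |
C:\Users\Admin\AppData\Local\Temp\nsd1067.tmp\start_unicode.ini
| MD5 | fb255902be48a337ac04e8f8d96bf833 |
| SHA256 | 3f7799154c15f983d90d06f234654733a907b4356db20ca83dac0e0bb1f12c2f |
memory/2356-260-0x00000000003E0000-0x00000000003EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd1067.tmp\start_unicode.ini
| MD5 | 2a8a139cdab38b5f4264ae82850cbd22 |
| SHA256 | 94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b |
\Users\Admin\AppData\Local\Temp\nso286A.tmp\UserInfo.dll
| MD5 | 352495269f7d223991247cd2f2eec4db |
| SHA1 | 22a4aae719ba575c7b90524595a1eac500c2209f |
| SHA256 | 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
NSIS_TMP = re.compile(r"\\ns[0-9A-Za-z]+\.tmp\\")   # NSIS's random per-run $PLUGINSDIR name
DRIVE = re.compile(r"^[A-Za-z]:")                   # report mixes 'C:\Users\...' and '\Users\...'


def parse_files(text):
    """Return [{'path': str, 'hashes': {ALGO: hex}}, ...] in report order."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m is None:                       # any non-hash line opens a new entry
            current = {"path": line, "hashes": {}}
            records.append(current)
        elif current is None:
            raise ValueError("hash row before any path line")
        else:
            current["hashes"][m.group(1)] = m.group(2).lower()
    return records


def normalize_path(path):
    """Drop the drive letter and replace the random ns????.tmp directory with $PLUGINSDIR."""
    return NSIS_TMP.sub(r"\\$PLUGINSDIR\\", DRIVE.sub("", path))


def summarize(text):
    """Index dropped files by SHA256 and by normalized path; keep hash-less dumps apart."""
    raw_by_sha = defaultdict(set)    # sha256 -> paths exactly as reported
    norm_by_sha = defaultdict(set)   # sha256 -> normalized paths
    sha_by_path = defaultdict(set)   # normalized path -> sha256 values seen there
    dumps = []
    for r in parse_files(text):
        sha = r["hashes"].get("SHA256")
        if sha is None:
            dumps.append(r["path"])
            continue
        p = normalize_path(r["path"])
        raw_by_sha[sha].add(r["path"])
        norm_by_sha[sha].add(p)
        sha_by_path[p].add(sha)
    return {
        "unique_sha256": sorted(raw_by_sha),
        "raw_path_count": {s: len(v) for s, v in raw_by_sha.items()},
        "normalized_path_count": {s: len(v) for s, v in norm_by_sha.items()},
        "rewritten_paths": sorted(p for p, v in sha_by_path.items() if len(v) > 1),
        "memory_dumps": dumps,
    }


if __name__ == "__main__":
    for key, value in summarize(FILES_SAMPLE).items():
        print(key, value)
```

Run against the full Files tables of the report, the same hashes reappear under nsd1067.tmp and nso286A.tmp; the script reports two raw paths but one normalized path for each, and lists start_unicode.ini as a rewritten path so both versions stay in the indicator set.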
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win7-20240221-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
107s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1232 wrote to memory of 2296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1232 wrote to memory of 2296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1232 wrote to memory of 2296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2296 -ip 2296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
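Every rundll32 detonation in this report has the same shape: a command line under the 64-bit C:\Windows\system32\rundll32.exe, the identical command line under C:\Windows\SysWOW64\rundll32.exe, on the Windows 10 images three "PID A wrote to memory of B" rows from the former into the latter, and WerFault started with -p for the second PID. The script below is an added example, not part of the sandbox report: it correlates those rows for one section. The sample is a constructed copy of the behavioral10 rows. The reading built into its verdict fields, that a 64-bit rundll32 handed a 32-bit DLL relaunches the SysWOW64 copy of itself and the writes are that parent preparing its own child rather than injection into a foreign process, is the editor's interpretation of the rows, not a statement the report makes.

```python
r"""Correlate the rundll32, WriteProcessMemory and WerFault rows of one detonation.

Added example, not part of the original report. PROC_SAMPLE is a constructed
copy of the rows the 'behavioral10' section shows: the 64-bit
C:\Windows\system32\rundll32.exe command line, the same command line re-run
as C:\Windows\SysWOW64\rundll32.exe, three 'PID A wrote to memory of B'
indicator rows, and the two WerFault stages. On 64-bit Windows, rundll32
handed a 32-bit DLL relaunches the SysWOW64 copy of itself with the same
arguments, so a write from the system32 image into the SysWOW64 image with
an identical command line is the parent preparing the child it just started,
not a write into an unrelated process. assess() reduces a detonation to:
which DLL and entry point (export name or ordinal, '#1' = ordinal 1) were
invoked, whether the rundll32 images and the writes fit that relaunch
pattern, and whether the PID WerFault reported is that child.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

PROC_SAMPLE = r"""
| PID 1232 wrote to memory of 2296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1232 wrote to memory of 2296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1232 wrote to memory of 2296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Base64.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2296 -ip 2296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 600
"""

WPM_ROW = re.compile(r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|[^|]*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|$")
RUNDLL_CMD = re.compile(r"^rundll32\.exe\s+(.+?\.dll),(\S+)$", re.IGNORECASE)
# Both WerFault stages ('-pss -s N -p PID -ip PID' and '-u -p PID -s N') name the crashed PID after -p.
WERFAULT_CMD = re.compile(r"\\WerFault\.exe\s.*?-p\s+(\d+)", re.IGNORECASE)
SYS64 = "\\system32\\rundll32.exe"
WOW64 = "\\syswow64\\rundll32.exe"


@dataclass
class Detonation:
    dll: Optional[str] = None                           # DLL path handed to rundll32
    entry: Optional[str] = None                         # export name or '#ordinal'
    rundll_images: list = field(default_factory=list)   # rundll32 image paths, report order
    writes: list = field(default_factory=list)          # (writer_pid, target_pid, writer_img, target_img)
    crashed_pids: set = field(default_factory=set)


def parse_detonation(text):
    """Collect the rows of one analysis section into a Detonation."""
    d, prev = Detonation(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := WPM_ROW.match(line):
            d.writes.append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := RUNDLL_CMD.match(line):
            if d.dll is None:
                d.dll, d.entry = m[1], m[2]
            elif (d.dll, d.entry) != (m[1], m[2]):
                raise ValueError("more than one rundll32 target in this section")
            d.rundll_images.append(prev)   # the image path line precedes its command line
        elif m := WERFAULT_CMD.search(line):
            d.crashed_pids.add(int(m[1]))
        prev = line
    return d


def assess(d):
    """Triage verdict for the 'WriteProcessMemory' and 'Program crash' signatures."""
    images = [i.lower() for i in d.rundll_images]
    wow64_relaunch = (len(images) >= 2 and images[0].endswith(SYS64)
                      and any(i.endswith(WOW64) for i in images[1:]))
    writes_fit_relaunch = bool(d.writes) and all(
        w.lower().endswith(SYS64) and t.lower().endswith(WOW64) for _, _, w, t in d.writes)
    parents = {w for w, _, _, _ in d.writes}
    children = {t for _, t, _, _ in d.writes}
    child = next(iter(children)) if len(children) == 1 else None
    return {
        "dll": d.dll.rsplit("\\", 1)[-1] if d.dll else None,
        "entry": d.entry,
        "wow64_relaunch": wow64_relaunch,
        "write_count": len(d.writes),
        "parent_pid": next(iter(parents)) if len(parents) == 1 else None,
        "child_pid": child,
        "writes_fit_relaunch": writes_fit_relaunch,
        "crashed_pids": sorted(d.crashed_pids),
        "crashed_is_child": child is not None and child in d.crashed_pids,
    }


if __name__ == "__main__":
    for key, value in assess(parse_detonation(PROC_SAMPLE)).items():
        print(key, value)
```

For the Windows 7 sections, which carry no "wrote to memory" rows, write_count is 0 and parent_pid and child_pid stay None; the WOW64 relaunch is still recognised from the two rundll32 image paths, and the crashed PID comes from the single WerFault line. A section where the writer is not rundll32, or the target is not the SysWOW64 rundll32 with the same command line, leaves writes_fit_relaunch False and deserves a manual look.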
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 224
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
134s
Command Line
Signatures
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2720 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2720 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\TvGetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2692 -ip 2692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 856
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 2.17.107.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
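The Network tables of the Windows 10 runs are dominated by the image's own Bing traffic and the sandbox's reverse-DNS (in-addr.arpa) lookups, with a few rows that name a destination but no domain. The script below is an added example, not part of the sandbox report: it separates those three kinds of row. Its sample is a constructed excerpt assembled from rows in the tables above, and it accepts the misaligned "| ip:port | tcp | |" form such exports produce when no domain was observed. The baseline domain list is an assumption about this image's background traffic, not a claim the report makes; replace it with your own environment's measured baseline.

```python
"""Split a detonation's Network table into image background traffic and rows to review.

Added example, not part of the original report. NET_SAMPLE is a constructed
excerpt assembled from rows of the report's Network tables. One row is in the
misaligned form such exports use when no domain was observed: the protocol
slides into the Domain column and the Proto column is empty. The sandbox's own
reverse (PTR) lookups are separated out and then used to note whether it
resolved an otherwise nameless destination. BASELINE_DOMAINS is an assumption
about what this Windows 10 image does by itself (Bing/Edge traffic); it is
not derived from the report.
"""
import re

NET_SAMPLE = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.113:443 | www.bing.com | tcp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

PROTOS = {"tcp", "udp"}
BASELINE_DOMAINS = {"bing.com", "bing.net"}   # assumption: sandbox image background traffic
PTR_NAME = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_net_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows, repairing the no-domain variant."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in PROTOS:   # '| ip:port | tcp | |' form
            domain, proto = "", domain.lower()
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """IP an in-addr.arpa name asks about, or None if the name is not a reverse lookup."""
    m = PTR_NAME.match(name)
    return ".".join(reversed(m.groups())) if m else None


def is_baseline(domain):
    return any(domain == b or domain.endswith("." + b) for b in BASELINE_DOMAINS)


def triage(rows):
    """Return PTR targets, unique baseline destinations, and the rows left to review."""
    ptr_targets, baseline, review = set(), set(), []
    for r in rows:
        ip = ptr_target(r["domain"])
        if ip:
            ptr_targets.add(ip)          # the sandbox resolving addresses it saw, not sample traffic
            continue
        if r["domain"] and is_baseline(r["domain"]):
            baseline.add(r["dest"])
        else:
            review.append(r)
    out = []
    for r in review:
        ip = r["dest"].rsplit(":", 1)[0]
        out.append({**r, "reverse_lookup_seen": ip in ptr_targets})
    return {"ptr_targets": sorted(ptr_targets), "baseline": sorted(baseline), "review": out}


if __name__ == "__main__":
    for key, value in triage(parse_net_rows(NET_SAMPLE)).items():
        print(key, value)
```

With the sample, the only row left to review is 52.111.227.11:443, with reverse_lookup_seen True because the sandbox issued a PTR query for that address; a nameless TLS destination that the sandbox itself resolved is a normal place to start when separating installer call-home traffic from the image's own.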
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240419-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 224
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4148 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4148 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4148 wrote to memory of 2864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 123.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe
"C:\Users\Admin\AppData\Local\Temp\$_1_\TeamViewer_.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nso286A.tmp\TvGetVersion.dll
| MD5 | d2c761a29981f8469a4c3071db73cd02 |
| SHA1 | 7e3fa24665b4ddd615dbc2e9b07dd73595836930 |
| SHA256 | 01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11 |
| SHA512 | 420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c |
\Users\Admin\AppData\Local\Temp\nso286A.tmp\UserInfo.dll
| MD5 | 352495269f7d223991247cd2f2eec4db |
| SHA1 | 22a4aae719ba575c7b90524595a1eac500c2209f |
| SHA256 | 2071ad3c37ddc62c9fdbca7e2551d16bee11b0ef0f510cd16ddc098cd368fbc1 |
| SHA512 | 07005457d0f76fbb412dbbf094460020b486ebd073446265f252226f52e4705d95a0d05a1f32a39c6f3bd3a9853be837e9425360341581ebf36493939c629608 |
\Users\Admin\AppData\Local\Temp\nso286A.tmp\InstallOptions.dll
| MD5 | 44a147533d1439c7b6ef37e2153e3c00 |
| SHA1 | 1f7c3bce46180b1e791b8fc27f576c8c39881e18 |
| SHA256 | d239e6ca779f822e2f28ef9a86bdbbd7a5ea9c7641b7a62a37c9b45b15dc5c8a |
| SHA512 | 85380b45fcc3803c38b9092ed5f310c80390bb40502f2d09599922f0db03b4ea44c7a8c9ddb5ce9d0b6a95c54ae3d79cb58609b197f64f383dacb931c38fd482 |
\Users\Admin\AppData\Local\Temp\nso286A.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |
C:\Users\Admin\AppData\Local\Temp\nso286A.tmp\advanced_unicode.ini
| MD5 | 8b3e104f11c5d046bd93df4e9fb40f4e |
| SHA1 | 0362bb65744a07563dc05cd612dd54a865233d79 |
| SHA256 | cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1 |
| SHA512 | edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8 |
C:\Users\Admin\AppData\Local\Temp\nso286A.tmp\start_unicode.ini
| MD5 | ec7513e8d7b17bfb2fc67ca5f27adba7 |
| SHA1 | 42d762c6d8562328b34fadf181fc237d9d1eb44f |
| SHA256 | 806444ab18b27d854be10432615501975d3226e5cbdfd42257faf2a6e3c8c792 |
| SHA512 | ca28ab5fec761cd3361871791052d88a74ee7483699814ac58a2f2bc58b8c2a635a6b29d3058d6fd876f93f09cc35adc143f453ed2c7bfca8f80740239c167a9 |
memory/2968-245-0x00000000003F0000-0x00000000003FE000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso286A.tmp\linker.dll
| MD5 | 4ac3f0ab2e423515ed9c575333342054 |
| SHA1 | a3e4f2b2135157f964d471564044b023a64f2532 |
| SHA256 | f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9 |
| SHA512 | 8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4448 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4448 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4448 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1488 -ip 1488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
106s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4080 wrote to memory of 1300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 1300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4080 wrote to memory of 1300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1300 -ip 1300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.242:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 242.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
99s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1672 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1672 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1672 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 224
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
103s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 3404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4852 wrote to memory of 3404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4852 wrote to memory of 3404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dialogsEx.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| BE | 88.221.83.249:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 249.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3268 wrote to memory of 5056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3268 wrote to memory of 5056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3268 wrote to memory of 5056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 5056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
102s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1448 wrote to memory of 1804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1448 wrote to memory of 1804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1448 wrote to memory of 1804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1804 -ip 1804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| BE | 2.17.107.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:12
Platform
win10v2004-20240508-en
Max time kernel
124s
Max time network
134s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4616 wrote to memory of 1168 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4616 wrote to memory of 1168 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4616 wrote to memory of 1168 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1168 -ip 1168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.219:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-10 00:09
Reported
2024-05-10 00:13
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 224