Analysis Overview
SHA256
4177896c930119f07b65ac86de3d2aad4499844edf3080908f33e31df343c90a
Threat Level: Known bad
The file 3808e7514decc8b947582ca9439c3cfb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detect Blackmoon payload
Blackmoon, KrBanker
VMProtect packed file
UPX packed file
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer start page
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-12 03:31
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe
"C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe"
Network
Files
memory/1964-0-0x0000000000400000-0x00000000004D6000-memory.dmp
memory/1964-1-0x00000000775D0000-0x00000000775D1000-memory.dmp
memory/1964-2-0x00000000775CF000-0x00000000775D0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\游戏攻略教程 - 9553资讯.url"
Network
Files
memory/2344-0-0x00000000003E0000-0x00000000003E1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\[桃花仙人·T·冯] - 安全防护模块.fxz | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| File opened for modification | C:\Windows\[桃花仙人·T·冯] - 安全防护模块.fxz | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k89076094" | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
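The indicators in this run are the ones a detection engineer would key on: Common.exe, executing from the user's Temp directory, rewrites the Internet Explorer Start Page to a 2345.com URL and creates a file directly under C:\Windows; in behavioral7 and behavioral8 below, regsvr32.exe points a CLSID's InprocServer32 at iYuwei.dll in that same Temp directory. The WriteProcessMemory rows in those later runs are the 64-bit regsvr32.exe handing the 32-bit DLL to its SysWOW64 counterpart, which is the normal path for registering a 32-bit COM server on 64-bit Windows, so the process relationship is a poor detection key on its own and the rules below look at the registry value data instead. The following is an added example, not part of the sandbox report and not any vendor's rule set: it runs three rules over constructed Sysmon-style events (EventID 11 file creates and EventID 13 registry SetValue) whose paths, SID, CLSID, URL and DLL name are copied from this report (the dropped file name is given after GBK decoding); the event layout, the field names, the user-writable-path list and the browser allow-list are assumptions.

```python
"""Detection rules for the registry and file activity seen in this report,
run over constructed Sysmon-style events.

Added example, not the sandbox's own code. Paths, SID, CLSID and URL come
from the report; the event shape and the allow-lists are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record: 11 = FileCreate, 13 = RegistryEvent (SetValue)."""
    event_id: int
    image: str          # process that performed the action
    target: str         # file path (id 11) or registry value path (id 13)
    details: str = ""   # value data for id 13


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Locations a standard user can write to without elevation (assumed list).
_USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)
_START_PAGE = re.compile(r"\\internet explorer\\main\\start page$", re.IGNORECASE)
_INPROC_SERVER = re.compile(
    r"\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32(\\\(default\))?$", re.IGNORECASE
)
# Processes that legitimately rewrite the IE start page (assumed allow-list).
BROWSER_IMAGES = {"iexplore.exe", "explorer.exe", "msedge.exe"}


def is_user_writable(path: str) -> bool:
    return _USER_WRITABLE.match(path) is not None


def rule_ie_start_page_hijack(ev: Event) -> bool:
    """Start Page rewritten by something other than a browser."""
    return (ev.event_id == 13
            and _START_PAGE.search(ev.target) is not None
            and basename(ev.image) not in BROWSER_IMAGES)


def rule_windows_dir_drop(ev: Event) -> bool:
    """File created under the Windows directory (Temp excluded) by a binary
    that itself lives in a user-writable path."""
    t = ev.target.lower()
    return (ev.event_id == 11
            and t.startswith("c:\\windows\\")
            and not t.startswith("c:\\windows\\temp\\")
            and is_user_writable(ev.image))


def rule_com_server_in_user_path(ev: Event) -> bool:
    """InprocServer32 pointing a CLSID at a DLL in a user-writable directory.
    Checks the value data, not the writer: regsvr32 is always the writer."""
    return (ev.event_id == 13
            and _INPROC_SERVER.search(ev.target) is not None
            and is_user_writable(ev.details))


RULES = {
    "ie_start_page_hijack": rule_ie_start_page_hijack,
    "windows_dir_drop": rule_windows_dir_drop,
    "com_server_in_user_path": rule_com_server_in_user_path,
}


def run_rules(events):
    """Return (rule_name, event) for every rule that fires, in event order."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308"
SID = r"S-1-5-21-1337824034-2731376981-3755436523-1000"
CLSID = r"{C691BF80-87AF-43A7-AD56-28D5DA857FBD}"

# Constructed events mirroring behavioral4 (Common.exe) and behavioral7/8 (regsvr32).
MALICIOUS_EVENTS = [
    Event(13, SAMPLE_DIR + r"\Common.exe",
          r"HKU\%s\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page" % SID,
          "http://www.2345.com/?k89076094"),
    Event(11, SAMPLE_DIR + r"\Common.exe",
          r"C:\Windows\[桃花仙人·T·冯] - 安全防护模块.fxz"),
    Event(13, r"C:\Windows\SysWOW64\regsvr32.exe",
          r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\%s\InprocServer32\(Default)" % CLSID,
          SAMPLE_DIR + r"\iYuwei.dll"),
]
# Constructed benign controls: the same keys touched by expected actors.
BENIGN_EVENTS = [
    Event(13, r"C:\Program Files\Internet Explorer\iexplore.exe",
          r"HKU\%s\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page" % SID,
          "https://www.msn.com/"),
    Event(11, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\MpCmdRun.log"),
    Event(13, r"C:\Windows\SysWOW64\regsvr32.exe",
          r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\%s\InprocServer32\(Default)" % CLSID,
          r"C:\Program Files (x86)\Vendor\vendor.dll"),
]

if __name__ == "__main__":
    for name, ev in run_rules(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"{name}: {ev.image} -> {ev.target}")
```

The three malicious events each trip exactly one rule and none of the benign controls trip any; in a real pipeline the same predicates map directly onto Sysmon Event ID 11 and 13 fields (Image, TargetObject, TargetFilename, Details).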
Processes
C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe
"C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/3588-0-0x0000000000400000-0x0000000000D81000-memory.dmp
memory/3588-1-0x0000000000401000-0x00000000004A8000-memory.dmp
memory/3588-2-0x0000000000400000-0x0000000000D81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lazycommon.dll
| MD5 | 033d1db88147b6dab9a1795027a87e74 |
| SHA1 | f6e9f5e82af3e9546711d42aab705a494e851d44 |
| SHA256 | a85b830cec14449763cc174d600324372798f2bb8c5276546419cc6b2563db1c |
| SHA512 | 7689fc5812fc89e27f5691259c15e4109b3ecfd1933393e1d9ce2d63acc37149aa4cf6124c353b62b39352162e9509d7b49caeaabc1618c8e495a14cef095e33 |
memory/3588-9-0x0000000010000000-0x00000000100AA000-memory.dmp
memory/3588-11-0x0000000000400000-0x0000000000D81000-memory.dmp
memory/3588-13-0x0000000000400000-0x0000000000D81000-memory.dmp
memory/3588-12-0x0000000010000000-0x00000000100AA000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Update.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Update.exe
"C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Update.exe"
Network
Files
memory/2028-0-0x0000000000400000-0x00000000004FB000-memory.dmp
memory/2028-1-0x0000000000400000-0x00000000004FB000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Update.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Update.exe
"C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 |  | udp |
Files
memory/1528-0-0x0000000000400000-0x00000000004FB000-memory.dmp
memory/1528-1-0x0000000000400000-0x00000000004FB000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win7-20240508-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID\ = "{C691BF80-87AF-43A7-AD56-28D5DA857FBD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywsj_20150311\\余味视距20150308\\iYuwei.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\ = "EyLoginSoft Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer\ = "EyLogin.EyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID\ = "EyLogin.EyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ = "IEyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID\ = "EyLogin.EyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}\ = "EyLogin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywsj_20150311\\余味视距20150308" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ = "EyLoginSoft Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywsj_20150311\\余味视距20150308\\iYuwei.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL\AppID = "{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\ = "EyLogin 1.0.2.5 类型库" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ = "IEyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
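The TypeLib display name written in this table and the file name dropped under C:\Windows in behavioral4 were emitted by the sandbox as runs of Latin-1 characters such as `°²È«·À»¤Ä£¿é` and `ÀàÐÍ¿â`. The underlying bytes are GBK, the code page of Chinese-locale Windows that this installer was built for; read back as GBK they are 安全防护模块 ("security protection module") and 类型库 ("type library"). The following is an added example, not part of the sandbox report: it re-encodes such text with the single-byte table the display layer used and decodes the result as GBK, leaving anything that does not round-trip untouched rather than guessing. The sample strings are the two indicators as the report printed them; the heuristic for what counts as mojibake is an assumption.

```python
"""Repair GBK text that a sandbox rendered as Latin-1/cp1252 mojibake.

Added example, not part of the sandbox report. The sample strings are the
report's own indicators as printed; the code and the heuristic are ours.
"""
import re

# Two or more consecutive "high" Latin-1 characters with no CJK text present
# is the usual signature of double-byte bytes shown as single-byte characters.
_HIGH_RUN = re.compile(r"[\u00a1-\u00ff]{2,}")
_CJK = re.compile(r"[\u4e00-\u9fff]")


def looks_like_mojibake(text: str) -> bool:
    return _HIGH_RUN.search(text) is not None and _CJK.search(text) is None


def repair_gbk_mojibake(text: str) -> str:
    """Recover the original GBK string from its cp1252/Latin-1 rendering.

    The display layer read each GBK byte as one character; re-encoding those
    characters with the same single-byte table returns the original bytes,
    which then decode as GBK. cp1252 is tried first because GBK lead bytes in
    0x80-0x9F show up as cp1252 punctuation, which Latin-1 cannot encode.
    Text that does not round-trip cleanly is returned unchanged.
    """
    if not looks_like_mojibake(text):
        return text
    for single_byte in ("cp1252", "latin-1"):
        try:
            raw = text.encode(single_byte)
        except UnicodeEncodeError:
            continue
        try:
            return raw.decode("gbk")
        except UnicodeDecodeError:
            return text
    return text


# Indicators as this report printed them (copied verbatim).
REPORT_STRINGS = [
    "[ÌÒ»¨ÏÉÈË¡¤T¡¤·ë] - °²È«·À»¤Ä£¿é.fxz",   # file created under C:\Windows
    "EyLogin 1.0.2.5 ÀàÐÍ¿â",                   # TypeLib 1.0 display name
    r"C:\Windows\SysWOW64\regsvr32.exe",        # plain ASCII: must pass through
]


def repair_all(strings):
    return [repair_gbk_mojibake(s) for s in strings]


if __name__ == "__main__":
    for before, after in zip(REPORT_STRINGS, repair_all(REPORT_STRINGS)):
        print(f"{before!r} -> {after!r}")
```

The same round trip applies to any Chinese-locale sample whose strings a Western-locale sandbox shows as accented Latin letters; if a string was instead produced on a Japanese or Korean host, substitute cp932 or cp949 for gbk.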
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1700 wrote to memory of 2456 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1700 wrote to memory of 2456 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1700 wrote to memory of 2456 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1700 wrote to memory of 2456 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1700 wrote to memory of 2456 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1700 wrote to memory of 2456 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1700 wrote to memory of 2456 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\iYuwei.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\iYuwei.dll
Network
Files
memory/2456-0-0x00000000740E0000-0x00000000745AB000-memory.dmp
memory/2456-1-0x00000000740E0000-0x00000000745AB000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win10v2004-20240508-en
Max time kernel
124s
Max time network
127s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywsj_20150311\\余味视距20150308" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ = "EyLoginSoft Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\ = "EyLogin 1.0.2.5 类型库" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer\ = "EyLogin.EyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL\AppID = "{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID\ = "EyLogin.EyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywsj_20150311\\余味视距20150308\\iYuwei.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ = "IEyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ = "IEyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\ProgID\ = "EyLogin.EyLoginSoft" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\ = "EyLoginSoft Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A}\ = "EyLogin" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID\ = "{C691BF80-87AF-43A7-AD56-28D5DA857FBD}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C691BF80-87AF-43A7-AD56-28D5DA857FBD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywsj_20150311\\余味视距20150308\\iYuwei.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\TypeLib\ = "{B9096DAC-F8A6-4874-BDAC-C5A79217CE98}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29D16463-BCC9-4BD5-B4E7-07CB4AC0768A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C8E441E-B77B-44AF-BBDA-548EA8FF0638}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2836 wrote to memory of 4644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2836 wrote to memory of 4644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2836 wrote to memory of 4644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\iYuwei.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\iYuwei.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3640,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
memory/4644-0-0x0000000075190000-0x000000007565B000-memory.dmp
memory/4644-1-0x0000000075190000-0x000000007565B000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe
"C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\补丁.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 528
Network
Files
memory/1532-0-0x0000000000400000-0x00000000004D6000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\游戏攻略教程 - 9553资讯.url"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win7-20240221-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\9553下载站.url
Network
Files
memory/2224-0-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win10v2004-20240426-en
Max time kernel
129s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\9553下载站.url
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-12 03:31
Reported
2024-05-12 03:34
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\[桃花仙人·T·风] - 安全防护模块.fxz | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| File opened for modification | C:\Windows\[桃花仙人·T·风] - 安全防护模块.fxz | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k89076094" | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe
"C:\Users\Admin\AppData\Local\Temp\ywsj_20150311\余味视距20150308\Common.exe"
Network
Files
memory/2904-0-0x0000000000400000-0x0000000000D81000-memory.dmp
memory/2904-1-0x00000000774B0000-0x00000000774B1000-memory.dmp
memory/2904-3-0x00000000774B0000-0x00000000774B1000-memory.dmp
memory/2904-7-0x0000000076870000-0x0000000076871000-memory.dmp
memory/2904-10-0x0000000000401000-0x00000000004A8000-memory.dmp
memory/2904-9-0x0000000000400000-0x0000000000D81000-memory.dmp
\Users\Admin\AppData\Local\Temp\lazycommon.dll
| MD5 | 033d1db88147b6dab9a1795027a87e74 |
| SHA1 | f6e9f5e82af3e9546711d42aab705a494e851d44 |
| SHA256 | a85b830cec14449763cc174d600324372798f2bb8c5276546419cc6b2563db1c |
| SHA512 | 7689fc5812fc89e27f5691259c15e4109b3ecfd1933393e1d9ce2d63acc37149aa4cf6124c353b62b39352162e9509d7b49caeaabc1618c8e495a14cef095e33 |
memory/2904-17-0x0000000000400000-0x0000000000D81000-memory.dmp
memory/2904-16-0x0000000010000000-0x00000000100AA000-memory.dmp
memory/2904-19-0x0000000000400000-0x0000000000D81000-memory.dmp
memory/2904-20-0x0000000010000000-0x00000000100AA000-memory.dmp