Analysis Overview
SHA256
852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc
Threat Level: Known bad
The file 852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc.jar was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 01:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe
"C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4052 -ip 4052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1060
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsk3903.tmp\BgImage.dll
| MD5 | 9436196007f65f0ae96f64b1c8b2572e |
| SHA1 | 4b004b5c2865c9450876be83faa8cc96e1d12c01 |
| SHA256 | 286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9 |
| SHA512 | 5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e |
C:\Users\Admin\AppData\Local\Temp\nsk3903.tmp\nsDialogs.dll
| MD5 | 82c3f38cd34739872af07443c65d0bd8 |
| SHA1 | 1f4ee2d394404a291eda6419f856adaf4b960237 |
| SHA256 | 59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311 |
| SHA512 | 3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d |
C:\Users\Admin\AppData\Local\Temp\nsk3903.tmp\System.dll
| MD5 | 8b3830b9dbf87f84ddd3b26645fed3a0 |
| SHA1 | 223bef1f19e644a610a0877d01eadc9e28299509 |
| SHA256 | f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37 |
| SHA512 | d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
| MD5 | 09a0e8fd105017f435df611a76abc6ba |
| SHA1 | 652cc35f713838740d968e775f722905975c22ce |
| SHA256 | 4afd0cc39070d2cd073f73aaf9105ff9699f7643ee8d5fd5496bf0e2378c886a |
| SHA512 | 404ce29a674dda5d00f4e6dbb12885f9d6b5f1e28b467749dcd07b610661e6a74843418eb515c25db14046d4c6d607d70ad8d572790e7a3802d8e16598d9431b |
memory/4052-45-0x0000000004350000-0x0000000005FCB000-memory.dmp
memory/4052-46-0x0000000077D81000-0x0000000077EA1000-memory.dmp
memory/4052-47-0x0000000004350000-0x0000000005FCB000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win7-20240215-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1992 wrote to memory of 4048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1992 wrote to memory of 4048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1992 wrote to memory of 4048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4464 wrote to memory of 3560 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4464 wrote to memory of 3560 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4464 wrote to memory of 3560 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3560 -ip 3560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 78.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win10v2004-20240426-en
Max time kernel
129s
Max time network
98s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4852 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4852 wrote to memory of 1472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1472 -ip 1472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
macos-20240410-en
Max time kernel
144s
Max time network
127s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "open /Users/run/Duramen/Sabbatters.app"]
/bin/bash
[sh -c sudo /bin/zsh -c "open /Users/run/Duramen/Sabbatters.app"]
/usr/bin/sudo
[sudo /bin/zsh -c open /Users/run/Duramen/Sabbatters.app]
/bin/zsh
[/bin/zsh -c open /Users/run/Duramen/Sabbatters.app]
/usr/bin/open
[open /Users/run/Duramen/Sabbatters.app]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0BF23177/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| US | 151.101.67.6:443 | tcp | |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.42.73.27:443 | tcp | |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| SE | 104.73.93.106:443 | help.apple.com | tcp |
| SE | 104.73.93.106:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win7-20240220-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe
"C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nso19C9.tmp\BgImage.dll
| MD5 | 9436196007f65f0ae96f64b1c8b2572e |
| SHA1 | 4b004b5c2865c9450876be83faa8cc96e1d12c01 |
| SHA256 | 286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9 |
| SHA512 | 5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e |
\Users\Admin\AppData\Local\Temp\nso19C9.tmp\nsDialogs.dll
| MD5 | 82c3f38cd34739872af07443c65d0bd8 |
| SHA1 | 1f4ee2d394404a291eda6419f856adaf4b960237 |
| SHA256 | 59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311 |
| SHA512 | 3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d |
\Users\Admin\AppData\Local\Temp\nso19C9.tmp\System.dll
| MD5 | 8b3830b9dbf87f84ddd3b26645fed3a0 |
| SHA1 | 223bef1f19e644a610a0877d01eadc9e28299509 |
| SHA256 | f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37 |
| SHA512 | d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
| MD5 | 2fee8e36e6f1fb6f6908c631a5e2ce0c |
| SHA1 | e69471aa493c2ff281b770701bb1548cbea1d4c8 |
| SHA256 | bc77233827a841b71b4df67bbdad2a9cb657c7e877147194e0e0ea70de989147 |
| SHA512 | 3328021a6999e7492212796afd1111ceece09829b45e1a204b8b61c20606b5fa50d92c099364f7960afd0c34744e3ccc84ec0b43abd5a4263f6d3c7e1225928d |
memory/2192-48-0x0000000003720000-0x000000000539B000-memory.dmp
memory/2192-49-0x0000000077481000-0x0000000077582000-memory.dmp
memory/2192-50-0x0000000077480000-0x0000000077629000-memory.dmp
memory/2192-51-0x0000000003720000-0x000000000539B000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1560 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1560 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2496 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2496 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2496 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 01:55
Reported
2024-05-22 01:58
Platform
win7-20240419-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 244