Analysis Overview
SHA256
852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc
Threat Level: Known bad
The file 852a0d477d29d18d5b7c419e4d64a90761e04c908fc7171e2faab5ad40021fbc.jar was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Resource Forking
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 14:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win10v2004-20240508-en
Max time kernel
96s
Max time network
97s
Command Line
Signatures
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe
"C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 512 -ip 512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 1060
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\BgImage.dll
| MD5 | 9436196007f65f0ae96f64b1c8b2572e |
| SHA1 | 4b004b5c2865c9450876be83faa8cc96e1d12c01 |
| SHA256 | 286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9 |
| SHA512 | 5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e |
C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\nsDialogs.dll
| MD5 | 82c3f38cd34739872af07443c65d0bd8 |
| SHA1 | 1f4ee2d394404a291eda6419f856adaf4b960237 |
| SHA256 | 59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311 |
| SHA512 | 3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d |
C:\Users\Admin\AppData\Local\Temp\nsd67B4.tmp\System.dll
| MD5 | 8b3830b9dbf87f84ddd3b26645fed3a0 |
| SHA1 | 223bef1f19e644a610a0877d01eadc9e28299509 |
| SHA256 | f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37 |
| SHA512 | d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
| MD5 | d574991a4df6d0d76d59b5c65ab0423f |
| SHA1 | ebac8847ca2fb8610bfff14c315761ef5870b1e6 |
| SHA256 | 3ded11541e82aa7b94e2dd827b63f2de4db589ee5914b906085d4ddfbbadb695 |
| SHA512 | 89ab4ca99730bfedd36802281fe4f723d1b9cbca2acae999b7b5d5672567d94b00294d1e1a94acba135a750d2b267d46e01356b0dae89e553a9da34defc68925 |
memory/512-45-0x0000000004320000-0x0000000005F9B000-memory.dmp
memory/512-46-0x0000000077191000-0x00000000772B1000-memory.dmp
memory/512-47-0x0000000004320000-0x0000000005F9B000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win7-20240508-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 224
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 244
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 396 wrote to memory of 3248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 396 wrote to memory of 3248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 396 wrote to memory of 3248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 644
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win7-20240215-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe
"C:\Users\Admin\AppData\Local\Temp\xerox322200524.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nst1F64.tmp\BgImage.dll
| MD5 | 9436196007f65f0ae96f64b1c8b2572e |
| SHA1 | 4b004b5c2865c9450876be83faa8cc96e1d12c01 |
| SHA256 | 286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9 |
| SHA512 | 5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e |
\Users\Admin\AppData\Local\Temp\nst1F64.tmp\nsDialogs.dll
| MD5 | 82c3f38cd34739872af07443c65d0bd8 |
| SHA1 | 1f4ee2d394404a291eda6419f856adaf4b960237 |
| SHA256 | 59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311 |
| SHA512 | 3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d |
\Users\Admin\AppData\Local\Temp\nst1F64.tmp\System.dll
| MD5 | 8b3830b9dbf87f84ddd3b26645fed3a0 |
| SHA1 | 223bef1f19e644a610a0877d01eadc9e28299509 |
| SHA256 | f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37 |
| SHA512 | d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk
| MD5 | 51fa4aa550487f844278f2d4214cbd70 |
| SHA1 | 57c9cd1cea75d4b446cdd4e14e6f8069bfb0ba85 |
| SHA256 | f459f9a9fb45277c316e410f16dc15e8eda27a8ee31d200135efffaf50726024 |
| SHA512 | 948a2d95ec2f78e8a206d1d3340c50f692d9f7d62a95ae5bb17eef6fdbe45d44bab12e4e4d65b3417b01586c68bed678678babb8f2106843571706d897482b02 |
memory/2932-48-0x0000000003880000-0x00000000054FB000-memory.dmp
memory/2932-49-0x0000000077061000-0x0000000077162000-memory.dmp
memory/2932-50-0x0000000077060000-0x0000000077209000-memory.dmp
memory/2932-51-0x0000000003880000-0x00000000054FB000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1508 wrote to memory of 1596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1508 wrote to memory of 1596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1508 wrote to memory of 1596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1508 wrote to memory of 1596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1508 wrote to memory of 1596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1508 wrote to memory of 1596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1508 wrote to memory of 1596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1716 wrote to memory of 4924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1716 wrote to memory of 4924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1716 wrote to memory of 4924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win7-20240215-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 764 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 764 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 764 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 764 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 764 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 764 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 764 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2004 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2004 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2004 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
106s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3352 wrote to memory of 4356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3352 wrote to memory of 4356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3352 wrote to memory of 4356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 14:29
Reported
2024-05-22 14:31
Platform
macos-20240410-en
Max time kernel
136s
Max time network
142s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "open /Users/run/Duramen/Sabbatters.app"]
/bin/bash
[sh -c sudo /bin/zsh -c "open /Users/run/Duramen/Sabbatters.app"]
/usr/bin/sudo
[sudo /bin/zsh -c open /Users/run/Duramen/Sabbatters.app]
/bin/zsh
[/bin/zsh -c open /Users/run/Duramen/Sabbatters.app]
/usr/bin/open
[open /Users/run/Duramen/Sabbatters.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.suggestd]
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.knowledge-agent]
/usr/libexec/knowledge-agent
[/usr/libexec/knowledge-agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.siri.context.service]
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.newsyslog]
/usr/sbin/newsyslog
[/usr/sbin/newsyslog]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.2:443 | tcp | |
| US | 8.8.8.8:53 | onedscolprdeus06.eastus.cloudapp.azure.com | udp |
| US | 20.42.73.25:443 | onedscolprdeus06.eastus.cloudapp.azure.com | tcp |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| NL | 23.209.125.28:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| NL | 72.246.172.153:443 | tcp | |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| NL | 23.209.125.22:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| SE | 104.73.93.106:443 | help.apple.com | tcp |
| SE | 104.73.93.106:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | gsp-ssl.ls.apple.com | udp |
| GB | 17.253.77.203:443 | gsp-ssl.ls.apple.com | tcp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1285.xml
| MD5 | 9a43af57707d2fb460832049d1f217d1 |
| SHA1 | 056d813f8cb5198ca82072f7e3484f38ea5267f8 |
| SHA256 | 7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c |
| SHA512 | 1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | 0efb23b182562b87d329e5c0a0a4a900 |
| SHA1 | 9f9fe1123ff227e6233ec7566577fe27b4322aaa |
| SHA256 | b407147e7986ea47649ba6ec039fba535672ef27e41e5ed80738520fd669419a |
| SHA512 | 4cbc46b8624a32a4ed29ff52e9942b0e0316979d49bdc200678dcbbb345ba8427fa90129addbad0df064a369ad3bf124179a07072b2ba00da415689b8fce9d7b |
/Users/run/Library/Caches/GeoServices/Experiments.pbd
| MD5 | 50a0460fbc95d20eea145cb248565cae |
| SHA1 | 20fe5f7424ca831d165254ab6a849fa034f442d7 |
| SHA256 | 42ed3730a63216925f8e9a0c65f66726e823c065604f90bad62ac2184928a800 |
| SHA512 | d5c64cce25ee865ff4bb36ae127a518dd313c23b64453d1e3aac0e26da6a50e1f503aaa319bc195a5c202dd61c168c00ca69cf8f4a2134905d3ad70e5224e9dc |