Malware Analysis Report

2024-10-18 23:09

Sample ID 240522-rvh7csed59
Target a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
SHA256 a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f
Tags
guloader downloader persistence collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f

Threat Level: Known bad

The file a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader persistence collection spyware stealer

Guloader,Cloudeye

NirSoft WebBrowserPassView

NirSoft MailPassView

Nirsoft

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 14:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 14:30

Reported

2024-05-22 14:33

Platform

win7-20240221-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Tjenestetiders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Moonblind\\Chokoladecigarerne.exe" C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2784 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2784 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2784 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2784 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2784 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"

Network

Country Destination Domain Proto
BG 194.59.31.149:80 194.59.31.149 tcp
US 8.8.8.8:53 iwarsut775laudrye2.duckdns.org udp
AU 192.253.251.227:57484 iwarsut775laudrye2.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\Pictures\belejrernes.lnk

MD5 b7587f5155c372c444f16a4440646869
SHA1 17e3b2a17cf705a5446d5a64661adcd53d3849f8
SHA256 d34f554d253fc59e51ce24fe37ff1b71588a299f720ad67312e5701eb270c6f2
SHA512 9c13e79fe47e21c9405877ccc85c5e91843e26ec5afa4b2dc43b1a1c18a66875b224b3586dec182e3587ffdefd297a620aaf2720f26818ace95d620a987f62ca

\Users\Admin\AppData\Local\Temp\nsdEE1.tmp\System.dll

MD5 fc3772787eb239ef4d0399680dcc4343
SHA1 db2fa99ec967178cd8057a14a428a8439a961a73
SHA256 9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
SHA512 79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

memory/2784-291-0x0000000000400000-0x00000000004AF000-memory.dmp

memory/1572-292-0x0000000000400000-0x00000000004AF000-memory.dmp

memory/1572-294-0x00000000004B0000-0x0000000001512000-memory.dmp

memory/1572-295-0x0000000001520000-0x0000000006D7F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 14:30

Reported

2024-05-22 14:33

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"

Signatures

Guloader,Cloudeye

downloader guloader

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Tjenestetiders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Moonblind\\Chokoladecigarerne.exe" C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 1056 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 1056 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 1056 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 1056 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
PID 2516 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\civfegacpvnkrdyckf"

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\mciyfyldddfxurmgtpremf"

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\wenrgrwxrlxcexiklalypsxpv"
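Reading the two behavioral runs together: the sample starts a second copy of its own image and writes into it (behavioral1: PID 2784 into 1572; behavioral2: PID 1056 into 2516), and in behavioral2 the second copy then starts three more copies of the same image (988, 5004, 3396), writes into each, and passes each a `/stext "<Temp file>"` argument. `/stext` is the NirSoft command-line switch that writes a tool's recovered credentials to a plain-text file, which is consistent with the WebBrowserPassView / MailPassView signatures on this run; the three random-named Temp files (one of them, civfegacpvnkrdyckf, is listed under Files) are the artifacts to collect. The three children also have different image sizes in the memory dumps (0x78000, 0x62000 and 0x24000 bytes at 0x400000), consistent with three different payloads placed into identical host processes. The RunOnce value Tjenestetiders points into %TEMP%\Moonblind; RunOnce entries are removed when they fire, so on a live host the dropped executable, not the registry value, is what remains, and the report's Files list does not show that file being written, so confirm it on the host. The script below is an added example and not part of the report: it takes a constructed Sysmon-style event stream (field names are assumed; PIDs, paths and arguments are copied from behavioral2, the outer parent PID and the Edge PIDs are made up) and flags (a) a process writing into a child that runs its own image, (b) /stext invocations, and (c) Run/RunOnce values that point into a user profile, while leaving a same-image browser helper process unflagged.

```python
"""Added example, not from the sandbox report: flag self-injection, NirSoft
/stext dumps and user-profile autoruns in a Sysmon-style event stream."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe")
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events (assumed field names) modelled on the behavioral2 run:
# PIDs, image paths, /stext arguments and the RunOnce value come from the
# report; the parent PID 700 and the Edge PIDs are made up.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1056, "ppid": 700, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "ProcessCreate", "pid": 2516, "ppid": 1056, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "ProcessAccess", "src": 1056, "dst": 2516, "op": "WriteProcessMemory"},
    {"type": "ProcessCreate", "pid": 988, "ppid": 2516, "image": SAMPLE,
     "cmdline": f'{SAMPLE} /stext "{TEMP}\\civfegacpvnkrdyckf"'},
    {"type": "ProcessAccess", "src": 2516, "dst": 988, "op": "WriteProcessMemory"},
    {"type": "ProcessCreate", "pid": 5004, "ppid": 2516, "image": SAMPLE,
     "cmdline": f'{SAMPLE} /stext "{TEMP}\\mciyfyldddfxurmgtpremf"'},
    {"type": "ProcessAccess", "src": 2516, "dst": 5004, "op": "WriteProcessMemory"},
    {"type": "RegistrySet", "pid": 2516,
     "key": r"HKU\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft"
            r"\Windows\CurrentVersion\RunOnce\Tjenestetiders",
     "value": TEMP + r"\Moonblind\Chokoladecigarerne.exe"},
    # Benign control: a browser starting a helper of its own image without any
    # cross-process write. It must not be flagged.
    {"type": "ProcessCreate", "pid": 4300, "ppid": 700, "image": EDGE, "cmdline": f'"{EDGE}"'},
    {"type": "ProcessCreate", "pid": 4321, "ppid": 4300, "image": EDGE,
     "cmdline": f'"{EDGE}" --type=utility'},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
STEXT = re.compile(r'(?:^|\s)/stext\s+"?([^"]+)"?', re.IGNORECASE)


def _procs(events):
    return {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}


def find_self_injection(events):
    """(writer, target) pairs where a process writes into a child that runs the
    writer's own image: the pattern behind the report's 'PID X wrote to memory
    of Y' rows. Requiring the write keeps ordinary same-image helpers out."""
    procs = _procs(events)
    hits = []
    for e in events:
        if e["type"] != "ProcessAccess" or e["op"] != "WriteProcessMemory":
            continue
        src, dst = procs.get(e["src"]), procs.get(e["dst"])
        if (src and dst and dst["ppid"] == src["pid"]
                and dst["image"].lower() == src["image"].lower()):
            hits.append((e["src"], e["dst"]))
    return hits


def find_stext_dumps(events):
    """(pid, output file) for every NirSoft-style '/stext <file>' invocation;
    the file is where the tool writes the credentials it recovers."""
    hits = []
    for e in events:
        if e["type"] == "ProcessCreate":
            m = STEXT.search(e["cmdline"])
            if m:
                hits.append((e["pid"], m.group(1)))
    return hits


def find_profile_autoruns(events):
    """(pid, value name, target) for Run/RunOnce values whose target lives
    under a user profile, i.e. a path the user (and malware) can write to."""
    return [(e["pid"], e["key"].rsplit("\\", 1)[1], e["value"])
            for e in events
            if e["type"] == "RegistrySet"
            and RUN_KEY.search(e["key"])
            and USER_PROFILE.match(e["value"])]


def triage(events):
    return {"self_injection": find_self_injection(events),
            "stext_dumps": find_stext_dumps(events),
            "profile_autoruns": find_profile_autoruns(events)}


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

The same-image check alone would fire on every browser or Office helper process, which is why the self-injection rule also requires a WriteProcessMemory from parent to child; on a real Sysmon feed that corresponds to Event ID 10 with a write-capable access mask, which this constructed schema collapses into the `op` field.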

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
BG 194.59.31.149:80 194.59.31.149 tcp
US 8.8.8.8:53 149.31.59.194.in-addr.arpa udp
US 8.8.8.8:53 iwarsut775laudrye2.duckdns.org udp
AU 192.253.251.227:57484 iwarsut775laudrye2.duckdns.org tcp
US 8.8.8.8:53 227.251.253.192.in-addr.arpa udp
AU 192.253.251.227:57484 iwarsut775laudrye2.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
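Reading the Network table: the 8.8.8.8:53 rows are the sandbox's resolver (Google Public DNS), the *.in-addr.arpa rows are reverse lookups, and the bing.com / bing.net rows are Windows background traffic, none of which is attributable to the sample. What remains is a direct connection to 194.59.31.149:80 with no hostname (the loader stage), the dynamic-DNS name iwarsut775laudrye2.duckdns.org resolving to 192.253.251.227 with the payload connecting on port 57484, and geoplugin.net, a public IP-geolocation API that malware commonly queries to locate the victim but that legitimate software also uses, so it is a weak indicator on its own. The row 52.142.223.178:80 has no hostname recorded and should be checked by hand before it is deployed as an indicator. The script below is an added example, not from the report: it parses the table rows as printed, splits them into strong and weak indicators using an assumed noise list, and matches them against constructed connection-log lines in an assumed `ts src dst:port proto [query=name]` format.

```python
"""Added example, not from the sandbox report: turn the Network table into
strong/weak indicators and match them against connection-log lines."""
import re

# Rows copied from the behavioral2 Network table, one per line as printed
# (Country Destination Domain Proto; the Domain column may be blank).
REPORT_ROWS = """\
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
NL 52.142.223.178:80 tcp
BG 194.59.31.149:80 194.59.31.149 tcp
US 8.8.8.8:53 iwarsut775laudrye2.duckdns.org udp
AU 192.253.251.227:57484 iwarsut775laudrye2.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

RESOLVER = "8.8.8.8"          # the sandbox's DNS resolver (Google Public DNS)
# Assumed noise list: OS/sandbox background traffic and reverse lookups.
NOISE = re.compile(r"(^|\.)(bing\.com|bing\.net|in-addr\.arpa)$", re.IGNORECASE)
# Legitimate services abused for victim geolocation: context, not an alert alone.
WEAK_DOMAINS = {"geoplugin.net"}
DYNDNS_SUFFIXES = (".duckdns.org",)


def classify_domain(domain):
    d = domain.lower()
    if not d or NOISE.search(d):
        return "noise"
    if d in WEAK_DOMAINS:
        return "weak"
    if d.endswith(DYNDNS_SUFFIXES):
        return "dyndns"
    return "strong"


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # Domain column blank
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def extract_iocs(rows):
    """Return (strong, weak) sets of ('domain', name) / ('ip:port', addr)."""
    strong, weak = set(), set()
    for r in rows:
        is_dns = r["ip"] == RESOLVER and r["port"] == 53
        if r["domain"] == r["ip"]:            # direct-to-IP, no hostname
            cls = "strong"
        elif r["domain"] == "":               # hostname not recorded: keep, weak
            cls = "weak"
        else:
            cls = classify_domain(r["domain"])
        if cls == "noise":
            continue
        bucket = weak if cls == "weak" else strong
        if is_dns:                            # a lookup: only the name matters
            bucket.add(("domain", r["domain"].lower()))
        else:
            bucket.add(("ip:port", f'{r["ip"]}:{r["port"]}'))
            if r["domain"] and r["domain"] != r["ip"]:
                bucket.add(("domain", r["domain"].lower()))
    return strong, weak


# Constructed log lines in an assumed 'ts src dst:port proto [query=name]' format.
LOG = """\
1716388000 10.0.0.15 8.8.8.8:53 udp query=iwarsut775laudrye2.duckdns.org
1716388001 10.0.0.15 192.253.251.227:57484 tcp
1716388002 10.0.0.15 178.237.33.50:80 tcp
1716388003 10.0.0.22 23.62.61.99:443 tcp
1716388004 10.0.0.22 8.8.8.8:53 udp query=www.bing.com
"""


def match_log(log_text, strong, weak):
    """(ts, src, level, indicator) for each line hitting a strong or weak IOC."""
    alerts = []
    for line in log_text.splitlines():
        ts, src, dest, _proto, *rest = line.split()
        query = rest[0][6:].lower() if rest and rest[0].startswith("query=") else ""
        keys = {("ip:port", dest)} | ({("domain", query)} if query else set())
        for level, bucket in (("strong", strong), ("weak", weak)):
            hit = keys & bucket
            if hit:
                alerts.append((ts, src, level, sorted(hit)[0][1]))
                break
    return alerts


if __name__ == "__main__":
    s, w = extract_iocs(parse_rows(REPORT_ROWS))
    for alert in match_log(LOG, s, w):
        print(alert)
```

The resolver address itself is never emitted as an indicator, only the names queried through it; a DNS hit on the duckdns name is worth more than the 192.253.251.227 address because dynamic-DNS names are repointed easily and the address will not survive long.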

Files

C:\Users\Admin\Pictures\belejrernes.lnk

MD5 74b4f5007ca19ebbad58c8ae7fadaef9
SHA1 f4622459a6dffb685a2bab7583fdb2054be47c12
SHA256 a0ef460996ac6521bb345950436edec397db28947224415effebb8f86861f1f6
SHA512 ec9c6f3dda2e9fcc1f725b51dc19a93215cd2ea11b5b92bf2832ab57369ae5ba4d2ae623ad8ff62b8ae006482eea288186844e6b0dd80b8546efbc3277f61efc

C:\Users\Admin\AppData\Local\Temp\nshE3BB.tmp\System.dll

MD5 fc3772787eb239ef4d0399680dcc4343
SHA1 db2fa99ec967178cd8057a14a428a8439a961a73
SHA256 9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed
SHA512 79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

memory/1056-290-0x0000000077CB1000-0x0000000077DD1000-memory.dmp

memory/1056-291-0x0000000010004000-0x0000000010005000-memory.dmp

memory/2516-292-0x0000000077D38000-0x0000000077D39000-memory.dmp

memory/2516-293-0x0000000077CB1000-0x0000000077DD1000-memory.dmp

memory/2516-295-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-296-0x0000000077CB1000-0x0000000077DD1000-memory.dmp

memory/2516-298-0x00000000004E4000-0x00000000004E5000-memory.dmp

memory/2516-299-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-300-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-301-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-297-0x0000000001710000-0x0000000006F6F000-memory.dmp

memory/2516-302-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-303-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-304-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-305-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-306-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-310-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-311-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-312-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-313-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-314-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-315-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-317-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-318-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-319-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-320-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-321-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-322-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-323-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-324-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/988-327-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5004-329-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3396-335-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3396-339-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3396-338-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3396-336-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5004-334-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5004-330-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5004-328-0x0000000000400000-0x0000000000462000-memory.dmp

memory/988-326-0x0000000000400000-0x0000000000478000-memory.dmp

memory/988-325-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2516-350-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-353-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/988-352-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2516-341-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-359-0x0000000038430000-0x0000000038449000-memory.dmp

memory/2516-358-0x0000000038430000-0x0000000038449000-memory.dmp

memory/2516-355-0x0000000038430000-0x0000000038449000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\civfegacpvnkrdyckf

MD5 91227a2f05c7f74f6ebd1535a3f05b7b
SHA1 1ce317a272d67e3ac284948e49e6bc0acaee2e6d
SHA256 2967c8bcad47ab6cb88bf5b60a3a75b49f471a943d33c9b69aa7bfe1b763cfd2
SHA512 9ff9f6d2fb2880812fce42b91388e8b825483bb2df0976b9c630c397fed68f3625f4ba32d65933de0018b6e18554315152a1df00c98313d19612403076079a40

memory/2516-360-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-362-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-363-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-364-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-365-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-366-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-367-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-368-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-369-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-370-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-372-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-373-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-374-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-375-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-376-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-377-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-378-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-379-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-380-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-382-0x0000000077CB1000-0x0000000077DD1000-memory.dmp

memory/2516-384-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-385-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-386-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-387-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-388-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-389-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-390-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-391-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-392-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-393-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-394-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-396-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-397-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-398-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-399-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-400-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-402-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-401-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-403-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-404-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-405-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-406-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-407-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-408-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-409-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-410-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-411-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/2516-413-0x00000000004B0000-0x0000000001704000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 14:30

Reported

2024-05-22 14:33

Platform

win7-20240508-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 14:30

Reported

2024-05-22 14:33

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3644 wrote to memory of 1144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3644 wrote to memory of 1144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3644 wrote to memory of 1144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A