Malware Analysis Report

2024-10-18 23:09

Sample ID 240522-rzckdaee78
Target f611a512d65053f68baee97be8cbda5e0539fe061032466a1937c9a1659c2791.img
SHA256 f611a512d65053f68baee97be8cbda5e0539fe061032466a1937c9a1659c2791
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f611a512d65053f68baee97be8cbda5e0539fe061032466a1937c9a1659c2791

Threat Level: Known bad

The file f611a512d65053f68baee97be8cbda5e0539fe061032466a1937c9a1659c2791.img was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 14:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 14:37

Reported

2024-05-22 14:40

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\kaleb.ini | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2416 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\skitserer.ini | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe

"C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"

C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe

"C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 magnocomx.ru.com udp

Files

C:\Windows\SysWOW64\kaleb.ini

MD5 9dfd97e7025bf54441fe6759f87e5ddf
SHA1 0f04ae6a7bc2213255fc72898f339b12bd743f24
SHA256 eea1bdc93e5a8fcbca0aea236d83b487ad2af028095a0d0107f02d397b4372fb
SHA512 08ea09b23814906f040060b46d919d45f6aee0c96b27d0baa88813bc46032c274546adb89e354b78f659c962a8588adbbd49966951e1f1b097e2484a07678f44

\Users\Admin\AppData\Local\Temp\nst1C59.tmp\System.dll

MD5 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 223bef1f19e644a610a0877d01eadc9e28299509
SHA256 f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512 d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 8ce4b16b22b58894aa86c421e8759df3
SHA1 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c
SHA256 8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a
SHA512 2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 25bc6654798eb508fa0b6343212a74fe
SHA1 15d5e1d3b948fd5986aaff7d9419b5e52c75fc93
SHA256 8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc
SHA512 5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 4e27f2226785e9abbe046fc592668860
SHA1 28b18a7f383131df509f7191f946a32c5a2e410c
SHA256 01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d
SHA512 2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 cde63b34c142af0a38cbe83791c964f8
SHA1 ece2b194b486118b40ad12c1f0e9425dd0672424
SHA256 65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d
SHA512 0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 e2fecc970546c3418917879fe354826c
SHA1 63f1c1dd01b87704a6b6c99fd9f141e0a3064f16
SHA256 ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0
SHA512 3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 50484c19f1afdaf3841a0d821ed393d2
SHA1 c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b
SHA256 6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c
SHA512 d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 67cfa7364c4cf265b047d87ff2e673ae
SHA1 56e27889277981a9b63fcf5b218744a125bbc2fa
SHA256 639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713
SHA512 17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 c3cb69218b85c3260387fb582cb518dd
SHA1 961c892ded09a4cbb5392097bb845ccba65902ad
SHA256 1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101
SHA512 2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 2b3884fe02299c565e1c37ee7ef99293
SHA1 d8e2ef2a52083f6df210109fea53860ea227af9c
SHA256 ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858
SHA512 aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

C:\Users\Admin\AppData\Local\Temp\nso2032.tmp

MD5 9a53fc1d7126c5e7c81bb5c15b15537b
SHA1 e2d13e0fa37de4c98f30c728210d6afafbb2b000
SHA256 a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92
SHA512 b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

memory/2416-841-0x0000000003800000-0x0000000004A35000-memory.dmp

memory/2416-842-0x0000000077861000-0x0000000077962000-memory.dmp

memory/2416-843-0x0000000077860000-0x0000000077A09000-memory.dmp

memory/2800-844-0x0000000077860000-0x0000000077A09000-memory.dmp

memory/2416-845-0x0000000003800000-0x0000000004A35000-memory.dmp

memory/2800-846-0x0000000000490000-0x00000000014F2000-memory.dmp

memory/2416-852-0x0000000003800000-0x0000000004A35000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 14:37

Reported

2024-05-22 14:40

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\kaleb.ini | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4476 set thread context of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\skitserer.ini | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe

"C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"

C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe

"C:\Users\Admin\AppData\Local\Temp\SCAN.AWB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp
US 8.8.8.8:53 magnocomx.ru.com udp

Files

C:\Windows\SysWOW64\kaleb.ini

MD5 9dfd97e7025bf54441fe6759f87e5ddf
SHA1 0f04ae6a7bc2213255fc72898f339b12bd743f24
SHA256 eea1bdc93e5a8fcbca0aea236d83b487ad2af028095a0d0107f02d397b4372fb
SHA512 08ea09b23814906f040060b46d919d45f6aee0c96b27d0baa88813bc46032c274546adb89e354b78f659c962a8588adbbd49966951e1f1b097e2484a07678f44

C:\Users\Admin\AppData\Local\Temp\nsk52B5.tmp

MD5 bad78a997013818e85c1091ce1f575e0
SHA1 fa7b6b576c9b365194a222dfd1d3805121544fd3
SHA256 e40f87ab67d67e6a7c1784127b0bdeaa1a053cbc50cbb8155cb469016537513d
SHA512 c2f336b68df9aa5234282eb83c042ff87a0187cbd903739bbcbedd6c30be7807d9cd40f97ccd0196d5bdc84833b796197a832687e99da48f1d370d3875bface4

C:\Users\Admin\AppData\Local\Temp\nsk52B5.tmp

MD5 e456acec0ef7fda3aef06b03bb007e2f
SHA1 a7168146dd22139e81563b24beb736179d1c8370
SHA256 73842f82df7cfef99c471c4301ef8130ddcd65d831b069b880bd71695d2bf607
SHA512 c641ae2e8961562f5fd0f2d258742b024c6564b3f3b6a1d3d642d72bf47a1d6c208055e31dc467a3ea41b7bac658bcbab6e1746daf08fe2484f0c860fb88d475

C:\Users\Admin\AppData\Local\Temp\nsk52B5.tmp

MD5 42e9d16f22a223f11084f22b94b42210
SHA1 7f4dcba6193c831687f6a1cac9b60231be8a6a1a
SHA256 0717d3c2c8ad4b25752e43514cd4352de08c51bb9a8d153beb842dd421677b91
SHA512 a965c1381a0179e1bb1600fed3065741ebacc8c1e0a73db5d0db4eddbe5a45ec42cbd489a525d5c5151f52188daf367d0740e6555d9e41c1385a2fed4b7a6ec3

C:\Users\Admin\AppData\Local\Temp\nsk52B5.tmp

MD5 11598c9bea98b902fd23f62d92e2c755
SHA1 5abf26b3891bde2c11143deac679d44d5af7dde4
SHA256 e57e26e68b9ee25d136d2b440e28ffc09be1233efac52ec2f050c098a7e8090c
SHA512 aa6045bade9bee63b80e2822d1e17ed4186202c8ba840af93f4d14dad4a2d32790e1ffd7448b4cbc8b92891967174cf70a54d2aa5957f3b266da7bb61d8f6b7c

C:\Users\Admin\AppData\Local\Temp\nsk52B6.tmp\System.dll

MD5 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1 223bef1f19e644a610a0877d01eadc9e28299509
SHA256 f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512 d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

C:\Users\Admin\AppData\Local\Temp\nsa53B1.tmp

MD5 a24188ce6d4a713d3508b4c0ec4860ff
SHA1 1e4b331b57d9d633687b5ecdaf35b0ab55c72e44
SHA256 0910aef0152e26373651bd0550d8d61e3f1e72820e69c3fec56ae50cd225a493
SHA512 427e9635aed314bb5e5b90ba32c55d78922b3ba8276bc185889e3d3c635925c9148e1bf12d289b0a3c0fc8bbbe78b52f223d550d39b67682f2007b625db0331e

C:\Users\Admin\AppData\Local\Temp\nsa53B1.tmp

MD5 f302a24fc452fd85d13ad30a272d6f35
SHA1 3b9153f575b70084ae04fd55d5c86169eaa60916
SHA256 2edbbfdef57bac60adc902d6bd15abb9c3e044c0f660c9a63135d37ac0f6c63a
SHA512 477c3efa5d2bf5ef6ac57a0dc190014f98ff0bd1181106edff7b0db01d58b7f0d8c6eb77266202249f035cc056a726bfd7abdc2e0d672aadc9a45ed29d4b1bd0

C:\Users\Admin\AppData\Local\Temp\nsa53B1.tmp

MD5 d5c1c43dcbca7900a2751441b73a1402
SHA1 2ad884601eb948b72f2e980a05e6c05bfc4f04d7
SHA256 334995ac57ad095abcfa5ba0e9216285fc87f9026ea3ef2c67a42d1ed7ddf855
SHA512 1627d2cd136c30ba55dd3a336c05f20f90432bb0340ee75d2782328e2edc45e1213f9a315f7b5b61ce5340412f88109d5d13c833116835c3251d1751fce8854c

C:\Users\Admin\AppData\Local\Temp\nsa53B1.tmp

MD5 3e930ca30f900b15da4ef96902f9b347
SHA1 92c4cd5b76b9be895152fdb3adcd165192daa552
SHA256 688f5bdbcde116a168af5f0ea57296f14181abe8fb92292eaf11febd498e3d42
SHA512 40bcbeea8dcf22201d275e68be32deadc953a2383f11788947d10aabf4469d61d8e3b86ded7e7369a9d413974d90e628aa1a4a6e6bc2b60c2de20bbd896fd489

C:\Users\Admin\AppData\Local\Temp\nsa544E.tmp

MD5 25bc6654798eb508fa0b6343212a74fe
SHA1 15d5e1d3b948fd5986aaff7d9419b5e52c75fc93
SHA256 8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc
SHA512 5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

C:\Users\Admin\AppData\Local\Temp\nsa544E.tmp

MD5 4e27f2226785e9abbe046fc592668860
SHA1 28b18a7f383131df509f7191f946a32c5a2e410c
SHA256 01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d
SHA512 2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

C:\Users\Admin\AppData\Local\Temp\nsq55E5.tmp

MD5 8ce4b16b22b58894aa86c421e8759df3
SHA1 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c
SHA256 8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a
SHA512 2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

C:\Users\Admin\AppData\Local\Temp\nsq55E5.tmp

MD5 e2fecc970546c3418917879fe354826c
SHA1 63f1c1dd01b87704a6b6c99fd9f141e0a3064f16
SHA256 ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0
SHA512 3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

C:\Users\Admin\AppData\Local\Temp\nsq55E5.tmp

MD5 c3cb69218b85c3260387fb582cb518dd
SHA1 961c892ded09a4cbb5392097bb845ccba65902ad
SHA256 1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101
SHA512 2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

C:\Users\Admin\AppData\Local\Temp\nsq55E5.tmp

MD5 6c66825018fd508f24a7fbadc1423e82
SHA1 70106bab899e783bdfa308a20ef827c54bcd56d9
SHA256 00cbd644d8124cab4ffd5db46f360b0eed2e59c414d6812f5945b20c83e6be39
SHA512 d387ba4b54b42c8992c693551e098580ad6fcbfebfd0c074ebd9e49cd1cf6c02344193cbceb6981052fba4ef0444180874b82c00af5d3e10e6b63c0fec6f3603

C:\Users\Admin\AppData\Local\Temp\nsb575D.tmp

MD5 4957153fabb445fb18c9ebc9c311f34d
SHA1 d12d7a2c8a4b61bae681b19b9a07a06a0d0d4632
SHA256 fbaa92d310219f370662dbcb3d8023c007b4786d0bf979228690d4df2cf89c91
SHA512 4c0ee80abbe5748e3b794982585dc819c57f59429ef47ab628a801d05752daea92e7ef97088556b5411a49e8724157ee748a0e40c3efc0962927783fc1a44cd9

C:\Users\Admin\AppData\Local\Temp\nsb575D.tmp

MD5 f15bfdebb2df02d02c8491bde1b4e9bd
SHA1 93bd46f57c3316c27cad2605ddf81d6c0bde9301
SHA256 c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
SHA512 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

memory/4476-839-0x0000000004320000-0x0000000005555000-memory.dmp

memory/4476-840-0x00000000773C1000-0x00000000774E1000-memory.dmp

memory/4476-841-0x0000000010004000-0x0000000010005000-memory.dmp

memory/4968-842-0x00000000016F0000-0x0000000002925000-memory.dmp

memory/4476-843-0x0000000004320000-0x0000000005555000-memory.dmp

memory/4968-844-0x0000000077448000-0x0000000077449000-memory.dmp

memory/4968-845-0x0000000000490000-0x00000000016E4000-memory.dmp

memory/4968-847-0x00000000016F0000-0x0000000002925000-memory.dmp

memory/4968-848-0x00000000773C1000-0x00000000774E1000-memory.dmp

memory/4476-853-0x0000000004320000-0x0000000005555000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 14:37

Reported

2024-05-22 14:40

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 14:37

Reported

2024-05-22 14:40

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2420 wrote to memory of 3188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 3188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 3188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3188 -ip 3188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A