Malware Analysis Report

2024-10-18 23:09

Sample ID 240522-wn6rasbc2w
Target jpgcamscanner_20240521_0072345_JPEG.bat.exe
SHA256 05df6f3430171cb7db9fa5f6782b8f67b14079b6e1dffbb013c33ca91b1ad5d3
Tags
agenttesla guloader downloader keylogger spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

05df6f3430171cb7db9fa5f6782b8f67b14079b6e1dffbb013c33ca91b1ad5d3

Threat Level: Known bad

The file jpgcamscanner_20240521_0072345_JPEG.bat.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla guloader downloader keylogger spyware stealer trojan

AgentTesla

Guloader, Cloudeye

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 18:05

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 18:05

Reported

2024-05-22 18:07

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 1312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1312 -ip 1312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 612

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 18:05

Reported

2024-05-22 18:07

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 2000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 18:05

Reported

2024-05-22 18:07

Platform

win7-20240419-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 18:05

Reported

2024-05-22 18:07

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 240

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 18:05

Reported

2024-05-22 18:07

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 368 wrote to memory of 1144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 368 wrote to memory of 1144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 368 wrote to memory of 1144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 636

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 18:05

Reported

2024-05-22 18:07

Platform

win7-20240221-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Guloader, Cloudeye

downloader guloader

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1744 set thread context of 2792 N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe

"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"

C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe

"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 veysiseker.com udp
US 192.250.227.27:80 veysiseker.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsd3322.tmp\BgImage.dll

MD5 143c1b18ccd1ab2ceed02caf0e06ef8a
SHA1 b59d780e0a85f816b41aa657d4a643d77bd20a99
SHA256 8920afae5d9c06f6ba1f254a1e32ac2acfb0fdb11ab2158cfe880a191045e3d7
SHA512 91bd09610679224a7774044b16054721567385d3faa241e72b51f27ef660870f7282e887016df492d5b3ab3b6d9c130e036258c4f27d5ca4cc3a12b76ff71b39

\Users\Admin\AppData\Local\Temp\nsd3322.tmp\nsDialogs.dll

MD5 eac1c3707970fe7c71b2d760c34763fa
SHA1 f275e659ad7798994361f6ccb1481050aba30ff8
SHA256 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3
SHA512 3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

\Users\Admin\AppData\Local\Temp\nsd3322.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 18:05

Reported

2024-05-22 18:07

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Guloader, Cloudeye

downloader guloader

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4744 set thread context of 832 N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe

"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"

C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe

"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\nseCF67.tmp\BgImage.dll

MD5 143c1b18ccd1ab2ceed02caf0e06ef8a
SHA1 b59d780e0a85f816b41aa657d4a643d77bd20a99
SHA256 8920afae5d9c06f6ba1f254a1e32ac2acfb0fdb11ab2158cfe880a191045e3d7
SHA512 91bd09610679224a7774044b16054721567385d3faa241e72b51f27ef660870f7282e887016df492d5b3ab3b6d9c130e036258c4f27d5ca4cc3a12b76ff71b39

C:\Users\Admin\AppData\Local\Temp\nseCF67.tmp\nsDialogs.dll

MD5 eac1c3707970fe7c71b2d760c34763fa
SHA1 f275e659ad7798994361f6ccb1481050aba30ff8
SHA256 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3
SHA512 3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

C:\Users\Admin\AppData\Local\Temp\nseCF67.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e


Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 18:05

Reported

2024-05-22 18:07

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3552 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3552 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Network


Files

N/A