Analysis Overview
SHA256
05df6f3430171cb7db9fa5f6782b8f67b14079b6e1dffbb013c33ca91b1ad5d3
Threat Level: Known bad
The file jpgcamscanner_20240521_0072345_JPEG.bat.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Guloader,Cloudeye
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 18:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 18:05
Reported
2024-05-22 18:07
Platform
win10v2004-20240508-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 1312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2240 wrote to memory of 1312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2240 wrote to memory of 1312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1312 -ip 1312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 18:05
Reported
2024-05-22 18:07
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2912 wrote to memory of 2000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2912 wrote to memory of 2000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2912 wrote to memory of 2000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2912 wrote to memory of 2000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2912 wrote to memory of 2000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2912 wrote to memory of 2000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2912 wrote to memory of 2000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 18:05
Reported
2024-05-22 18:07
Platform
win7-20240419-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 220
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 18:05
Reported
2024-05-22 18:07
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 240
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 18:05
Reported
2024-05-22 18:07
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 368 wrote to memory of 1144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 368 wrote to memory of 1144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 368 wrote to memory of 1144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1144 -ip 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 18:05
Reported
2024-05-22 18:07
Platform
win7-20240221-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
AgentTesla
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1744 set thread context of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe
"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"
C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe
"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | veysiseker.com | udp |
| US | 192.250.227.27:80 | veysiseker.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsd3322.tmp\BgImage.dll
| MD5 | 143c1b18ccd1ab2ceed02caf0e06ef8a |
| SHA1 | b59d780e0a85f816b41aa657d4a643d77bd20a99 |
| SHA256 | 8920afae5d9c06f6ba1f254a1e32ac2acfb0fdb11ab2158cfe880a191045e3d7 |
| SHA512 | 91bd09610679224a7774044b16054721567385d3faa241e72b51f27ef660870f7282e887016df492d5b3ab3b6d9c130e036258c4f27d5ca4cc3a12b76ff71b39 |
\Users\Admin\AppData\Local\Temp\nsd3322.tmp\nsDialogs.dll
| MD5 | eac1c3707970fe7c71b2d760c34763fa |
| SHA1 | f275e659ad7798994361f6ccb1481050aba30ff8 |
| SHA256 | 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3 |
| SHA512 | 3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09 |
\Users\Admin\AppData\Local\Temp\nsd3322.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
memory/1744-34-0x0000000004150000-0x0000000005820000-memory.dmp
memory/1744-35-0x0000000077941000-0x0000000077A42000-memory.dmp
memory/1744-36-0x0000000077940000-0x0000000077AE9000-memory.dmp
memory/2792-37-0x0000000077940000-0x0000000077AE9000-memory.dmp
memory/2792-38-0x0000000000470000-0x00000000014D2000-memory.dmp
memory/1744-39-0x0000000004150000-0x0000000005820000-memory.dmp
memory/2792-40-0x0000000000470000-0x00000000004B2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 18:05
Reported
2024-05-22 18:07
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
AgentTesla
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4744 set thread context of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4744 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe |
| PID 4744 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe |
| PID 4744 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe |
| PID 4744 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe |
| PID 4744 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe | C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe
"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"
C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe
"C:\Users\Admin\AppData\Local\Temp\jpgcamscanner_20240521_0072345_JPEG.bat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | veysiseker.com | udp |
| US | 192.250.227.27:80 | veysiseker.com | tcp |
| US | 8.8.8.8:53 | 27.227.250.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nseCF67.tmp\BgImage.dll
| MD5 | 143c1b18ccd1ab2ceed02caf0e06ef8a |
| SHA1 | b59d780e0a85f816b41aa657d4a643d77bd20a99 |
| SHA256 | 8920afae5d9c06f6ba1f254a1e32ac2acfb0fdb11ab2158cfe880a191045e3d7 |
| SHA512 | 91bd09610679224a7774044b16054721567385d3faa241e72b51f27ef660870f7282e887016df492d5b3ab3b6d9c130e036258c4f27d5ca4cc3a12b76ff71b39 |
C:\Users\Admin\AppData\Local\Temp\nseCF67.tmp\nsDialogs.dll
| MD5 | eac1c3707970fe7c71b2d760c34763fa |
| SHA1 | f275e659ad7798994361f6ccb1481050aba30ff8 |
| SHA256 | 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3 |
| SHA512 | 3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09 |
C:\Users\Admin\AppData\Local\Temp\nseCF67.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
memory/4744-30-0x0000000004C20000-0x00000000062F0000-memory.dmp
memory/4744-31-0x00000000779F1000-0x0000000077B11000-memory.dmp
memory/4744-32-0x0000000074854000-0x0000000074855000-memory.dmp
memory/832-33-0x00000000016D0000-0x0000000002DA0000-memory.dmp
memory/832-34-0x0000000077A78000-0x0000000077A79000-memory.dmp
memory/4744-35-0x0000000004C20000-0x00000000062F0000-memory.dmp
memory/832-36-0x0000000077A95000-0x0000000077A96000-memory.dmp
memory/832-37-0x0000000000470000-0x00000000016C4000-memory.dmp
memory/4744-38-0x0000000004C20000-0x00000000062F0000-memory.dmp
memory/832-39-0x0000000000470000-0x00000000004B2000-memory.dmp
memory/832-40-0x0000000035680000-0x0000000035C24000-memory.dmp
memory/832-41-0x00000000355A0000-0x0000000035606000-memory.dmp
memory/832-43-0x0000000036480000-0x00000000364D0000-memory.dmp
memory/832-44-0x00000000364E0000-0x0000000036572000-memory.dmp
memory/832-45-0x00000000365A0000-0x00000000365AA000-memory.dmp
memory/832-46-0x00000000016D0000-0x0000000002DA0000-memory.dmp
memory/832-48-0x00000000779F1000-0x0000000077B11000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 18:05
Reported
2024-05-22 18:07
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| SE | 192.229.221.95:80 | tcp |