Malware Analysis Report

2024-10-18 23:09

Sample ID 240522-wr28aabd4w
Target PO874530040021 YIKANG INQUIRY.com.exe
SHA256 b4834413f9bedbc2d64ba07d1401e4d1eb44a54adbca90bb79fc67bf03fa4ab5
Tags guloader, downloader
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 b4834413f9bedbc2d64ba07d1401e4d1eb44a54adbca90bb79fc67bf03fa4ab5

Threat Level: Known bad

The file PO874530040021 YIKANG INQUIRY.com.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader, Cloudeye

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 18:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

Tags installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

win7-20240221-en

Max time kernel

22s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\overanalysis\Nonmercenaries39.ini C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe

"C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst8A56.tmp\nsDialogs.dll

MD5 eb2c74e05b30b29887b3219f4ea3fdab
SHA1 91173d46b34e7bae57acabdbd239111b5bcc4d9e
SHA256 d253ca5aba34b925796777893f114cc741b015af7868022ab1db2341288c55ed
SHA512 1bb035260223ec585170f891c2624b9ae98671f225e74b913b40bb77b66e3b9c2016037bc8e4b0ae16367d82590a60a0a3bd95d05139ea2454f02020d1b54dae

\Users\Admin\AppData\Local\Temp\nst8A56.tmp\UserInfo.dll

MD5 035bdb470a6807313bd005bd98341ffc
SHA1 5017d1e5a23f1c64594f737e6fccd519729c3b3e
SHA256 26fa900e3426b4dd272707e1aaf428b5ee06bdc2cc2bbaecdab6b54f11f38f27
SHA512 f888baed5267b05b13722e839634254393aa99b2adf1a2ae6e799d3a901665e7ebda0fa1202db20a6765a8aff58e2ed6f4e822028be426db732eb10ec783aa05

C:\Users\Public\Desktop\polres.lnk

MD5 d7383304fa565aaf39be92b5b4927ed5
SHA1 45013acc35f206a7e46f67f517d53870b72ffd76
SHA256 f47406223f2e209a0a48cca097906c98e3880159764ae100bc92f4344a643801
SHA512 cb903de5c8cec33c140dbcf7aa5f61301183113dbd7831c3ad86e81c5bce4de2a255a48c3b3ddbbd41c1fab5881b4cd56476bca3eeb871c80ab280bc5ccc72e7

\Users\Admin\AppData\Local\Temp\nst8A56.tmp\System.dll

MD5 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3
SHA1 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4
SHA256 d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57
SHA512 cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8

memory/1308-380-0x0000000004EB0000-0x000000000651D000-memory.dmp

memory/1308-381-0x0000000004EB0000-0x000000000651D000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

win7-20231129-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

114s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 2536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1472 wrote to memory of 2536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1472 wrote to memory of 2536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2536 -ip 2536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 240

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe"

Signatures

Guloader, Cloudeye

Tags downloader, guloader

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4088 set thread context of 2324 N/A C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\overanalysis\Nonmercenaries39.ini C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe N/A
File opened for modification C:\Windows\Fonts\Anthidium.Sel114 C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe

"C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe"

C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe

"C:\Users\Admin\AppData\Local\Temp\PO874530040021 YIKANG INQUIRY.com.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
TH 38.15.131.137:80 tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsx59AA.tmp\nsDialogs.dll

MD5 eb2c74e05b30b29887b3219f4ea3fdab
SHA1 91173d46b34e7bae57acabdbd239111b5bcc4d9e
SHA256 d253ca5aba34b925796777893f114cc741b015af7868022ab1db2341288c55ed
SHA512 1bb035260223ec585170f891c2624b9ae98671f225e74b913b40bb77b66e3b9c2016037bc8e4b0ae16367d82590a60a0a3bd95d05139ea2454f02020d1b54dae

C:\Users\Admin\AppData\Local\Temp\nsx59AA.tmp\UserInfo.dll

MD5 035bdb470a6807313bd005bd98341ffc
SHA1 5017d1e5a23f1c64594f737e6fccd519729c3b3e
SHA256 26fa900e3426b4dd272707e1aaf428b5ee06bdc2cc2bbaecdab6b54f11f38f27
SHA512 f888baed5267b05b13722e839634254393aa99b2adf1a2ae6e799d3a901665e7ebda0fa1202db20a6765a8aff58e2ed6f4e822028be426db732eb10ec783aa05

C:\Users\Public\Desktop\polres.lnk

MD5 d8282e5f6dbd0c2921c52069562e22b3
SHA1 6062e6a0dbf08b79b83301aaa4f47b30e9b24406
SHA256 81234a2404ceb2c66339a7f87083edd7781e5dd75ed90166a036befb04050472
SHA512 6a2954e3e15a7027d9ec206997f4db70c8eaa0e2b4c067e2b681191b405613d54ce861a97090c025d7e0a223c68635d7869c74e317d53edb724b0320eccde875

C:\Users\Admin\AppData\Local\Temp\nsx59AA.tmp\System.dll

MD5 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3
SHA1 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4
SHA256 d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57
SHA512 cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8

memory/4088-376-0x0000000005EE0000-0x000000000754D000-memory.dmp

memory/4088-377-0x0000000077101000-0x0000000077221000-memory.dmp

memory/4088-378-0x0000000073F64000-0x0000000073F65000-memory.dmp

memory/2324-379-0x00000000016D0000-0x0000000002D3D000-memory.dmp

memory/4088-380-0x0000000005EE0000-0x000000000754D000-memory.dmp

memory/2324-381-0x0000000077188000-0x0000000077189000-memory.dmp

memory/2324-382-0x00000000771A5000-0x00000000771A6000-memory.dmp

memory/2324-383-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2324-384-0x00000000016D0000-0x0000000002D3D000-memory.dmp

memory/2324-386-0x0000000077101000-0x0000000077221000-memory.dmp

memory/4088-391-0x0000000005EE0000-0x000000000754D000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

112s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 1668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 1668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 1668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1668 -ip 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-22 18:10

Reported

2024-05-22 18:12

Platform

macos-20240410-en

Max time kernel

141s

Max time network

147s

Command Line

[sh -c sudo /bin/zsh -c "open /Users/run/Spadestrens/retouchr.app"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Users/run/Spadestrens/retouchr.app"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Users/run/Spadestrens/retouchr.app"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Users/run/Spadestrens/retouchr.app]

/bin/zsh

[/bin/zsh -c open /Users/run/Spadestrens/retouchr.app]

/usr/bin/open

[open /Users/run/Spadestrens/retouchr.app]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0BF23177/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.73.27:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 151.101.67.6:443 tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
US 23.220.113.166:443 help.apple.com tcp
US 23.220.113.166:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

N/A