Malware Analysis Report

2024-10-19 11:02

Sample ID 240524-y4lgeaab29
Target SpySheriff.zip
SHA256 d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d
Tags
adware stealer discovery evasion persistence spyware trojan aspackv2
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral1, behavioral9, behavioral20, behavioral3, behavioral32, behavioral4, behavioral8, behavioral14, behavioral15, behavioral18, behavioral22, behavioral2, behavioral5, behavioral6, behavioral19, behavioral16, behavioral26, behavioral27, behavioral10, behavioral11, behavioral12, behavioral17, behavioral23, behavioral24, behavioral7, behavioral21, behavioral30, behavioral31, behavioral13, behavioral25, behavioral28, behavioral29 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

d16dddc1e9ad69c5ef67afd93eb801c74ca5b95ec8b46741786c8c8ec47b1b1d

Threat Level: Known bad

The file SpySheriff.zip was found to be: Known bad.

Malicious Activity Summary

adware stealer discovery evasion persistence spyware trojan aspackv2

Modifies WinLogon for persistence

Modifies AppInit DLL entries

Reads user/profile data of web browsers

Checks computer location settings

ASPack v2.12-2.42

Modifies system executable filetype association

Checks BIOS information in registry

Enumerates connected drives

Adds Run key to start application

Checks installed software on the system

Installs/modifies Browser Helper Object

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-24 20:20

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:21

Platform

win7-20240508-en

Max time kernel

15s

Max time network

18s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SpySheriff.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SpySheriff.zip

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20231129-en

Max time kernel

120s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\SpySheriff.dvm

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\dvm_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.dvm C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.dvm\ = "dvm_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\dvm_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\dvm_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\dvm_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\dvm_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\dvm_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\SpySheriff.dvm

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SpySheriff.dvm

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SpySheriff.dvm"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b8e37d141d6d99dc6a22b02c0ab153f9
SHA1 5ca3e7bc9d2c6a8eba76480067dafaa4341ee9f7
SHA256 b71e33e665d965cf4cec9b93fe4d75ef9934bc42e904faeb9d5b62a08b38e6e0
SHA512 7d9ac5616445f0a1ae70df8f048a16eb1c8af95260c4bff90e6aa182f957ef043454c0546d85f6980920bb4ec226e9574d99950a0bebf21e887ba367a1ace1a6

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

162s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\base002.avd

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\base002.avd

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B85BB239-F685-4547-B0AC-E8835CD8ED24} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ = "OneSecurity" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CurVer\ = "OneSecurity.IESecurity.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\VersionIndependentProgID\ = "OneSecurity.IESecurity" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESecurity.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CLSID\ = "{B85BB239-F685-4547-B0AC-E8835CD8ED24}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ = "IGopher" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\ = "SpywareNo IE Security 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ProgID\ = "OneSecurity.IESecurity.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ = "IGopher" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\CLSID\ = "{B85BB239-F685-4547-B0AC-E8835CD8ED24}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESecurity.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 1196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 1196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 1196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 1196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 1196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 1196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 1196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

Network

N/A

Files

memory/1196-0-0x0000000010000000-0x0000000010207000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240426-en

Max time kernel

132s

Max time network

105s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\notfound.wav"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\notfound.wav"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\notfound.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 wmploc.dll udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 74.196.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 aedbc31504c01d8200b619ca711b6e9d
SHA1 5528aefa3493c74855b1a4160c8b7bcb08257d7b
SHA256 63f039f13c589b40281aa826ba12c930a36de6d6377cbcb35d2147ebdd697539
SHA512 3e680b5da6bee4ec99b31abb1d712e1b8fb102b045538223575b75b246cd538469d2e7a35d1928f5036d7e0a8deca3d55f5ba62f95340576590616f5351337bf

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 563088ad0f20fabf9dd62c6ba8ae1636
SHA1 f9cd2fd153afa1a12ff990cf27c32b8c9c44e878
SHA256 eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184
SHA512 8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

132s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B85BB239-F685-4547-B0AC-E8835CD8ED24} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ = "OneSecurity" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\CLSID\ = "{B85BB239-F685-4547-B0AC-E8835CD8ED24}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ProgID\ = "OneSecurity.IESecurity.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESecurity.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CurVer\ = "OneSecurity.IESecurity.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\VersionIndependentProgID\ = "OneSecurity.IESecurity" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ = "IGopher" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ = "IGopher" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CLSID\ = "{B85BB239-F685-4547-B0AC-E8835CD8ED24}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ = "One Security IE Security Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\ = "SpywareNo IE Security 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EEAFD15-6A8A-4957-8932-259100D9C18B}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B85BB239-F685-4547-B0AC-E8835CD8ED24}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESecurity.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\TypeLib\ = "{4EEAFD15-6A8A-4957-8932-259100D9C18B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E81A8BAF-B19C-4857-9A78-26419429134D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\OneSecurity.IESecurity C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 2940 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\IESecurity.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3124,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2940-0-0x0000000010000000-0x0000000010207000-memory.dmp

memory/2940-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ReadME.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ReadME.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240220-en

Max time kernel

121s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\base.avd

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\avd_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.avd\ = "avd_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\avd_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\avd_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\avd_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.avd C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\avd_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\avd_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\base.avd

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\base.avd

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\base.avd"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f0d959b73222959c3c431ccbd08e2389
SHA1 458b5cf957805636b14ffff7cf30f6a7c1b7e2e5
SHA256 3034b6a554d02dc53409d58018a863ea4f0acf5173792ac6bc2340e527bce349
SHA512 d9b185b47eec084932cc2e56a1e7abe8f102adb1af484402c566c40d21f6b32016789abaa4e59c0d3d2039f42a0194cc89f696c6599a356d60ef2119b2b85dab

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\base001.avd

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\base001.avd

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
BE 2.17.196.106:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

109s

Command Line

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\found.wav"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Processes

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\found.wav"

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\found.wav"

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

Network

Country Destination Domain Proto
US 8.8.8.8:53 wmploc.dll udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 7fb801d8748e94c66175111552cf7716
SHA1 3c1a1fcfe97bb160acaf5670ea16b6ac25b2a8cd
SHA256 585f7ab8acd642978cb063667a510698c98a338cde0daa1a6a5aab3f36a76ff2
SHA512 b4dc80aca071d6934597d37c148fc64ab15de179a14d3144fe1ce07fa2808a81e093d69c0751500646b227d78bdc526ce9ae287edda4cc8fff13985ed85ec9ce

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 adbd8353954edbe5e0620c5bdcad4363
SHA1 aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6
SHA256 64eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55
SHA512 87bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SpySheriff.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SpySheriff.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:21

Platform

win7-20240508-en

Max time kernel

43s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 372 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 372 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 372 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProcMon.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\base002.avd

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.avd\ = "avd_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\avd_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\avd_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\avd_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\avd_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\avd_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.avd C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\avd_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\base002.avd

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\base002.avd

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\base002.avd"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 1ea3c4a4636e56f86a950ff80ad6ee70
SHA1 51649991817e7e089f12805a361442180a625350
SHA256 ae16d51129df39ca7931cc11edea7be7ec575093170a47b9cc39f01fb80b3635
SHA512 1c5371a29aeb17babb24207a50c3f09675c03be89054a84c9bcfeb227f77d42ba79354303224f4a5aa81172be47d1969040916ad1d076daf0abce883ef28298b

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

107s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\base.avd

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\base.avd

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 4368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 4368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 4368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4368 wrote to memory of 2120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4368 wrote to memory of 2120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4368 wrote to memory of 2120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32 /u iesplugin.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4368-0-0x0000000010000000-0x0000000010026000-memory.dmp

memory/4368-1-0x0000000000BA0000-0x0000000000BCC000-memory.dmp

memory/4368-2-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/4368-10-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/4368-9-0x0000000001080000-0x0000000001081000-memory.dmp

memory/4368-8-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/4368-7-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/4368-11-0x00000000010B0000-0x00000000010B1000-memory.dmp

memory/4368-12-0x00000000010D0000-0x00000000010D1000-memory.dmp

memory/4368-6-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/4368-5-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/4368-4-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/4368-3-0x0000000000B00000-0x0000000000B01000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240220-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Nail.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Nail.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Nail.exe C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

Network

N/A

Files

memory/2892-0-0x0000000010000000-0x0000000010023000-memory.dmp

memory/2892-1-0x000000001000A000-0x000000001000B000-memory.dmp

memory/2892-7-0x0000000010000000-0x0000000010023000-memory.dmp

memory/2892-6-0x0000000010000000-0x0000000010023000-memory.dmp

memory/2892-5-0x0000000010000000-0x0000000010023000-memory.dmp

memory/2892-4-0x0000000010000000-0x0000000010023000-memory.dmp

memory/2892-3-0x0000000010000000-0x0000000010023000-memory.dmp

memory/2892-2-0x0000000010000000-0x0000000010023000-memory.dmp

memory/2892-8-0x0000000010000000-0x0000000010023000-memory.dmp

memory/2892-9-0x0000000010000000-0x0000000010023000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:22

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

97s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\SpySheriff.dvm

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\SpySheriff.dvm

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:21

Platform

win7-20240419-en

Max time kernel

71s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\SpySheriff = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SpySheriff.exe" C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\Microsoft\Internet Explorer\Search C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00C6D95F-329C-409a-81D7-C46C66EA7F33}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe

"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpySheriff\SpySheriff.lnk

MD5 0760609329cdfb48eda99f6106369cd1
SHA1 74833897b9778b3c37d8c08e67dd480d2471fcf4
SHA256 54a573671667e1d68fd92b529b128dd05a08b53d7d8e4dd417c93fbe84068003
SHA512 b1f8ca194f903b5d53f540d7639becc4ecb9855578e00a88f8c76be493601797f30e7580bc2e06cd7bda106a014d32aaa47f9dae6338326b3597b7271e654cc4


Analysis: behavioral12

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:21

Platform

win10v2004-20240508-en

Max time kernel

63s

Max time network

67s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpySheriff = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SpySheriff.exe" C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Search C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe

"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp

Files

C:\SpySheriff.lnk

MD5 cd1199d77238d2da6d3ace69ac49540e
SHA1 f6ef362acfec7e41d5f379b661f920eaf898c600
SHA256 bf3f1c884d5ea1d8b4f1ba764e9033ca8a2e7c9e15b595f8cf44b8a174cac4b1
SHA512 502cd2117789bc45796d4a87716c4718a5862dba994f8e9317ac22360a98fadb104c467d96c9974df304cbf65d27f52c011d57e9b80ddc721141c2c2dc619c40

memory/4856-8-0x000000001FB30000-0x000000001FB56000-memory.dmp

memory/4856-7-0x000000001E840000-0x000000001E868000-memory.dmp

memory/4856-9-0x0000000021010000-0x0000000021033000-memory.dmp

memory/4856-10-0x0000000021AE0000-0x0000000021B04000-memory.dmp

memory/4856-6-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4856-12-0x000000001E840000-0x000000001E868000-memory.dmp

memory/4856-11-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4856-22-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4856-26-0x0000000021AE0000-0x0000000021B04000-memory.dmp

memory/4856-25-0x0000000021010000-0x0000000021033000-memory.dmp

memory/4856-24-0x000000001FB30000-0x000000001FB56000-memory.dmp

memory/4856-23-0x000000001E840000-0x000000001E868000-memory.dmp

memory/4856-32-0x0000000000400000-0x0000000001400000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\base001.avd

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\avd_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\avd_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\avd_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.avd C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.avd\ = "avd_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\avd_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\avd_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\avd_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\base001.avd

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\base001.avd

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\base001.avd"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 61e2eb400f0fdcead733cfc7724a02f2
SHA1 62b21ae61f95b7823d031f09e3079ba0bd33f828
SHA256 daced6779687734c943bb61ce5c1316f91dbadf28dc40ffc5c96fb0a8c5f2d00
SHA512 94d3693f0253e95418ae1c74d89dcf4890181a65a6a7ea87b42e459d4f2f6e40c5a8565c339e28692c98061332a48e5b8976d6cb42101b02a63abcee6dd676f5

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240215-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

Network

N/A

Files

memory/2640-1-0x000000001000F000-0x0000000010010000-memory.dmp

memory/2640-0-0x0000000010000000-0x0000000010028000-memory.dmp

memory/2640-4-0x0000000010000000-0x0000000010028000-memory.dmp

memory/2640-3-0x0000000010000000-0x0000000010028000-memory.dmp

memory/2640-2-0x0000000010000000-0x0000000010028000-memory.dmp

memory/2640-5-0x0000000010000000-0x0000000010028000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur000.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4384-0-0x0000000010000000-0x0000000010028000-memory.dmp

memory/4384-1-0x0000000002B30000-0x0000000002B5C000-memory.dmp

memory/4384-2-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

memory/4384-7-0x0000000001220000-0x0000000001221000-memory.dmp

memory/4384-6-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/4384-4-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

memory/4384-5-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/4384-3-0x0000000001130000-0x0000000001131000-memory.dmp

memory/4384-9-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

memory/4384-10-0x0000000001140000-0x0000000001141000-memory.dmp

memory/4384-8-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/4384-11-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

memory/4384-12-0x0000000002D00000-0x0000000002D01000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ReadME.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ReadME.txt

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240508-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\found.wav"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\found.wav"

Network

N/A

Files

memory/1728-6-0x000007FEFA630000-0x000007FEFA664000-memory.dmp

memory/1728-5-0x000000013F4E0000-0x000000013F5D8000-memory.dmp

memory/1728-8-0x000007FEFB2A0000-0x000007FEFB2B8000-memory.dmp

memory/1728-10-0x000007FEF7EB0000-0x000007FEF7EC1000-memory.dmp

memory/1728-7-0x000007FEF5EB0000-0x000007FEF6166000-memory.dmp

memory/1728-11-0x000007FEF7090000-0x000007FEF70A7000-memory.dmp

memory/1728-9-0x000007FEFAE10000-0x000007FEFAE27000-memory.dmp

memory/1728-12-0x000007FEF7070000-0x000007FEF7081000-memory.dmp

memory/1728-13-0x000007FEF7050000-0x000007FEF706D000-memory.dmp

memory/1728-14-0x000007FEF6690000-0x000007FEF66A1000-memory.dmp

memory/1728-15-0x000007FEF5CA0000-0x000007FEF5EAB000-memory.dmp

memory/1728-17-0x000007FEF65A0000-0x000007FEF65E1000-memory.dmp

memory/1728-20-0x000007FEF6560000-0x000007FEF6571000-memory.dmp

memory/1728-19-0x000007FEF6580000-0x000007FEF6598000-memory.dmp

memory/1728-18-0x000007FEF6660000-0x000007FEF6681000-memory.dmp

memory/1728-21-0x000007FEF6540000-0x000007FEF6551000-memory.dmp

memory/1728-22-0x000007FEF6520000-0x000007FEF6531000-memory.dmp

memory/1728-23-0x000007FEF6500000-0x000007FEF651B000-memory.dmp

memory/1728-24-0x000007FEF64E0000-0x000007FEF64F1000-memory.dmp

memory/1728-27-0x000007FEF4B30000-0x000007FEF4B97000-memory.dmp

memory/1728-26-0x000007FEF4BA0000-0x000007FEF4BD0000-memory.dmp

memory/1728-28-0x000007FEF4AB0000-0x000007FEF4B2C000-memory.dmp

memory/1728-25-0x000007FEF4BD0000-0x000007FEF4BE8000-memory.dmp

memory/1728-29-0x000007FEF4A90000-0x000007FEF4AA1000-memory.dmp

memory/1728-30-0x000007FEF4A30000-0x000007FEF4A87000-memory.dmp

memory/1728-33-0x000007FEF49B0000-0x000007FEF49C8000-memory.dmp

memory/1728-40-0x000007FEF4660000-0x000007FEF4672000-memory.dmp

memory/1728-39-0x000007FEF4680000-0x000007FEF4691000-memory.dmp

memory/1728-38-0x000007FEF4720000-0x000007FEF474F000-memory.dmp

memory/1728-37-0x000007FEFAF30000-0x000007FEFAF40000-memory.dmp

memory/1728-36-0x000007FEF4940000-0x000007FEF4952000-memory.dmp

memory/1728-35-0x000007FEF4960000-0x000007FEF4971000-memory.dmp

memory/1728-34-0x000007FEF4980000-0x000007FEF49A3000-memory.dmp

memory/1728-32-0x000007FEF49D0000-0x000007FEF49F4000-memory.dmp

memory/1728-31-0x000007FEF4A00000-0x000007FEF4A28000-memory.dmp

memory/1728-42-0x000007FEF44C0000-0x000007FEF44D3000-memory.dmp

memory/1728-16-0x000007FEF4BF0000-0x000007FEF5CA0000-memory.dmp

memory/1728-44-0x000007FEF4480000-0x000007FEF4491000-memory.dmp

memory/1728-45-0x000007FEF4460000-0x000007FEF4471000-memory.dmp

memory/1728-43-0x000007FEF44A0000-0x000007FEF44B4000-memory.dmp

memory/1728-46-0x000007FEF4440000-0x000007FEF4451000-memory.dmp

memory/1728-41-0x000007FEF44E0000-0x000007FEF465A000-memory.dmp

memory/1728-47-0x000007FEF4420000-0x000007FEF4436000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies AppInit DLL entries

persistence

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 4668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4668-1-0x0000000000C70000-0x0000000000C9C000-memory.dmp

memory/4668-0-0x0000000010000000-0x0000000010024000-memory.dmp

memory/4668-2-0x0000000002400000-0x0000000002401000-memory.dmp

memory/4668-9-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/4668-10-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4668-8-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

memory/4668-7-0x0000000000C40000-0x0000000000C41000-memory.dmp

memory/4668-6-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

memory/4668-5-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/4668-4-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/4668-3-0x0000000000740000-0x0000000000741000-memory.dmp

memory/4668-12-0x0000000002430000-0x0000000002431000-memory.dmp

memory/4668-11-0x0000000002410000-0x0000000002411000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240508-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\notfound.wav"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\notfound.wav"

Network

N/A

Files

memory/2980-6-0x000007FEFACC0000-0x000007FEFACF4000-memory.dmp

memory/2980-5-0x000000013FAF0000-0x000000013FBE8000-memory.dmp

memory/2980-8-0x000007FEFB9E0000-0x000007FEFB9F8000-memory.dmp

memory/2980-9-0x000007FEFAD10000-0x000007FEFAD27000-memory.dmp

memory/2980-10-0x000007FEFACA0000-0x000007FEFACB1000-memory.dmp

memory/2980-11-0x000007FEFA940000-0x000007FEFA957000-memory.dmp

memory/2980-12-0x000007FEF7760000-0x000007FEF7771000-memory.dmp

memory/2980-14-0x000007FEF7620000-0x000007FEF7631000-memory.dmp

memory/2980-13-0x000007FEF7640000-0x000007FEF765D000-memory.dmp

memory/2980-7-0x000007FEF5F80000-0x000007FEF6236000-memory.dmp

memory/2980-15-0x000007FEF5D70000-0x000007FEF5F7B000-memory.dmp

memory/2980-17-0x000007FEF6F30000-0x000007FEF6F71000-memory.dmp

memory/2980-19-0x000007FEF6EE0000-0x000007FEF6EF8000-memory.dmp

memory/2980-18-0x000007FEF6F00000-0x000007FEF6F21000-memory.dmp

memory/2980-20-0x000007FEF68D0000-0x000007FEF68E1000-memory.dmp

memory/2980-21-0x000007FEF68B0000-0x000007FEF68C1000-memory.dmp

memory/2980-22-0x000007FEF6890000-0x000007FEF68A1000-memory.dmp

memory/2980-23-0x000007FEF6870000-0x000007FEF688B000-memory.dmp

memory/2980-24-0x000007FEF4CA0000-0x000007FEF4CB1000-memory.dmp

memory/2980-25-0x000007FEF4C80000-0x000007FEF4C98000-memory.dmp

memory/2980-26-0x000007FEF4C50000-0x000007FEF4C80000-memory.dmp

memory/2980-27-0x000007FEF4BE0000-0x000007FEF4C47000-memory.dmp

memory/2980-28-0x000007FEF4B60000-0x000007FEF4BDC000-memory.dmp

memory/2980-29-0x000007FEF4B40000-0x000007FEF4B51000-memory.dmp

memory/2980-31-0x000007FEF4AB0000-0x000007FEF4AD8000-memory.dmp

memory/2980-30-0x000007FEF4AE0000-0x000007FEF4B37000-memory.dmp

memory/2980-35-0x000007FEF4A10000-0x000007FEF4A21000-memory.dmp

memory/2980-34-0x000007FEF4A30000-0x000007FEF4A53000-memory.dmp

memory/2980-37-0x000007FEFAD60000-0x000007FEFAD70000-memory.dmp

memory/2980-36-0x000007FEF49F0000-0x000007FEF4A02000-memory.dmp

memory/2980-16-0x000007FEF4CC0000-0x000007FEF5D70000-memory.dmp

memory/2980-33-0x000007FEF4A60000-0x000007FEF4A78000-memory.dmp

memory/2980-32-0x000007FEF4A80000-0x000007FEF4AA4000-memory.dmp

memory/2980-38-0x000007FEF47D0000-0x000007FEF47FF000-memory.dmp

memory/2980-39-0x000007FEF47B0000-0x000007FEF47C1000-memory.dmp

memory/2980-40-0x000007FEF4790000-0x000007FEF47A6000-memory.dmp

memory/2980-41-0x000007FEF4770000-0x000007FEF4785000-memory.dmp

memory/2980-42-0x000007FEF4730000-0x000007FEF4741000-memory.dmp

memory/2980-43-0x000007FEF4710000-0x000007FEF4722000-memory.dmp

memory/2980-44-0x000007FEF4590000-0x000007FEF470A000-memory.dmp

memory/2980-45-0x000007FEF4570000-0x000007FEF4583000-memory.dmp

memory/2980-46-0x000007FEF4550000-0x000007FEF4564000-memory.dmp

memory/2980-47-0x000007FEF4530000-0x000007FEF4541000-memory.dmp

memory/2980-48-0x000007FEF4510000-0x000007FEF4521000-memory.dmp

memory/2980-49-0x000007FEF44F0000-0x000007FEF4501000-memory.dmp

memory/2980-50-0x000007FEF44D0000-0x000007FEF44E6000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur001.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32 /u iesplugin.dll

Network

N/A

Files

memory/2576-0-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2576-2-0x000000001000C000-0x000000001000D000-memory.dmp

memory/2576-5-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2576-4-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2576-3-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2576-1-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2576-6-0x0000000010000000-0x0000000010026000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Nail.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Nail.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Nail.exe C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 216 wrote to memory of 4688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 216 wrote to memory of 4688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 216 wrote to memory of 4688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur002.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
BE 2.17.196.106:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
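
In this table, as in the Network table of the first rundll32 detonation above, the only TCP connections go to Bing hosts and every other row is a DNS query to 8.8.8.8, most of them PTR (in-addr.arpa) lookups. Nothing here looks like command-and-control; what a responder wants is a repeatable way to separate that background noise from a real egress and to see which reverse lookups correspond to a connection the capture actually recorded. The Python below is an added example by the editor, not sandbox or report code: it parses the rows exactly as they appear in the table, reverses PTR names back to addresses, correlates them with observed connections, and flags any connection whose name falls outside an allowlist. The bing.com/bing.net allowlist is the editor's assumption about sandbox and OS background traffic, not something the report states, and the final constructed row (RFC 5737 address 203.0.113.7, reserved example.net name) exists only to show a flagged connection.

```python
# Rows copied verbatim from the Network table above (Country Destination Domain Proto).
NETWORK_ROWS = [
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp",
    "US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp",
    "BE 2.17.196.106:443 www.bing.com tcp",
    "US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp",
    "US 8.8.8.8:53 106.196.17.2.in-addr.arpa udp",
    "US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp",
    "US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp",
    "US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp",
    "US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp",
    "US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp",
    "US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
]

# Constructed by the editor, not from the report: RFC 5737 test address, reserved example name.
CONSTRUCTED_ROW = "NL 203.0.113.7:80 update.example.net tcp"

# Editor's assumption: names under these suffixes are sandbox/OS background traffic.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def parse_row(row):
    """Split one table row; the Domain column can be empty (the earlier table has such a row)."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:            # e.g. "US 8.8.8.8:53 udp": a DNS query with no name recorded
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unrecognised row: {row!r}")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """'106.196.17.2.in-addr.arpa' -> '2.17.196.106'; None if the name is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage_network(rows):
    """Separate DNS noise from real connections and flag anything outside the allowlist."""
    connections = {}         # destination ip -> names the capture associates with it
    ptr_lookups = set()      # addresses the guest tried to reverse-resolve
    forward_lookups = set()  # names the guest resolved
    for f in (parse_row(r) for r in rows):
        if f["port"] == 53 and f["proto"] == "udp":
            ip = ptr_to_ip(f["domain"])
            if ip:
                ptr_lookups.add(ip)
            elif f["domain"]:
                forward_lookups.add(f["domain"])
            continue
        connections.setdefault(f["ip"], set()).add(f["domain"])
    # A PTR lookup for an address the guest also connected to is the OS naming its own
    # peers; a PTR lookup with no matching connection points at traffic not in this table.
    ptr_matched = {ip for ip in ptr_lookups if ip in connections}
    connected_names = set().union(*connections.values())
    flagged = sorted(
        (ip, name) for ip, names in connections.items() for name in names if not is_background(name)
    )
    return {
        "connections": {ip: sorted(names) for ip, names in connections.items()},
        "forward_lookups": forward_lookups,
        "resolved_not_connected": forward_lookups - connected_names,
        "ptr_matched": ptr_matched,
        "ptr_unmatched": ptr_lookups - ptr_matched,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in triage_network(NETWORK_ROWS + [CONSTRUCTED_ROW]).items():
        print(f"{key}: {value}")
```

On the report's rows the function flags nothing: both connections resolve to allowlisted Bing names, and only one of the eleven reverse lookups (2.17.196.106, the www.bing.com peer) matches a connection in the capture; the other ten are addresses the guest reverse-resolved without any recorded connection, which is worth knowing before treating the PTR traffic as evidence of anything the sample did.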

Files

memory/4688-1-0x0000000001000000-0x000000000102C000-memory.dmp

memory/4688-7-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/4688-6-0x0000000000F20000-0x0000000000F21000-memory.dmp

memory/4688-5-0x0000000001070000-0x0000000001071000-memory.dmp

memory/4688-4-0x0000000001080000-0x0000000001081000-memory.dmp

memory/4688-3-0x0000000001090000-0x0000000001091000-memory.dmp

memory/4688-2-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/4688-0-0x0000000010000000-0x0000000010023000-memory.dmp

memory/4688-19-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

memory/4688-18-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/4688-17-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

memory/4688-16-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

memory/4688-15-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

memory/4688-14-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

memory/4688-13-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

memory/4688-12-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/4688-11-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/4688-10-0x0000000000F10000-0x0000000000F11000-memory.dmp

memory/4688-9-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/4688-8-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/4688-20-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/4688-21-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/4688-29-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/4688-28-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/4688-27-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/4688-25-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/4688-23-0x0000000002B40000-0x0000000002B41000-memory.dmp

memory/4688-22-0x0000000002B20000-0x0000000002B21000-memory.dmp

C:\Windows\Nail.txt

MD5 042981b3aba77cdf67bce3700276819d
SHA1 77139f9abf5becf2b04ba121ce7566b63c167c8f
SHA256 1db51bd47ff4a706056dfabce412478a50ce044ca1b9cb91c0d18b6bb303e9d1
SHA512 f0cff95e2d8c15f850894587ba1b02e263d8678ad4a6c89604c51d296e36414dea6de251e2f3e2fca89fabc09d692caf6d08984178fc5e833500d541b5d9bc9f

memory/4688-33-0x0000000010000000-0x0000000010023000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-24 20:20

Reported

2024-05-24 20:23

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies AppInit DLL entries

persistence

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A
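
Reading the persistence and registry-class rows in this detonation and in the earlier heur003.dll run: every value written is the string Windows ships by default (Winlogon Shell = explorer.exe, the exefile open command = "%1" %*, .key = regfile), so these signatures fire on the write itself, not on a hijack that is in effect. Two things still matter to a responder. First, the per-user Winlogon\Shell value under \REGISTRY\USER\<SID> is not something Windows creates, yet it is honoured at that user's logon when present, so its creation is a new logon hook even with a default-looking value. Second, the HKLM write landed under Wow6432Node because the writer is the 32-bit SysWOW64 rundll32.exe (the process the 64-bit rundll32.exe handed off to in the WriteProcessMemory rows); 32-bit writers to that path are redirected there, and it is not the key the 64-bit Winlogon consults. "Modifies AppInit DLL entries" lists no indicator rows, so there is nothing to assess for it. The Python below is an added example by the editor, not sandbox or report code: it parses the rows as they appear above, compares each watchlisted value with the Windows default, and returns a verdict per row. The watchlist, the ATT&CK sub-technique mapping, and the final constructed row (a non-default Shell value, not observed in this sample) are the editor's additions.

```python
import re

# Rows copied from the persistence / registry-class signature tables above (one per line).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A',
]
# Constructed by the editor, not observed in this sample: what a real Shell hijack row looks like.
CONSTRUCTED_HIJACK_ROW = r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe,C:\Windows\Temp\hypothetical.exe" C:\Windows\SysWOW64\rundll32.exe N/A'

# Case-insensitive key suffix -> (technique, value Windows ships by default).
# The ATT&CK sub-technique IDs are the editor's mapping, not the report's.
WATCHLIST = (
    ("\\windows nt\\currentversion\\winlogon\\shell", "Winlogon Shell (T1547.004)", "explorer.exe"),
    ("\\windows nt\\currentversion\\windows\\appinit_dlls", "AppInit_DLLs (T1546.010)", ""),
    ("\\classes\\exefile\\shell\\open\\command", "exefile open command (T1546.001)", '"%1" %*'),
    ("\\classes\\.key", ".key file association (T1546.001)", "regfile"),
)

# Report row grammar: the key may contain spaces ("Windows NT"), the value is double-quoted
# with inner quotes escaped as \", and the process path starts with a drive letter.
_SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>(?:\\.|[^"\\])*)")?'
    r' (?P<process>[A-Za-z]:\\.+?) (?P<target>\S+)$'
)
_CREATE_RE = re.compile(
    r'^Key created (?P<key>\\REGISTRY\\.+?) (?P<process>[A-Za-z]:\\.+?) (?P<target>\S+)$'
)


def classify_indicator(row):
    """Parse one 'Set value' / 'Key created' row; None for any other signature row."""
    event, m = "set", _SET_RE.match(row)
    if m is None:
        event, m = "create", _CREATE_RE.match(row)
    if m is None:
        return None
    key = m.group("key")
    raw = m.group("value") if event == "set" else None
    value = raw.replace('\\"', '"') if raw is not None else None  # undo the report's quoting
    hive = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE\\") else "HKU"
    technique = default = None
    lowered = key.lower().rstrip("\\")  # a trailing backslash denotes the key's (Default) value
    for suffix, name, default_value in WATCHLIST:
        if lowered.endswith(suffix):
            technique, default = name, default_value
            break
    is_default = None
    if technique is not None and value is not None:
        is_default = value.lower() == default.lower()
    return {"event": event, "hive": hive, "key": key, "value": value,
            "process": m.group("process"), "technique": technique, "is_default": is_default}


def triage(rows):
    """Return the watchlisted events, each with a verdict a responder can act on."""
    findings = []
    for row in rows:
        ev = classify_indicator(row)
        if ev is None or ev["technique"] is None:
            continue
        if ev["value"] is None:
            verdict = "key touched, no value recorded"
        elif ev["hive"] == "HKU" and ev["technique"].startswith("Winlogon Shell"):
            # Windows creates no per-user Shell value yet honours one when present,
            # so even the default-looking string is a new logon hook for this user.
            verdict = "non-default: per-user Shell value created"
        elif ev["is_default"]:
            verdict = "default value rewritten, no hijack in effect"
        else:
            verdict = "HIJACK: non-default value"
        findings.append({**ev, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_ROWS + [CONSTRUCTED_HIJACK_ROW]):
        print(f'{f["hive"]:4} {f["technique"]:36} {f["verdict"]}')
```

Run against the report's rows the verdicts are all "default value rewritten" or "key touched" except the per-user Shell row; only the constructed row produces "HIJACK". When checking a live host rather than a report, the same comparison applies to the native HKLM Winlogon key, the Wow6432Node copy, and each loaded user hive, since a redirected 32-bit write and a per-user value are exactly the places a quick look at HKLM alone misses.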

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 1892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 1892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 1892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 1892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 1892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 1892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 1892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#1

Network

N/A

Files

memory/1892-9-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-8-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-7-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-6-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-5-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-4-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-3-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-2-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-1-0x000000001000B000-0x000000001000C000-memory.dmp

memory/1892-0-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1892-10-0x0000000001F00000-0x0000000001F01000-memory.dmp