Malware Analysis Report

2025-04-14 00:58

Sample ID 240530-q9wwbsah51
Target 846328c9641705a25e245812690346b7_JaffaCakes118
SHA256 a6fbbdfd4727a94119a43866f2997b8b0b319a391bab2830d8a217517f882196
Tags
discovery persistence
score
7/10


Analysis Overview

score
7/10

SHA256

a6fbbdfd4727a94119a43866f2997b8b0b319a391bab2830d8a217517f882196

Threat Level: Shows suspicious behavior

The file 846328c9641705a25e245812690346b7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-30 13:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\$APPDATA\MediaPlayerApplication2\uninstaller.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$1\$APPDATA\MediaPlayerApplication2\uninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$1\$APPDATA\MediaPlayerApplication2\uninstaller.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$1\$APPDATA\MediaPlayerApplication2\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 35f86495201e758774fa56984e98884a
SHA1 e642a7b5ac6a0cf4c0bfca0fdac23d5d1b732d35
SHA256 10aa89b9dc0e4271f928c08fa656eb94c967cf32c2beefc6b6ec637d326f22dc
SHA512 8ec5e7b2b4611733c25c98a5ec5e4017b48ef3b3136b5d8989b499e5ff5acebca1375e511e172927b1b3cbfaccce273a4a7036824baf0b8ba5991fd172600aed

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\$APPDATA\MediaPlayerApplication2\uninstaller.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$1\$APPDATA\MediaPlayerApplication2\uninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$1\$APPDATA\MediaPlayerApplication2\uninstaller.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$1\$APPDATA\MediaPlayerApplication2\

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 35f86495201e758774fa56984e98884a
SHA1 e642a7b5ac6a0cf4c0bfca0fdac23d5d1b732d35
SHA256 10aa89b9dc0e4271f928c08fa656eb94c967cf32c2beefc6b6ec637d326f22dc
SHA512 8ec5e7b2b4611733c25c98a5ec5e4017b48ef3b3136b5d8989b499e5ff5acebca1375e511e172927b1b3cbfaccce273a4a7036824baf0b8ba5991fd172600aed

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4236,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerInstallerStuff.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerInstallerStuff.exe

"C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerInstallerStuff.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 20.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win10v2004-20240426-en

Max time kernel

121s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPlayerApplication = "\"C:\\Users\\Admin\\AppData\\Roaming\\MediaPlayerApplication2\\MediaPlayerApplication.exe\"" C:\Users\Admin\AppData\Roaming\MediaPlayerApplication2\MediaPlayerApplication.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsq7BA9.tmp\MediaPlayerInstallerStuff.exe

"C:\Users\Admin\AppData\Local\Temp\nsq7BA9.tmp\MediaPlayerInstallerStuff.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe" "HKCU" "Software\MediaPlayerApplication" "zerker"

C:\Users\Admin\AppData\Roaming\MediaPlayerApplication2\MediaPlayerApplication.exe

C:\Users\Admin\AppData\Roaming\MediaPlayerApplication2\MediaPlayerApplication.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq7BA9.tmp\MediaPlayerInstallerStuff.exe

MD5 18226dce3f8a67d3ed65c2d1a9f3b348
SHA1 59e983233a0c9ae32348fed758b14ec29cb1f987
SHA256 c748afc480f03f7e24b3eba8306ef108da235c39ee134a744363e2c22ed7afea
SHA512 46a18c49829afa289795ca4dac85931d60d60a1e52238841ec288d18c802aa2be6f8b3f14130ea25f86c73c37f89875b9b6f4743dcb05959e83614ad1c8b3efd

C:\Users\Admin\AppData\Local\Temp\nsq7BA9.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

C:\Users\Admin\AppData\Roaming\MediaPlayerApplication2\MediaPlayerApplication.exe

MD5 3cdc437ac9a03a6cca99d618cd397da4
SHA1 6a331756c30bb7777c2c7e6c07ca0562d7f500c8
SHA256 de24fb81d20c2aacb66f419c6e523416cf61c5ea5de3af0e25ed4eb301f3a6f2
SHA512 9aad7f0bdbe7d126b32fca359c3498888820edef9d23d866e5a481be877cd59e4da4944869ccd022581b332945ebecb9fb21d82cddf319a6480c722a23fc7015

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerApplication.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerApplication.exe

"C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerApplication.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerInstallerStuff.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerInstallerStuff.exe

"C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerInstallerStuff.exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe
PID 2972 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe
PID 2972 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe
PID 2972 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe
PID 2972 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe
PID 2972 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe
PID 2972 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe
PID 1516 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe C:\Windows\SysWOW64\WerFault.exe
PID 1516 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe C:\Windows\SysWOW64\WerFault.exe
PID 1516 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe C:\Windows\SysWOW64\WerFault.exe
PID 1516 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe

"C:\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe" "HKCU" "Software\MediaPlayerApplication" "zerker"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 128

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy148B.tmp\MediaPlayerInstallerStuff.exe

MD5 18226dce3f8a67d3ed65c2d1a9f3b348
SHA1 59e983233a0c9ae32348fed758b14ec29cb1f987
SHA256 c748afc480f03f7e24b3eba8306ef108da235c39ee134a744363e2c22ed7afea
SHA512 46a18c49829afa289795ca4dac85931d60d60a1e52238841ec288d18c802aa2be6f8b3f14130ea25f86c73c37f89875b9b6f4743dcb05959e83614ad1c8b3efd

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe

"C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/4020-0-0x00000000004AB000-0x00000000004AC000-memory.dmp

memory/4020-1-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-2-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-3-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-4-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-5-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-6-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-7-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-8-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-9-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-10-0x0000000000400000-0x000000000084A000-memory.dmp

memory/4020-11-0x0000000000400000-0x000000000084A000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 224

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerApplication.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerApplication.exe

"C:\Users\Admin\AppData\Local\Temp\$1\MediaPlayerApplication.exe"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 4612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5008 wrote to memory of 4612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5008 wrote to memory of 4612 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-30 13:58

Reported

2024-05-30 14:00

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe

"C:\Users\Admin\AppData\Local\Temp\$R1\mplayerc.exe"

Network

N/A

Files

memory/1952-0-0x00000000758A4000-0x00000000758A5000-memory.dmp

memory/1952-1-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-2-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-4-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-3-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-5-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-6-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-7-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-8-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-9-0x0000000075890000-0x00000000759A0000-memory.dmp

memory/1952-10-0x0000000075890000-0x00000000759A0000-memory.dmp