Malware Analysis Report

2025-01-06 09:00

Sample ID 240601-ea5teagg6w
Target VSTPlugins.rar
SHA256 c0c017f18b0afe8d9fd84617fb87153ac2ffd01f93db2e9b13144f3e242277da
Tags evasion pdf link
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 c0c017f18b0afe8d9fd84617fb87153ac2ffd01f93db2e9b13144f3e242277da

Threat Level: Shows suspicious behavior

The file VSTPlugins.rar was found to show suspicious behavior.

Malicious Activity Summary

evasion pdf link

Identifies Wine through registry keys

HTTP links in PDF interactive object

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:52

Signatures

HTTP links in PDF interactive object

pdf link
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(209 entries, every field reported as N/A)

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240426-en

Max time kernel

131s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auburn_Sounds_Graillon_2-64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auburn_Sounds_Graillon_2-64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240221-en

Max time kernel

8s

Max time network

65s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auburn_Sounds_Panagement_2-64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auburn_Sounds_Panagement_2-64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240508-en

Max time kernel

121s

Max time network

153s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC FreqAnalyst 2 VST(Mono).dll"

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC FreqAnalyst 2 VST(Mono).dll"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

138s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\VSTPlugins.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\VSTPlugins.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:56

Platform

win10v2004-20240508-en

Max time kernel

127s

Max time network

172s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Auto-Tune_Access (1).dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Auto-Tune_Access (1).dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/5072-0-0x0000000180000000-0x000000018464B000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240508-en

Max time kernel

142s

Max time network

32s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auto-Tune_Access.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1188 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1188 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auto-Tune_Access.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1188 -s 196

Network

N/A

Files

memory/1188-0-0x0000000180000000-0x000000018464B000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

172s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Chorus 4 VST(Stereo).dll"

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Chorus 4 VST(Stereo).dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:56

Platform

win10v2004-20240426-en

Max time kernel

119s

Max time network

178s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Auburn Sounds Graillon 2-64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Auburn Sounds Graillon 2-64.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240220-en

Max time kernel

20s

Max time network

23s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auto-Tune_EFX.dll,#1

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\SOFTWARE\Wine\Fonts C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auto-Tune_EFX.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

173s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC FreqAnalyst 2 VST(Mono).dll"

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC FreqAnalyst 2 VST(Mono).dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20231129-en

Max time kernel

121s

Max time network

144s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\bg.tga

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\tga_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.tga C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\tga_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\tga_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\tga_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.tga\ = "tga_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\tga_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\tga_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\bg.tga

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bg.tga

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bg.tga"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6f3e6fe6b734847102c66ae8d3b40b93
SHA1 c79d38438864491c503ddf662f5852dad8e1b267
SHA256 ab50934705216c176d82d47cd9934650de9f7f572932708cdd7015834ff83341
SHA512 0eb1b39e739de260bf69149bc4df40739553f581daae32d870e9ab8037d05fe985f53653f4833a622a9e61195b1273065a6bf790caa2437ea8234f2ad218413d

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

127s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Anvil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Anvil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:56

Platform

win10v2004-20240426-en

Max time kernel

120s

Max time network

179s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Azurite x64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Azurite x64.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:58

Platform

win7-20240221-en

Max time kernel

5s

Max time network

62s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Chorus 4 VST(Mono).dll"

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Chorus 4 VST(Mono).dll"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240221-en

Max time kernel

120s

Max time network

147s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Chorus 4 VST(Stereo).dll"

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Chorus 4 VST(Stereo).dll"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240419-en

Max time kernel

122s

Max time network

154s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Free Amp VST.dll"

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Free Amp VST.dll"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:56

Platform

win7-20240508-en

Max time kernel

144s

Max time network

37s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\VSTPlugins.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\VSTPlugins.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\VSTPlugins.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\VSTPlugins.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\VSTPlugins.rar"

Network

N/A

Files

memory/3052-33-0x000007FEFB2B0000-0x000007FEFB2C7000-memory.dmp

memory/3052-32-0x000007FEFB2D0000-0x000007FEFB2E8000-memory.dmp

memory/3052-31-0x000007FEF6370000-0x000007FEF6626000-memory.dmp

memory/3052-30-0x000007FEFB2F0000-0x000007FEFB324000-memory.dmp

memory/3052-29-0x000000013FBC0000-0x000000013FCB8000-memory.dmp

memory/3052-38-0x000007FEF7760000-0x000007FEF7771000-memory.dmp

memory/3052-37-0x000007FEF83F0000-0x000007FEF840D000-memory.dmp

memory/3052-36-0x000007FEF8410000-0x000007FEF8421000-memory.dmp

memory/3052-35-0x000007FEFB270000-0x000007FEFB287000-memory.dmp

memory/3052-39-0x000007FEF5EE0000-0x000007FEF60EB000-memory.dmp

memory/3052-34-0x000007FEFB290000-0x000007FEFB2A1000-memory.dmp

memory/3052-60-0x000007FEF4BF0000-0x000007FEF4C02000-memory.dmp

memory/3052-59-0x000007FEF4C10000-0x000007FEF4C21000-memory.dmp

memory/3052-58-0x000007FEF4C30000-0x000007FEF4C53000-memory.dmp

memory/3052-57-0x000007FEF4C60000-0x000007FEF4C78000-memory.dmp

memory/3052-56-0x000007FEF4C80000-0x000007FEF4CA4000-memory.dmp

memory/3052-55-0x000007FEF4CB0000-0x000007FEF4CD8000-memory.dmp

memory/3052-54-0x000007FEF4CE0000-0x000007FEF4D37000-memory.dmp

memory/3052-53-0x000007FEF69A0000-0x000007FEF69B1000-memory.dmp

memory/3052-52-0x000007FEF4D40000-0x000007FEF4DBC000-memory.dmp

memory/3052-51-0x000007FEF4DC0000-0x000007FEF4E27000-memory.dmp

memory/3052-50-0x000007FEF69C0000-0x000007FEF69F0000-memory.dmp

memory/3052-49-0x000007FEF69F0000-0x000007FEF6A08000-memory.dmp

memory/3052-48-0x000007FEF6A10000-0x000007FEF6A21000-memory.dmp

memory/3052-47-0x000007FEF6A30000-0x000007FEF6A4B000-memory.dmp

memory/3052-46-0x000007FEF6A50000-0x000007FEF6A61000-memory.dmp

memory/3052-45-0x000007FEF6A70000-0x000007FEF6A81000-memory.dmp

memory/3052-44-0x000007FEF6A90000-0x000007FEF6AA1000-memory.dmp

memory/3052-43-0x000007FEF76C0000-0x000007FEF76D8000-memory.dmp

memory/3052-42-0x000007FEF76E0000-0x000007FEF7701000-memory.dmp

memory/3052-41-0x000007FEF7710000-0x000007FEF7751000-memory.dmp

memory/3052-40-0x000007FEF4E30000-0x000007FEF5EE0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240419-en

Max time kernel

19s

Max time network

29s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Anvil.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3020 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3020 wrote to memory of 2100 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Anvil.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3020 -s 212

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20231129-en

Max time kernel

26s

Max time network

23s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auburn_Sounds_Graillon_2-64.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2952 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2952 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auburn_Sounds_Graillon_2-64.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2952 -s 124

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240426-en

Max time kernel

126s

Max time network

169s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auto-Tune_Access.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auto-Tune_Access.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3916-0-0x0000000180000000-0x000000018464B000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auto-Tune_EFX.dll,#1

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Wine\Fonts C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auto-Tune_EFX.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoTuneVST.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoTuneVST.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoTuneVST.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

127s

Max time network

168s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\bg.tga

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\bg.tga

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240508-en

Max time kernel

24s

Max time network

24s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKExpander_x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKExpander_x64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

127s

Max time network

171s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKExpander_x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKExpander_x64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240221-en

Max time kernel

23s

Max time network

24s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Auburn Sounds Graillon 2-64.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2472 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2472 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Auburn Sounds Graillon 2-64.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2472 -s 124

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240221-en

Max time kernel

142s

Max time network

24s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Auto-Tune_Access (1).dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3028 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3028 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Auto-Tune_Access (1).dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3028 -s 196

Network

N/A

Files

memory/3028-0-0x0000000180000000-0x000000018464B000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20231129-en

Max time kernel

118s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoTuneVST.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1884 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoTuneVST.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoTuneVST.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:56

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

169s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auburn_Sounds_Panagement_2-64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Auburn_Sounds_Panagement_2-64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win7-20240215-en

Max time kernel

28s

Max time network

21s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Azurite x64.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2916 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2916 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Azurite x64.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2916 -s 172

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

126s

Max time network

173s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Chorus 4 VST(Mono).dll"

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Chorus 4 VST(Mono).dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

168s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Free Amp VST.dll"

Signatures

N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\BC Free Amp VST.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files

N/A