Malware Analysis Report

2024-10-10 12:02

Sample ID 240610-wsm5ravgmf
Target afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe
SHA256 4245b59eb49f9ea2596ed1791ea2c81173acbfdfa2ceaf8e17ab418ace71d847
Tags
execution upx risepro
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4245b59eb49f9ea2596ed1791ea2c81173acbfdfa2ceaf8e17ab418ace71d847

Threat Level: Known bad

The file afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe was found to be: Known bad.

Malicious Activity Summary

execution upx risepro

Risepro family

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

Executes dropped EXE

Command and Scripting Interpreter: JavaScript

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 18:11

Signatures

Risepro family

risepro

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 336 wrote to memory of 3120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 3120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 3120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 612

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240419-en

Max time kernel

135s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
N/A 127.0.0.1:49205 tcp
N/A 127.0.0.1:49207 tcp
US 8.8.8.8:53 fake.fake udp
US 8.8.8.8:53 fake.fake udp
N/A 127.0.0.1:49209 tcp
US 8.8.8.8:53 fake.fake udp
N/A 127.0.0.1:49211 tcp
US 8.8.8.8:53 fake.fake udp
N/A 127.0.0.1:49213 tcp
US 8.8.8.8:53 fake.fake udp
N/A 127.0.0.1:49215 tcp
US 8.8.8.8:53 fake.fake udp
N/A 127.0.0.1:49217 tcp

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 474a59515c2dbeaf0d7ee72e24ecbe00
SHA1 8aa52d73eae8bf89ee46106ac5e5b41561ebdffd
SHA256 72079e6f9b748fc35a91161bafd28f2f5f183fd91ba86fe4e5c16186b3a26884
SHA512 3e4de23a3039360421daedbd7915951e5e02b1a4e87458f70f48c3ff8167a471eb0a0aaf3f282701ce0fab81a15bb7ff5b4e1e1393522f09d0ec494ba4b198b4

\Users\Admin\AppData\Local\Temp\nsdAEB.tmp\NsLauncher.dll

MD5 e289f003033fb7d3d52ff9afccbd3677
SHA1 2083fb9828ecc87d3b274208be0e8b88ba37136c
SHA256 e243bcd7575fdff522a23d97a848f562a52d484cea06151642ec5e36773a1b87
SHA512 99b9ec5c405b86754dd48959643080b5dccca4231e3092c1be77a8e86c5dfc893122b7d04cb2a87e4c21ce900f7eace488d01494045381cb96055a96cadc7863

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

55s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240226-en

Max time kernel

112s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1368 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1368 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1776 -ip 1776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3484 wrote to memory of 736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3484 wrote to memory of 736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 736 -ip 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2212 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.179.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 228

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4036 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4036 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4036 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 1160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 1160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 1160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1160 -ip 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3220 wrote to memory of 4748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3220 wrote to memory of 4748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3220 wrote to memory of 4748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240215-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe

"C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49194 tcp
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
US 163.181.154.244:443 imv2-gl.farlightgames.com tcp
N/A 127.0.0.1:49197 tcp
N/A 127.0.0.1:49199 tcp
US 8.8.8.8:53 app.farlightgames.com udp
US 8.8.8.8:53 app.farlightgames.com udp
BE 2.17.107.184:443 app.farlightgames.com tcp
BE 2.17.107.241:443 app.farlightgames.com tcp
BE 2.17.107.184:443 app.farlightgames.com tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
N/A 127.0.0.1:49203 tcp
N/A 127.0.0.1:49206 tcp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsdE93.tmp\NsLauncher.dll

MD5 e289f003033fb7d3d52ff9afccbd3677
SHA1 2083fb9828ecc87d3b274208be0e8b88ba37136c
SHA256 e243bcd7575fdff522a23d97a848f562a52d484cea06151642ec5e36773a1b87
SHA512 99b9ec5c405b86754dd48959643080b5dccca4231e3092c1be77a8e86c5dfc893122b7d04cb2a87e4c21ce900f7eace488d01494045381cb96055a96cadc7863

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 4388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4808 wrote to memory of 4388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4808 wrote to memory of 4388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 612

Network

Files

memory/4388-0-0x0000000075920000-0x0000000075929000-memory.dmp

memory/4388-1-0x0000000075920000-0x0000000075929000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 2272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240508-en

Max time kernel

122s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 228

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240215-en

Max time kernel

140s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 220

Network

N/A

Files

memory/2324-2-0x0000000074D70000-0x0000000074D79000-memory.dmp

memory/2324-1-0x0000000074D60000-0x0000000074D69000-memory.dmp

memory/2324-0-0x0000000074D70000-0x0000000074D79000-memory.dmp

memory/2324-3-0x0000000074D60000-0x0000000074D69000-memory.dmp

memory/2324-5-0x0000000074D70000-0x0000000074D79000-memory.dmp

memory/2324-6-0x0000000074D70000-0x0000000074D79000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240508-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 220

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
N/A 127.0.0.1:51785 tcp
N/A 127.0.0.1:51787 tcp
US 8.8.8.8:53 fake.fake udp
N/A 127.0.0.1:51789 tcp
N/A 127.0.0.1:51791 tcp
N/A 127.0.0.1:51793 tcp
US 8.8.8.8:53 fake.fake udp
N/A 127.0.0.1:51795 tcp
N/A 127.0.0.1:51797 tcp
US 8.8.8.8:53 fake.fake udp
US 8.8.8.8:53 fake.fake udp
N/A 127.0.0.1:51799 tcp

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 474a59515c2dbeaf0d7ee72e24ecbe00
SHA1 8aa52d73eae8bf89ee46106ac5e5b41561ebdffd
SHA256 72079e6f9b748fc35a91161bafd28f2f5f183fd91ba86fe4e5c16186b3a26884
SHA512 3e4de23a3039360421daedbd7915951e5e02b1a4e87458f70f48c3ff8167a471eb0a0aaf3f282701ce0fab81a15bb7ff5b4e1e1393522f09d0ec494ba4b198b4

C:\Users\Admin\AppData\Local\Temp\nsi66EA.tmp\NsLauncher.dll

MD5 e289f003033fb7d3d52ff9afccbd3677
SHA1 2083fb9828ecc87d3b274208be0e8b88ba37136c
SHA256 e243bcd7575fdff522a23d97a848f562a52d484cea06151642ec5e36773a1b87
SHA512 99b9ec5c405b86754dd48959643080b5dccca4231e3092c1be77a8e86c5dfc893122b7d04cb2a87e4c21ce900f7eace488d01494045381cb96055a96cadc7863

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240508-en

Max time kernel

62s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 3528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 3528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1168 wrote to memory of 3528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3528 -ip 3528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 604

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 260

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
US 163.181.154.244:443 imv2-gl.farlightgames.com tcp
N/A 127.0.0.1:49190 tcp
US 8.8.8.8:53 pc.crashsight.wetest.net udp
SG 101.33.48.102:443 pc.crashsight.wetest.net tcp
US 8.8.8.8:53 app.farlightgames.com udp
US 8.8.8.8:53 app.farlightgames.com udp
BE 2.17.107.184:443 app.farlightgames.com tcp
BE 2.17.107.184:443 app.farlightgames.com tcp
US 8.8.8.8:53 static-gl.farlightgames.com udp
US 34.104.34.239:443 static-gl.farlightgames.com tcp
US 34.104.34.239:443 static-gl.farlightgames.com tcp
US 34.104.34.239:443 static-gl.farlightgames.com tcp
US 34.104.34.239:443 static-gl.farlightgames.com tcp
US 34.104.34.239:443 static-gl.farlightgames.com tcp
US 34.104.34.239:443 static-gl.farlightgames.com tcp
US 8.8.8.8:53 static-gl.lilithgame.com udp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49194 tcp
N/A 127.0.0.1:49196 tcp
N/A 127.0.0.1:49202 tcp
N/A 127.0.0.1:49206 tcp
N/A 127.0.0.1:49209 tcp
N/A 127.0.0.1:49212 tcp
N/A 127.0.0.1:49224 tcp
N/A 127.0.0.1:49227 tcp
N/A 127.0.0.1:49231 tcp
N/A 127.0.0.1:49245 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 8.8.8.8:53 psp-api.farlightgames.com udp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
SG 18.141.97.108:443 psp-api.farlightgames.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49257 tcp
N/A 127.0.0.1:49259 tcp
N/A 127.0.0.1:49266 tcp
N/A 127.0.0.1:49275 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49278 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49286 tcp
US 8.8.8.8:53 d1s9fa96v0yqzs.cloudfront.net udp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49289 tcp
BE 2.17.107.184:443 app.farlightgames.com tcp
N/A 127.0.0.1:49292 tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49295 tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49298 tcp
N/A 127.0.0.1:49305 tcp
N/A 127.0.0.1:49308 tcp
N/A 127.0.0.1:49315 tcp
N/A 127.0.0.1:49322 tcp
N/A 127.0.0.1:49325 tcp
N/A 127.0.0.1:49328 tcp
N/A 127.0.0.1:49331 tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49342 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49345 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49348 tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49355 tcp
N/A 127.0.0.1:49358 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49365 tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49368 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49374 tcp
N/A 127.0.0.1:49378 tcp
N/A 127.0.0.1:49385 tcp
N/A 127.0.0.1:49388 tcp
N/A 127.0.0.1:49391 tcp
N/A 127.0.0.1:49402 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49405 tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49408 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49411 tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49418 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
NL 18.239.82.2:443 d1s9fa96v0yqzs.cloudfront.net tcp
N/A 127.0.0.1:49425 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49428 tcp
N/A 127.0.0.1:49431 tcp
N/A 127.0.0.1:49442 tcp
N/A 127.0.0.1:49447 tcp
N/A 127.0.0.1:49454 tcp
N/A 127.0.0.1:49457 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49464 tcp
N/A 127.0.0.1:49467 tcp
N/A 127.0.0.1:49474 tcp
N/A 127.0.0.1:49477 tcp
N/A 127.0.0.1:49484 tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
US 163.181.154.234:443 static-gl.lilithgame.com tcp
N/A 127.0.0.1:49487 tcp
N/A 127.0.0.1:49494 tcp
N/A 127.0.0.1:49497 tcp

Files

memory/1728-2-0x0000000002F00000-0x0000000002F27000-memory.dmp

memory/1728-4-0x0000000076280000-0x0000000076290000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
N/A 127.0.0.1:51671 tcp
US 8.8.8.8:53 pc.crashsight.wetest.net udp
US 8.8.8.8:53 static-gl.farlightgames.com udp
US 8.8.8.8:53 pc.crashsight.wetest.net udp
N/A 127.0.0.1:51675 tcp
N/A 127.0.0.1:51678 tcp
US 8.8.8.8:53 static1-gl.farlightgames.com udp
US 8.8.8.8:443 tcp
US 8.8.8.8:443 tcp
N/A 127.0.0.1:51681 tcp
N/A 127.0.0.1:51683 tcp
N/A 127.0.0.1:51685 tcp
N/A 127.0.0.1:51687 tcp
US 8.8.8.8:443 tcp
US 8.8.8.8:443 tcp
US 52.111.227.11:443 tcp

Files

memory/400-2-0x0000000004740000-0x00000000047BE000-memory.dmp

memory/400-4-0x0000000075D10000-0x0000000075D20000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hpatchz.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\hpatchz.exe

"C:\Users\Admin\AppData\Local\Temp\hpatchz.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 219.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hpatchz.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\hpatchz.exe

"C:\Users\Admin\AppData\Local\Temp\hpatchz.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe

"C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 imv2-gl.farlightgames.com udp
N/A 127.0.0.1:49832 tcp
GB 79.133.176.171:443 imv2-gl.farlightgames.com tcp
N/A 127.0.0.1:49835 tcp
N/A 127.0.0.1:49836 tcp
US 8.8.8.8:53 app.farlightgames.com udp
BE 2.17.107.184:443 app.farlightgames.com tcp
BE 2.17.107.184:443 app.farlightgames.com tcp
US 8.8.8.8:53 171.176.133.79.in-addr.arpa udp
US 8.8.8.8:53 184.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
N/A 127.0.0.1:49848 tcp
BE 2.17.107.184:443 app.farlightgames.com tcp
US 8.8.8.8:53 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com udp
US 34.36.110.19:443 tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com tcp
N/A 127.0.0.1:49852 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.110.36.34.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsg2112.tmp\NsLauncher.dll

MD5 e289f003033fb7d3d52ff9afccbd3677
SHA1 2083fb9828ecc87d3b274208be0e8b88ba37136c
SHA256 e243bcd7575fdff522a23d97a848f562a52d484cea06151642ec5e36773a1b87
SHA512 99b9ec5c405b86754dd48959643080b5dccca4231e3092c1be77a8e86c5dfc893122b7d04cb2a87e4c21ce900f7eace488d01494045381cb96055a96cadc7863

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 220

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 228

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-10 18:11

Reported

2024-06-10 18:14

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js

Network

Files

N/A