Malware Analysis Report

2024-09-23 12:00

Sample ID 240612-rc66gaxfmf
Target a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118
SHA256 c418925ae13f92b6b2f4eed0e0f140ec09f15e7aa50eaa6ea447b7808d71bdb6
Tags
evasion trojan upx discovery persistence bootkit
score
7/10

Analysis Overview

score
7/10

SHA256

c418925ae13f92b6b2f4eed0e0f140ec09f15e7aa50eaa6ea447b7808d71bdb6

Threat Level: Shows suspicious behavior

The file a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

evasion trojan upx discovery persistence bootkit

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Registers COM server for autorun

UPX packed file

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies system certificate store

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:04

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileShredder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FileShredder.exe

"C:\Users\Admin\AppData\Local\Temp\FileShredder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsyD8A.tmp\nsDialogs.dll

MD5 f2c993a0c726386d72e4640967cef83e
SHA1 efe88db252b5e9edff2d859e783fcf1a349e553f
SHA256 6739a2c8075cc383620a867e983957de0b4ae9ef0453baadd1469132893d7301
SHA512 3873a87ba360702c72a6d3e853a0b6f2df219593cf5436d12a9d4d169029e939993c45330212008b628184da64ae98d6a7ab42b30d5f82c896acfc89d558169f

\Users\Admin\AppData\Local\Temp\nsyD8A.tmp\System.dll

MD5 c6f5b9596db45ce43f14b64e0fbcf552
SHA1 665a2207a643726602dc3e845e39435868dddabc
SHA256 4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0
SHA512 8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 228

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 224

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240508-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileShredder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FileShredder.exe

"C:\Users\Admin\AppData\Local\Temp\FileShredder.exe"

Network

N/A

Files


Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 244

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 244

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240611-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\SaaYaa.exe = "0" C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SaaYaa.exe = "9888" C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\SaaYaa.exe = "0" C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\SaaYaa.exe = "1" C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.htm C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe

"C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.saayaa.com udp
US 8.8.8.8:53 www.6655.com udp
CN 180.76.51.48:80 www.saayaa.com tcp
JP 156.238.15.67:80 www.6655.com tcp
JP 156.238.15.67:443 www.6655.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\data\favorite.dat

MD5 433c4330b62c09c6e59e3a1326ced0d6
SHA1 84c7c26f5e6fb1deacb6ecea79709506678a207c
SHA256 129f396e2e4d27b7dc34fdd9479472fd80844e8ace31bc21e53df0de7e2594fa
SHA512 b476a6b7bc04c6102b8f05f05de7b2945a498440983ba863222241ad0ca0e29a099182c3cffcf2c1cc99bfea04441476555a1f9f638d7d23338960229eb0337b

C:\Users\Admin\AppData\Local\Temp\data\config.dat

MD5 02f05d23a1059ed9dabaa361cbd5d56a
SHA1 4fa1eca343d3cbb306163d3b0fc225326a0e07d0
SHA256 4920509c6b224449183a207fbbcebd5c3071377a7c1372f2a1ff144f1278fb43
SHA512 f553d20172968b6f359d928e757a00080b5eabde68f84bec6954dd9f28839dd10106366c276c232011af99a56d46a70cbe7171d78171a9af7989f44816ea4a46

C:\Users\Admin\AppData\Local\Temp\data\config.dat

MD5 b4e849115a701967501e256ccf18b8a4
SHA1 2d01592c172572e6c2ddd1aa9502e39714826652
SHA256 10c517fb94946ef486116b236768d2e9598633109487fd087a9284c3804b8f98
SHA512 f8d085b0e99d9f86792885cc39e140f0340cff5e3e23b3744f63cdc0a276aa08eff93cb5b1ec079baf9f36086fb845f89c8f1c2ecdacbe9da5991f7dd0a63a45

C:\Users\Admin\AppData\Local\Temp\data\config.dat

MD5 e8c9cfdcb77b99c156abe4e1130b952e
SHA1 66a9f39b4587b6f8c6dac462763df01984939051
SHA256 f327108b4e83d4bb984c9cfe9c3ddd7004be7321db173804b516e26ec9e9a881
SHA512 e6805e0bd536b5ddbc04fcb2c4c43106798c934a74bb38978a5eb2d5107bdfde95e35f51ebfb252942924a5fc68a5769f275f27ce11e3a088d651a1fdd4d8a12

C:\Users\Admin\AppData\Local\Temp\data\visited.dat

MD5 9a0a9ea0990abc5f80f8a1ba88299a87
SHA1 2a14298efd5071bcb85ced966c3c115486cea906
SHA256 ca5c7a04c18f2fa324184788da00d4a5abe99efe18fe177f788b6b8847865ee3
SHA512 e50a8fce00565ee2c44507544410369b5fa06641e35eaeb31cf7cc32fe9ffd0a85b38b6e914e422747edc93cad8af05991574cf3169216f2d6f476dae243fa90

C:\Users\Admin\AppData\Local\Temp\data\config.dat

MD5 b7abcfe6bb52517291549ff07e6e021e
SHA1 28c614fa85f897feb33cf509c4f57b6fe589db9d
SHA256 167ce187b224c870bed2e2ef741fb1641509f52212782f85b03ea17cdf1c7eec
SHA512 ee5e4030a93b720102e46b0cc6ac53c8e54fc6a7b849b82fbb8b4bc8c000943fdd56374a00a67f9c3f11aea251e128f3e679217a8f8c0faeb9b17dd93e24f18b

C:\Users\Admin\AppData\Local\Temp\data\config.dat

MD5 a1d5c079ba22cc6cb6250c6376f2dbbb
SHA1 7d7eb3fd9a5a946363aac56821e1d5aba41fd792
SHA256 e708d300edb56ba5e9d92cd1a3623c20a797ba6430507a88fe8654d6c7a68d5a
SHA512 998329b2e9e6f01c74da74748c62cd2b2cc0da02de79350c84fbbf9140b5c74c7cd97682a7b620136758e297513398c8b9e8a5cc200a10ca5441bd82f6565331

C:\Users\Admin\AppData\Local\Temp\data\config.dat

MD5 5c1832c589521beca2cb4dca2a151536
SHA1 608797fd12cc84ab43a250208aadd22db043c21d
SHA256 60caf4cf0a73ed0ef8a0da86ef4ba471d93eb89943927f5643c2ff1718eeb12d
SHA512 b823ccfdf44cd94b04972e2aa4e8290b8796093b6ca0521002288bd2d5ca9b3f67d6332983ef535f5d94ff1ba3910c4a950da383ba282a50fc30882835939df3

C:\Users\Admin\AppData\Local\Temp\CabF21.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\Local\Temp\Tar10DC.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\Local\Temp\data\visited.dat

MD5 71161aef350fa2da85631efd61761252
SHA1 c5c80c7dbf057301fe753e9e70f5a799f2055474
SHA256 ad90b005635f4145abd59c13de2054c2a998bc4b6014f895682fdc7a44ede15f
SHA512 094f4e4a924a908b61798b82ae73b34494b87833aeae41f1ea7a8f618f6ace619867cf6849e730b74c3e61fb324ec02a1491d2e330b7d71a5799e30643d2f1e6


Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240611-en

Max time kernel

120s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 232 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 232 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3160 -ip 3160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240419-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe"

Signatures

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe

"C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe"

Signatures

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe

"C:\Users\Admin\AppData\Local\Temp\DefragMaster.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 87.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240611-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\SaaYaa.exe = "0" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SaaYaa.exe = "9888" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\SaaYaa.exe = "0" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\SaaYaa.exe = "1" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\ftp\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.url C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.shtml C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.AssocFile.HTM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe,1" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtm\ = "htmlfile" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\IE.HTTPS\shell\SaaYaa\ = "用闪游浏览器打开" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.HTTP C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.htm C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\htmlfile\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\ = "SaaYaa" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\https\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\https\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IE.HTTPS\shell\SaaYaa\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.HTTP\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SaaYaa.AssocFile.HTM\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\https\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.htm\ = "htmlfile" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.HTTP\shell\ = "open" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.HTTP\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.htm C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "mhtmlfile" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\IE.HTTP\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.AssocFile.HTM\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\htmlfile\shell\SaaYaa\ = "用闪游浏览器打开" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\IE.HTTPS\shell\ = "SaaYaa" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\IE.HTTPS\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.AssocFile.HTM\shell\ = "open" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.AssocFile.HTM\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.HTTP\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.htm\Content = "text/html" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\http C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\https C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\IE.HTTP\shell\SaaYaa\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\IE.HTTPS\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\IE.FTP\shell\SaaYaa\ = "用闪游浏览器打开" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.html\ = "htmlfile" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.shtml C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\https\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.HTTP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe,1" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\mhtmlfile\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IE.HTTP\shell\SaaYaa\ = "用闪游浏览器打开" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.HTTP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.AssocFile.HTM\shell\ = "open" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.html\Content = "text/html" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\mhtmlfile\shell\SaaYaa C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.HTTP\DefaultIcon C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\ftp\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\IE.HTTP\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\IE.HTTPS\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.shtml C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.shtm\ = "htmlfile" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.HTTP\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.AssocFile.HTM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe,1" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.html C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\InternetShortcut\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\https\shell\SaaYaa\ = "用闪游浏览器打开" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\IE.FTP\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.HTTP\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.AssocFile.HTM\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\SaaYaa.AssocFile.HTM\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe"

C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe

"C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe" "SetDefaultExplorer-1"

C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe

"C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.saayaa.com udp
CN 180.76.51.48:80 www.saayaa.com tcp
US 8.8.8.8:53 www.6655.com udp
JP 156.238.15.47:80 www.6655.com tcp
JP 156.238.15.47:443 www.6655.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsdE45.tmp\System.dll

MD5 c6f5b9596db45ce43f14b64e0fbcf552
SHA1 665a2207a643726602dc3e845e39435868dddabc
SHA256 4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0
SHA512 8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

\Users\Admin\AppData\Local\Temp\nsdE45.tmp\processwork.dll

MD5 0a4fa7a9ba969a805eb0603c7cfe3378
SHA1 0f018a8d5b42c6ce8bf34b4a6422861c327af88c
SHA256 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
SHA512 e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

memory/2192-13-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

\Users\Admin\AppData\Roaming\SaaYaa\Uninstall.exe

MD5 efbd593f671bb27f8f0a7ba02557ff9b
SHA1 a769f5dceba0496349e2a9aa921ec96e8d079f7c
SHA256 c80027bd307bb0f5f305091be90b4dec49c46ae30a71734940cef2796d341614
SHA512 a7ba2e6dcb4ed08c5475a380e080aaec32fe1f66a10ad16996073b93f59078726244fa375862c2e46e47c9c5f177792f520134a1b20d201cb9f2cab907c4a81e

\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe

MD5 c22225dbb3c1ea89a5ad348b64901d68
SHA1 ad1b47692e30c8cc8fcd53dc806ea9bcd7173215
SHA256 e387b0a9abe7e2092952a7894079a404d0cb0c122cd22fd80b6fe7a315028ed4
SHA512 924de9454b2fd5d3a6a45e1917665dcd62254f8a96bf129703c278b4ac832edc0fdcc7d083ba4ec9ffc3c789b859a3a1107f029c284afe29e51ca7115ef82338

memory/2192-25-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/2192-35-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/2192-34-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/2192-40-0x0000000003770000-0x0000000003980000-memory.dmp

memory/2784-41-0x0000000000400000-0x0000000000610000-memory.dmp

memory/2784-44-0x0000000000400000-0x0000000000610000-memory.dmp

memory/2548-55-0x0000000000400000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 93e2a48ae9442c5e0a5b887f66971768
SHA1 c5e76a5dc77a4b5185b0ea6a366b3c18c72f534c
SHA256 89557b5e2c3e55fba548cc37b3ff543913dcb0418855d4389db7342b362ab656
SHA512 b944c921e25e935e6e50974f7b3af5b64f9912988eed29d936d389455a7939da082ecd363e05f2c777c28bcf31ae7b73d8fd5158c29f57c7602481f5fa9d165b

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 662dac75e3b477f08e068e87096b7766
SHA1 367f1432ecf59dfab2a5090394d06868a186efb6
SHA256 b8a1b39d611a72cf618d9f33a7297305f55a1c610160e4fb96dc7bf7113829d8
SHA512 8592ffc6640fa301b57fe18dc052d4e642d0f6dfba0c8b52ea92db05ccf927419966eceb2a176a70451a55eb90b4413ff664b9e2e1d805ede27eef99ce2339ed

C:\Users\Admin\AppData\Roaming\SaaYaa\data\favorite.dat

MD5 433c4330b62c09c6e59e3a1326ced0d6
SHA1 84c7c26f5e6fb1deacb6ecea79709506678a207c
SHA256 129f396e2e4d27b7dc34fdd9479472fd80844e8ace31bc21e53df0de7e2594fa
SHA512 b476a6b7bc04c6102b8f05f05de7b2945a498440983ba863222241ad0ca0e29a099182c3cffcf2c1cc99bfea04441476555a1f9f638d7d23338960229eb0337b

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 db2b4827570a979d529478453c03c366
SHA1 8a1f915a071871edadbf10fcd96f81a69d14a94b
SHA256 2cd745551a0d0bc43d8b9ff0ebbd50e1db56883eeef54c8749b066caeadc2f65
SHA512 e539edcce9908f370b31034610e6fc7f7091c1364937a12c77e8d4bc66d864a42d9b92242e710d454c23fb24b0050a8fbe4c1f91065ac12147dfec6c8d93ec52

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 dc26a24673f3caa5864be17231ed2a66
SHA1 bf76606ac47055699cc3020c5bb400371f45b3f1
SHA256 8b7b46f75870bf39376f55c725f8ecdb68f91779f30bf4d9497ab3aaaca9700c
SHA512 94e05ae0e4b13506d129ae5ce28029b8e5f3d8a32f348dbaa448fc5d8b608a1bd3581a59c865cd1fdefb71abcd7bbab760a83d0f90056830f4083ee29188febd

memory/2548-105-0x00000000002C0000-0x00000000002C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 a715a0d34d7ec7fa9f5aff82eed81d80
SHA1 66c97ae3b62b97d82d297084b89fb9d07834f4b8
SHA256 da3ad746e035af2fd207893ae5aa240b6c40271316f155253a986a60a0e82b85
SHA512 a2a8d6f84cac90290d3c29021e9db1be0d09a66941a934b7d7dfe023cb0a29f45c037cc2296d8f91a89576c78487b7ecdfc0a3d763c5c5b24219039d790c7ca7

C:\Users\Admin\AppData\Roaming\SaaYaa\data\visited.dat

MD5 b65cee416bb80fc56a7a1ca49026d58b
SHA1 7208b26f2a937c916fb5537d01d9ecdc7635e67b
SHA256 bd96cd681503cac276f6e5f7b7bc372d87bd2be2854065abc7dfc72ae04c77d6
SHA512 6d1bea14e205327138196394b091e5d828765e6e02f2b2e5c6378a3d84c18bf35ff38628596a08ecf0ee0ff67b8a3cf21608dad256469c69dabcdb8ff30fa9bb

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 f8c93a9d8a468091ba314af8f96bf3af
SHA1 11bd0a9b5afd9bdce792215c135f604829f848e1
SHA256 60cddc3655e43815f79e22d0f5e327323dcf38c364a87fa3f8f7adfbf0365c78
SHA512 741242ad49f0ba754b37c2c5aadf883a3a1733e14371e581a374a8b0ae754771a4ef53b2cb12e0fa533fbdecef939f44447d7eefde9dacb08cd6d1162372ca6b

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 531be4e9e9641c66f67a30cfc14b7fa9
SHA1 b8495979242c4095c67e42867bc9a8d869271edb
SHA256 d254eb42363abb1c05a6523d6562911cfc621f28389b9257ff802b39ed575700
SHA512 2eb1ef085e834d7ae3128920841b1585122cf88f87262e363dbb0008bad64886a11d02e214afc75091369341502b7628b375246cd19e755620c8517e27bbdf05

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 3bd7585cdb124643a8a097ee84c181a8
SHA1 a05b02e9a67b3ee90725c3b1d2c8003152501b56
SHA256 3ff61f4213208f1e943df5427223e076011c4d346ae83206a505869ec1866ee6
SHA512 2c6a3d398c1d8023d681fe39d8fb4575c4f49018f06896336c434acbb99d92fa5dcbc98937f31b4d89e72bfb75fbabe566fb45e830634c30c118775ea59a7dc8

C:\Users\Admin\AppData\Local\Temp\Cab1B51.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1B73.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Roaming\SaaYaa\data\visited.dat

MD5 a781a254b42d46d6f74e4fef8688981a
SHA1 34c05c471611c49a712681b35e0fcdf74999804d
SHA256 417eaf59f5ca6973b32d1719fedae3f7db942598d62af0b9581fe09d1a98ef5d
SHA512 dabff9423263115efac3cd4890d186e679bd378529914f07d3724d191dad3a889b11ee4f1e2ac0a2eefd6d831194f4248caabfde2bf7b9509ee3871ba0132d70

memory/2548-232-0x0000000000400000-0x0000000000610000-memory.dmp

memory/2548-234-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2548-235-0x0000000000400000-0x0000000000610000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 1484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 1484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 1484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe

"C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe"

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp
US 8.8.8.8:53 www.vista123.com udp

Files

memory/684-0-0x00007FFF671B5000-0x00007FFF671B6000-memory.dmp

memory/684-1-0x000000001B680000-0x000000001BB4E000-memory.dmp

memory/684-2-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

memory/684-3-0x000000001BBF0000-0x000000001BC8C000-memory.dmp

memory/684-4-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

memory/684-5-0x000000001B100000-0x000000001B108000-memory.dmp

memory/684-6-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

memory/684-7-0x0000000021380000-0x0000000021416000-memory.dmp

memory/684-8-0x0000000021770000-0x00000000217B8000-memory.dmp

memory/684-9-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

memory/684-10-0x0000000021CD0000-0x00000000221DE000-memory.dmp

memory/684-12-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

memory/684-13-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

memory/684-11-0x0000000022B80000-0x0000000022C26000-memory.dmp

memory/684-15-0x00007FFF671B5000-0x00007FFF671B6000-memory.dmp

memory/684-16-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

memory/684-17-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

memory/684-18-0x00007FFF66F00000-0x00007FFF678A1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 4052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 4052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4860 wrote to memory of 4052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4052 -ip 4052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4136 wrote to memory of 3220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4136 wrote to memory of 3220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4136 wrote to memory of 3220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3220 -ip 3220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 2728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 2728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 2728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 2728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 2728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 2728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 2728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Network

N/A

Files

memory/2728-0-0x00000000002A0000-0x00000000002E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0edc8e43c315a4fa36acd76db7a2c78_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsr3BFC.tmp\nsDialogs.dll

MD5 f2c993a0c726386d72e4640967cef83e
SHA1 efe88db252b5e9edff2d859e783fcf1a349e553f
SHA256 6739a2c8075cc383620a867e983957de0b4ae9ef0453baadd1469132893d7301
SHA512 3873a87ba360702c72a6d3e853a0b6f2df219593cf5436d12a9d4d169029e939993c45330212008b628184da64ae98d6a7ab42b30d5f82c896acfc89d558169f

C:\Users\Admin\AppData\Local\Temp\nsr3BFC.tmp\System.dll

MD5 c6f5b9596db45ce43f14b64e0fbcf552
SHA1 665a2207a643726602dc3e845e39435868dddabc
SHA256 4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0
SHA512 8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 1824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Network

Files

memory/1824-0-0x00000000006F0000-0x0000000000731000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe"

Network

Files

memory/2164-0-0x0000000000A50000-0x0000000000ADE000-memory.dmp

memory/2164-1-0x0000000000090000-0x0000000000092000-memory.dmp

memory/2164-2-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2164-3-0x0000000000A50000-0x0000000000ADE000-memory.dmp

memory/2164-10-0x0000000000A50000-0x0000000000ADE000-memory.dmp

memory/2164-14-0x0000000000A50000-0x0000000000ADE000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2324 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2324 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 612

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\SaaYaa.exe = "1" C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\SaaYaa.exe = "0" C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SaaYaa.exe = "9888" C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\SaaYaa.exe = "0" C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.htm C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe

"C:\Users\Admin\AppData\Local\Temp\SaaYaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files


Analysis: behavioral29

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240611-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe

"C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 564

Network

N/A

Files

memory/2444-0-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp

memory/2444-1-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

memory/2444-2-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

memory/2004-3-0x0000000000570000-0x0000000000571000-memory.dmp

memory/2444-4-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe"

Signatures

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\GoogleToolbarInstaller_download_signed.exe"

Network

Country Destination Domain Proto

Files

memory/3952-0-0x0000000000A90000-0x0000000000B1E000-memory.dmp

memory/3952-1-0x0000000001000000-0x0000000001002000-memory.dmp

memory/3952-2-0x0000000001130000-0x0000000001131000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Google Toolbar\gtm36CF.tmp

MD5 ab91439b02d6387149770b7a332c3f5a
SHA1 cdf2b3c9f1aad0563663b1740f3fd4f696d2e24d
SHA256 6334987095ba09d2868a22612bbe007574d089adc8b19632e297e8c577c81627
SHA512 bc8b68ac30d13643f6187423b39331bc01e3a804269cc35021bdaeef3f1bad1eae4f9933e0bf670ed980dad6fc491554b628a52de46296c986fe7e882984800c

memory/3952-18-0x0000000000A90000-0x0000000000B1E000-memory.dmp

memory/3952-21-0x0000000000A90000-0x0000000000B1E000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\SaaYaa.exe = "0" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SaaYaa.exe = "9888" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\SaaYaa.exe = "0" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\SaaYaa.exe = "1" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.HTTP\shell\ = "SaaYaa" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.AssocFile.HTM C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.htm C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.html C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\htmlfile C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\htmlfile\shell\SaaYaa\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\https C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\https\shell\SaaYaa\ = "用闪游浏览器打开" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\SaaYaa\ = "用闪游浏览器打开" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\SaaYaa\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\InternetShortcut\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\htmlfile\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\htmlfile\shell\SaaYaa C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\https\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\https\shell\SaaYaa C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\ftp C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SaaYaa.HTTP\DefaultIcon C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\SaaYaa.AssocFile.HTM\DefaultIcon C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.shtm\Content = "text/html" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\InternetShortcut\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\https\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IE.FTP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.HTTP\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.html\ = "htmlfile" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "mhtmlfile" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.FTP\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\SaaYaa.AssocFile.HTM\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\mhtmlfile\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.mhtml C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.FTP\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\https\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\https\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\SaaYaa.HTTP\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.mht C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "SaaYaa" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\IE.HTTPS\shell\SaaYaa C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\htmlfile\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\http\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\IE.HTTPS\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.FTP C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.url C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\SaaYaa C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\http\shell\SaaYaa\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\http\shell\SaaYaa C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.FTP\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.HTTP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\ftp\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.shtml\Content = "text/html" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\htmlfile\shell\SaaYaa\ = "用闪游浏览器打开" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\mhtmlfile\shell\SaaYaa C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\ftp\shell\open\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.HTTP\shell\open C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.HTTP\shell\SaaYaa C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.FTP\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\htmlfile\shell C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
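Read together, the registry rows above are a default-browser takeover performed entirely from a user-writable path. SaaYaa.exe adds a "SaaYaa" verb (labelled 用闪游浏览器打开, "Open with Shanyou browser", Shanyou being SaaYaa's Chinese name) under the http, https, ftp and IE.HTTP/IE.HTTPS/IE.FTP protocol ProgIDs and under htmlfile, mhtmlfile, .url and .mht, makes that verb the default for htmlfile, registers its own SaaYaa.HTTP ProgID, and sets itself as LocalServer32 for CLSID {0002DF01-0000-0000-C000-000000000046}, which is InternetExplorer.Application, so any COM activation of Internet Explorer starts SaaYaa.exe instead. Most of the writes land in the per-user Classes hive (\REGISTRY\USER\<SID>_Classes, i.e. HKCU\Software\Classes), which takes precedence over the HKLM copies, and every command value points at C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe. The script below is an added example, not part of the report: it parses a subset of these rows copied verbatim, sorts them into the hook categories just described (the categories and the user-writable path markers are this example's own choices), and reports whether any handler lives in a user-writable directory.

```python
"""Triage the registry rows above: which shell verbs, URL protocols, file types and
COM servers now point at SaaYaa.exe, and is that handler in a user-writable directory?
Added example; SAMPLE_EVENTS is copied from the report, the categories are ours."""
import re
from collections import Counter
from dataclasses import dataclass

IE_APP_CLSID = "{0002DF01-0000-0000-C000-000000000046}"   # InternetExplorer.Application
URL_PROTOCOLS = {"http", "https", "ftp", "ie.http", "ie.https", "ie.ftp"}
WEB_FILE_TYPES = {"htmlfile", "mhtmlfile", ".url", ".mht", ".shtml"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")   # assumed markers

KEY_CREATED = re.compile(r"^Key created (\S+) (\S+) N/A$")
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\S+) = "((?:[^"\\]|\\.)*)" (\S+) N/A$')
CLASSES_SUBPATH = re.compile(r"(?:\\|_)Classes\\(?:WOW6432Node\\)?(.*)$", re.IGNORECASE)

# Constructed input: seven of the rows listed above, verbatim.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\http\shell\SaaYaa\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SaaYaa.HTTP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\SaaYaa\\SaaYaa.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "SaaYaa" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\.shtml\Content = "text/html" C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\IE.FTP\shell\SaaYaa\command C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # which kind of hook the row installs
    hive: str      # HKCU (per-user Classes, wins over HKLM) or HKLM
    progid: str    # ProgID, protocol, extension or "CLSID" being hooked
    handler: str   # executable the hook now runs, "" when the row sets none


def parse_event(line):
    """Split one report row into (key, value data or None, acting process)."""
    if m := KEY_CREATED.match(line):
        return m.group(1), None, m.group(2)
    if m := SET_VALUE.match(line):
        return m.group(2), m.group(3), m.group(4)
    return None


def unescape(data):
    """Undo the report's C-style escaping of value data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def handler_from(data):
    """Executable named by a command value, or "" when the data is not a path."""
    if data is None:
        return ""
    cmd = unescape(data).strip()
    if not re.match(r'"?[A-Za-z]:\\', cmd):
        return ""
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def classify(key, data):
    """Map a key under Classes (plus value data, if any) to a Finding, or None."""
    m = CLASSES_SUBPATH.search(key)
    if not m:
        return None
    sub = m.group(1)
    low = sub.lower()
    progid = sub.split("\\")[0]
    hive = "HKCU" if key.upper().startswith("\\REGISTRY\\USER\\") else "HKLM"
    handler = handler_from(data)
    if IE_APP_CLSID.lower() in low and "localserver32" in low:
        kind = "com_server_override"       # CoCreateInstance of IE now runs the handler
    elif low.endswith("\\shell\\") and data is not None:
        kind = "default_verb_change"       # verb used on double-click / ShellExecute
    elif progid.lower() in URL_PROTOCOLS and "\\shell\\" in low:
        kind = "url_protocol_handler"
    elif progid.lower() in WEB_FILE_TYPES:
        kind = "web_file_association"
    elif handler and "\\shell\\" in low:
        kind = "custom_verb_handler"       # new ProgID (SaaYaa.HTTP) pointing at the binary
    else:
        return None
    return Finding(kind, hive, progid, handler)


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(report_text):
    """Return (findings, per-kind counts, handler executables, any user-writable handler)."""
    findings = []
    for line in report_text.strip().splitlines():
        parsed = parse_event(line.strip())
        if parsed is None:
            continue
        key, data, _process = parsed
        finding = classify(key, data)
        if finding:
            findings.append(finding)
    handlers = {f.handler for f in findings if f.handler}
    return findings, Counter(f.kind for f in findings), handlers, any(map(user_writable, handlers))


if __name__ == "__main__":
    found, counts, exes, writable = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.kind:22} {f.hive:4} {f.progid:12} {f.handler}")
    print(dict(counts), exes, "user-writable handler:", writable)
```

The same parser runs over the full row list; on a live host the equivalent check is to read HKCU\Software\Classes for the same ProgIDs and CLSID and compare each command value against Program Files and Windows paths.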

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\saayaasetup_5.exe"

C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe

"C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe" "SetDefaultExplorer-1"

C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe

"C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.saayaa.com udp
US 8.8.8.8:53 www.6655.com udp
CN 180.76.51.48:80 www.saayaa.com tcp
JP 156.238.15.43:80 www.6655.com tcp
JP 156.238.15.43:443 www.6655.com tcp
NL 23.62.61.147:443 www.bing.com tcp
US 8.8.8.8:53 43.15.238.156.in-addr.arpa udp
US 8.8.8.8:53 147.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 52.182.143.211:443 tcp
PL 93.184.221.240:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
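The table mixes three kinds of row: forward DNS queries to the resolver at 8.8.8.8, reverse (in-addr.arpa) queries for addresses, and the TCP connections themselves, two of which carry no name. The script below is an added example, not part of the report: it parses the table as printed, decodes each PTR name back to the address it asks about, and correlates the two, so the analyst can see which names the sample itself resolved and connected to (www.saayaa.com at 180.76.51.48, www.6655.com at 156.238.15.43) and which reverse-looked-up addresses never appear as a connection in the table (192.229.221.95, 104.18.38.233, 52.111.227.14). Treating 8.8.8.8:53 as the resolver rather than a destination is this example's assumption.

```python
"""Turn the Network table above into destinations and DNS activity, decode the
in-addr.arpa queries and correlate them with the connections actually listed.
Added example; NETWORK_ROWS is the table above, copied verbatim."""
import re
from dataclasses import dataclass

RESOLVER = "8.8.8.8"   # assumed: the run's DNS resolver, not a contacted destination
ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
PTR_SUFFIX = ".in-addr.arpa"

# Constructed input: the thirteen rows of the Network table above.
NETWORK_ROWS = """
US 8.8.8.8:53 www.saayaa.com udp
US 8.8.8.8:53 www.6655.com udp
CN 180.76.51.48:80 www.saayaa.com tcp
JP 156.238.15.43:80 www.6655.com tcp
JP 156.238.15.43:443 www.6655.com tcp
NL 23.62.61.147:443 www.bing.com tcp
US 8.8.8.8:53 43.15.238.156.in-addr.arpa udp
US 8.8.8.8:53 147.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 52.182.143.211:443 tcp
PL 93.184.221.240:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
"""


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str   # "" when the report prints no name for the destination
    proto: str


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Row(m.group(1), m.group(2), int(m.group(3)), m.group(4) or "", m.group(5)))
    return rows


def ptr_to_ip(name):
    """'43.15.238.156.in-addr.arpa' -> '156.238.15.43'; None for a forward name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def correlate(rows):
    """Separate DNS activity from connections and cross-reference the PTR queries."""
    forward, ptr_ips, contacted, nameless = set(), set(), {}, set()
    for r in rows:
        if r.ip == RESOLVER and r.port == 53:
            ip = ptr_to_ip(r.domain)
            if ip:
                ptr_ips.add(ip)
            else:
                forward.add(r.domain)
            continue
        contacted.setdefault(r.ip, set())
        if r.domain:
            contacted[r.ip].add(r.domain)
        else:
            nameless.add(r.ip)   # connection the report could not tie to a DNS answer
    return {
        "forward_queries": forward,
        "contacted": contacted,                          # ip -> names seen for it
        "direct_ip_connections": nameless,
        "ptr_without_connection": ptr_ips - set(contacted),
    }


if __name__ == "__main__":
    for key, value in correlate(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```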

Files

C:\Users\Admin\AppData\Local\Temp\nsb88E9.tmp\System.dll

MD5 c6f5b9596db45ce43f14b64e0fbcf552
SHA1 665a2207a643726602dc3e845e39435868dddabc
SHA256 4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0
SHA512 8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

memory/4972-14-0x00000000021C0000-0x0000000002201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsb88E9.tmp\processwork.dll

MD5 0a4fa7a9ba969a805eb0603c7cfe3378
SHA1 0f018a8d5b42c6ce8bf34b4a6422861c327af88c
SHA256 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
SHA512 e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

C:\Users\Admin\AppData\Roaming\SaaYaa\SaaYaa.exe

MD5 c22225dbb3c1ea89a5ad348b64901d68
SHA1 ad1b47692e30c8cc8fcd53dc806ea9bcd7173215
SHA256 e387b0a9abe7e2092952a7894079a404d0cb0c122cd22fd80b6fe7a315028ed4
SHA512 924de9454b2fd5d3a6a45e1917665dcd62254f8a96bf129703c278b4ac832edc0fdcc7d083ba4ec9ffc3c789b859a3a1107f029c284afe29e51ca7115ef82338

memory/440-34-0x0000000000400000-0x0000000000610000-memory.dmp

memory/440-36-0x0000000000400000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 c52cfd12cb27454eddc5cd0a34b89e99
SHA1 a8690f074058fbb2122bdb2b7bbb6a53c62e4ea8
SHA256 b5f7c093669748c266eb55cecd428feacfe4dbf1957711b0a49cc0683c5a103c
SHA512 666310fca489a0bad13fd8b5a95a4f35ca4f1a21d79ddcb955058ded2a3df9e2ec299631832f9b7fbfb5255c2395662a624878bed9b449893fa15c4a23cf1838

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 6d5b9c555b8dd599cdda1c34f68ed083
SHA1 11d5f8b56b235388c174cd39e5024c5f5fb2fcaa
SHA256 cb6c8bced2bd52a4d5914b7f0a6ded257f48d02a7eebaa81687f4b9727ef236a
SHA512 00b2f886a4929f94b1be3a26c65eb87f7387d335de25af1a99c814dd8586c748677ddffba492809d2acb98558261d41b134100efe2fef9b5fcdb988b382a8fc1

C:\Users\Admin\AppData\Roaming\SaaYaa\data\favorite.dat

MD5 433c4330b62c09c6e59e3a1326ced0d6
SHA1 84c7c26f5e6fb1deacb6ecea79709506678a207c
SHA256 129f396e2e4d27b7dc34fdd9479472fd80844e8ace31bc21e53df0de7e2594fa
SHA512 b476a6b7bc04c6102b8f05f05de7b2945a498440983ba863222241ad0ca0e29a099182c3cffcf2c1cc99bfea04441476555a1f9f638d7d23338960229eb0337b

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 b4e849115a701967501e256ccf18b8a4
SHA1 2d01592c172572e6c2ddd1aa9502e39714826652
SHA256 10c517fb94946ef486116b236768d2e9598633109487fd087a9284c3804b8f98
SHA512 f8d085b0e99d9f86792885cc39e140f0340cff5e3e23b3744f63cdc0a276aa08eff93cb5b1ec079baf9f36086fb845f89c8f1c2ecdacbe9da5991f7dd0a63a45

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 f4ef5f05f80c7a9e2e9a928c3e049147
SHA1 ef455dde88292e7e200394783682e0d4affe181d
SHA256 11c26cdb373e08d96d49ab424b020c25a38e4e5ebdbbc25ac4f37c398c8622e8
SHA512 0a42486ff245dfae8f4d2d984527657c3a2ab315b866f1544d5b8664d0e970370f683ddc68ada930524b7972e6ed327d18586681c43688d80386f4e88d5bbc00

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 78875f5edb1d8ab7a98a343b8e013e83
SHA1 c57a71e8683ec1199ee9dede7825ce80d493efc7
SHA256 829de34b17ee3e34501cd172018a2a7769506f9e145b39dea3389e65d251bb56
SHA512 719d7b1a3fcbccdc9249607b9b9a43b382be6d0d2380a92b9713a08676446b05c8e99820ce3b338b46fff7cf509e6974f051f2b98003a4f1966be9a3d0e5769a

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 4064c7f6a104261c784029304efa923e
SHA1 bd4f5dff3f95cf9f6873af33a148cfc93093f9ce
SHA256 f3fa6d769acb3d64f682e02b1ac533837bf1d707b602bbd7bfca51734b7c684d
SHA512 407eb35f4a27f4704d05ed3537a60fb022b8b6aa03ad17fc150e8408192474a7e18f69d41c9d283b479183dba451ad7967cdb1cffe29eb35dca7691086304658

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 d47f951345e4c2e473440a51c14b26b0
SHA1 71488d1614f1537dc538d591f1e5de192234417b
SHA256 f1f9eb8b68a546fc495a2ba2066799e74c4331a9e41ef37b4f9466c5a55876c8
SHA512 fca0b0f34e169f75fc4fe34deb7539e3bce98322d2e89ec9dd5e1299e92a5af0b76c8befb55caf1f34f69ce4319d43fe827f0cb0a499661526b461751e487a7c

C:\Users\Admin\AppData\Roaming\SaaYaa\data\visited.dat

MD5 27c347a1e21eb1b4f59bdb8207300079
SHA1 c52c99597d8715c9e0412abc0730c70764a52f08
SHA256 30084d8cde7d7b5958921a4210dcfc9b562894dab73ecdcda35fb1862adce032
SHA512 9f77250bac2c0663c0a2b6246a1fdb3a45c8595cdc87fe95c3aa3b13181af5e48c3d0545eb2b216047086cc7eaae481eacffb8ba58902876512bdecb2ec4ea44

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 f3f76e1a378724af5733f9a9f862696e
SHA1 428b9f5db6c20e953cc487bee8e20e7e258ee2d2
SHA256 ecdf54455485cf0a4982f7ee4cc1396d98d3493f17d3342bcaf98bf35106bf81
SHA512 9c1ae75d50dc6228e730aed2f1ec1379788d4ed91a0cf8956973e9c12e80ea6c6c95d99041ceeec83c92bc3eeb6a3966c536d0b4457136777c18aed9a7499ea4

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 79d7dfdf85b3e0ef9e35669b94ba9dbd
SHA1 a471faff1dcf8788c9374cc761cbccb90c515ced
SHA256 1e687dabd10f68206001f8685eeabe4bcba25742b4208d3b87acffba6cd1d62a
SHA512 fa1e0f0bc7cff679bec50bd9a96f7d18bbdcb95bf10455d0c5f730a1115646c3d1a265d719439776ca8fcec582bf09d54393682c9bd4b7e7161bd1ea28a57d70

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 819703cf333f1c54733c0bd3086c6320
SHA1 e952c03374d5d120d6faaada2ac4a428512d604d
SHA256 94b622204f6c2558798679beb0e70af97a502eacff64d6d15a671c2f404d8634
SHA512 b5c647e37d7bf3192e9cc3b9e7ea7f369b89c6859511eab1aab5a0ba666dd05eb682430f3e23e97485f5c7d7faaa1187f96245126b488cd0723060419dbee54a

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 28529df04345ba64579784d2ff65a004
SHA1 741aef22fe2a6e96482e180f55de767583f8f08a
SHA256 5e8c9c49ebc29629ddba26ac6812ab7eb5a52cd1e1b212de4dc43cb4eabb8856
SHA512 eea318f6b77d071e71d59f50c130bfaa636bf0a47c01dc6b8dfba0fa47341564bd4a349710718a2013a06cd8da3f176828026589c4f9c962acffbea1b3ef2f42

C:\Users\Admin\AppData\Roaming\SaaYaa\data\config.dat

MD5 5b9917cb0f49040f8352586a07f60803
SHA1 5db28e7bec6adfc60de3c4dc759fec08f8143ddf
SHA256 20fcb5c3aa2bce7295ad090a8dec0d74566929410a479c9522ca72e02b759e9d
SHA512 d440bc05e7e7e55310ce3b6afa14be8e8121962176c2cfcad9bdd80f48d81efeca6536fab7f0d6b3b15d4bd554ab1873ad804a4c2e860494113a56cc83dbc6d6

C:\Users\Admin\AppData\Roaming\SaaYaa\data\visited.dat

MD5 6b9434ff4a81a1ccf58abcd56a8553d3
SHA1 badd1f0bf8369c1027870a907e6cafd849182a85
SHA256 e91a53a3efbd5ae78bbb191c25d34d760b49c8098e74983c3502b7d105fd1f6a
SHA512 6120706bc0e246184a7ac64740a8763dbdcb5f0fc0a90ab3502ffbe5908c5e4527340f1cbecdac47e52bf14c2aaaa9667caf32a66be00f57137435bda0c25f29

memory/3928-384-0x0000000000400000-0x0000000000610000-memory.dmp

memory/3928-386-0x0000000000400000-0x0000000000610000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1416 wrote to memory of 4808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1416 wrote to memory of 4808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1416 wrote to memory of 4808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 612

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240508-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 244

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2604 wrote to memory of 2588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2588 -ip 2588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 612

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-12 14:03

Reported

2024-06-12 14:06

Platform

win7-20240508-en

Max time kernel

117s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 224

Network

N/A

Files

N/A
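The four runs above (behavioral18, behavioral3, behavioral6, behavioral17) are the sandbox detonating NSIS plugins that the installer extracted into $PLUGINSDIR (StartMenu.dll, InstallOptions.dll) by calling export #1 through rundll32. On the 64-bit platform the System32 rundll32 re-launches its SysWOW64 copy because the plugin is a 32-bit DLL (the three WriteProcessMemory rows from PID 1416 into 4808, and 2604 into 2588, are consistent with that child being set up), and the 32-bit copy then crashes under WerFault: an NSIS plugin export expects the installer's variable block and stack as arguments, which rundll32 does not pass. That makes these runs crash noise rather than plugin behaviour, but the pattern itself, rundll32 loading a DLL by ordinal from a user-writable Temp directory, is worth a detection on real hosts. The script below is an added example, not part of the report: it runs that check over process events constructed from the behavioral18 rows (PIDs 1416 and 4808 and the command lines are from the report; the parent PID and the two WerFault PIDs are assumed), recognises the WoW64 re-launch, and ties each WerFault -p argument back to the crashed process.

```python
"""Flag rundll32 loading a DLL by ordinal from a user-writable installer scratch
directory, and tie the WerFault crash report back to that process. Added example;
PIDs 1416/4808 and the command lines come from behavioral18, the rest is assumed."""
import re
from dataclasses import dataclass

RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.IGNORECASE)
WERFAULT_PID = re.compile(r"\s-p\s+(\d+)")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PLUGIN = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1"
# Constructed from the behavioral18 process list; parent PID 700 and the two
# WerFault PIDs (5100, 5120) are assumptions, the report does not list them.
EVENTS = [
    ProcEvent(1416, 700, r"C:\Windows\system32\rundll32.exe", PLUGIN),
    ProcEvent(4808, 1416, r"C:\Windows\SysWOW64\rundll32.exe", PLUGIN),
    ProcEvent(5100, 4808, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4808 -ip 4808"),
    ProcEvent(5120, 4808, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 612"),
    # benign control: a system DLL called by name from System32 must not fire
    ProcEvent(6000, 700, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]


def parse_rundll32(cmdline):
    """(dll, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_ARGS.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def rundll32_reasons(ev):
    """Why this rundll32 invocation is suspicious; empty list when it is not."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32(ev.cmdline)
    if not parsed:
        return []
    dll, export = parsed
    reasons = []
    if any(marker in dll.lower() for marker in USER_WRITABLE):
        reasons.append("dll_in_user_writable_dir")
    if "$pluginsdir" in dll.lower():
        reasons.append("nsis_plugin_dir")          # NSIS installer scratch directory
    if re.fullmatch(r"#\d+", export):
        reasons.append("ordinal_export")           # no export name to reason about
    return reasons


def wow64_relaunch(ev, by_pid):
    """True when a System32 rundll32 spawned a SysWOW64 rundll32 with the same arguments."""
    parent = by_pid.get(ev.ppid)
    return (parent is not None
            and parent.image.lower().endswith("\\system32\\rundll32.exe")
            and ev.image.lower().endswith("\\syswow64\\rundll32.exe")
            and parent.cmdline == ev.cmdline)


def crash_victims(events):
    """Map each PID named by a WerFault '-p <pid>' to the WerFault events reporting it."""
    victims = {}
    for ev in events:
        if ev.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(ev.cmdline)
            if m:
                victims.setdefault(int(m.group(1)), []).append(ev)
    return victims


def triage(events):
    """pid -> list of reasons, for every rundll32 event that fires at least one check."""
    by_pid = {ev.pid: ev for ev in events}
    victims = crash_victims(events)
    findings = {}
    for ev in events:
        reasons = rundll32_reasons(ev)
        if not reasons:
            continue
        if wow64_relaunch(ev, by_pid):
            reasons.append("wow64_relaunch_of_32bit_dll")
        if ev.pid in victims:
            reasons.append("crashed_under_werfault")
        findings[ev.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, ", ".join(reasons))
```

The benign control row shows the rule's intended scope: rundll32 calling a named export of a DLL found on the normal search path is everyday Windows activity, and the signal here is the combination of a Temp path and an ordinal, not rundll32 by itself.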