Analysis Overview
SHA256
21ad01dc4e71eaabdbb4bc20c1e3caf42d930b6c5dc2ef8fd730dd53784ab0e3
Threat Level: Shows suspicious behavior
The file a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 13:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win7-20240611-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 428 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 428 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 428 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win7-20240611-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 240
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 936 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 936 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 936 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2152 -ip 2152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win7-20240419-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win7-20240220-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Finalize = "C:\\Users\\Admin\\AppData\\Roaming\\InstallW\\Full_Setup.exe /runonce" | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe |
| PID 2192 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe |
| PID 2192 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe |
| PID 2192 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe
C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe install
C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe
C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | data.biphysics.com | udp |
| US | 44.221.84.105:80 | data.biphysics.com | tcp |
| US | 44.221.84.105:80 | data.biphysics.com | tcp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| LT | 93.115.28.104:80 | www.download-servers.com | tcp |
| US | 8.8.8.8:53 | ww1.download-servers.com | udp |
| US | 199.59.243.226:80 | ww1.download-servers.com | tcp |
| US | 44.221.84.105:80 | data.biphysics.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsiC42.tmp\t1.dll
| MD5 | 058ba8a0916d957d3b91d08ea2e876e2 |
| SHA1 | 1a7c36c50c5bd93f535b624a2882bc3905e7e7f3 |
| SHA256 | 510af8083c0eef8b04e1171a9d6d94c64a1859701bbb106c565d2ec869437661 |
| SHA512 | 24124b45bf42e186a06fcb71ca7e2c1fed3b762b681286185d7cdff53b3800c35b6326a6f21c82e9de59d8bbcb3fdab4a5c1cc9c8683e43ff230b07913d26f02 |
\Users\Admin\AppData\Local\Temp\nsiC42.tmp\WmiInspector.dll
| MD5 | 8531346d16fa5d4768f6530d2eb2b65c |
| SHA1 | 153601d36aa0ddfbc597b1e890917364878791ca |
| SHA256 | a9347413de4b0f90cac0b5e300cec9c867bdb28bd7a60d07b10fd31ee56c60cb |
| SHA512 | f214e75de20edeb7eece02659fd7dafc8c3d63c2350c58825bc6e9ce0b73237962d8273b4bc803a2f304cee9f9cad1cd4edab28322c1e678bc25eb88faa6a841 |
\Users\Admin\AppData\Local\Temp\nsiC42.tmp\inetc.dll
| MD5 | f02155fa3e59a8fc48a74a236b2bb42e |
| SHA1 | 6d76ee8f86fb29f3352c9546250d940f1a476fb8 |
| SHA256 | 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999 |
| SHA512 | 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399 |
memory/2192-18-0x0000000002C00000-0x0000000002C01000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsiC42.tmp\IpConfig.dll
| MD5 | a3ed6f7ea493b9644125d494fbf9a1e6 |
| SHA1 | ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8 |
| SHA256 | ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08 |
| SHA512 | 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1 |
memory/2192-54-0x0000000002150000-0x000000000216C000-memory.dmp
\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe
| MD5 | 79cd0ba3574f3decd2d424fac08025c4 |
| SHA1 | 9c0429c61127ebfd147bff40f6439b50fd2fac29 |
| SHA256 | 8eea14b5404a475245bf79e30c09c59848f1fd5c71535db1e3473a7c4107c801 |
| SHA512 | 39538f6747a74fe719b371f854d7b349f6c23cf7f80a94ffc4fd68d3d088f137989ef9e05c26e722578cab10c87e7128d80ff73c7e8bfebfd334d5282a9e5fed |
memory/2192-78-0x0000000002C00000-0x0000000002C01000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Loads dropped DLL
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | data.biphysics.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | data.biphysics.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
| US | 8.8.8.8:53 | www.download-servers.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsd4E03.tmp\t1.dll
| MD5 | 058ba8a0916d957d3b91d08ea2e876e2 |
| SHA1 | 1a7c36c50c5bd93f535b624a2882bc3905e7e7f3 |
| SHA256 | 510af8083c0eef8b04e1171a9d6d94c64a1859701bbb106c565d2ec869437661 |
| SHA512 | 24124b45bf42e186a06fcb71ca7e2c1fed3b762b681286185d7cdff53b3800c35b6326a6f21c82e9de59d8bbcb3fdab4a5c1cc9c8683e43ff230b07913d26f02 |
C:\Users\Admin\AppData\Local\Temp\nsd4E03.tmp\WmiInspector.dll
| MD5 | 8531346d16fa5d4768f6530d2eb2b65c |
| SHA1 | 153601d36aa0ddfbc597b1e890917364878791ca |
| SHA256 | a9347413de4b0f90cac0b5e300cec9c867bdb28bd7a60d07b10fd31ee56c60cb |
| SHA512 | f214e75de20edeb7eece02659fd7dafc8c3d63c2350c58825bc6e9ce0b73237962d8273b4bc803a2f304cee9f9cad1cd4edab28322c1e678bc25eb88faa6a841 |
C:\Users\Admin\AppData\Local\Temp\nsd4E03.tmp\inetc.dll
| MD5 | f02155fa3e59a8fc48a74a236b2bb42e |
| SHA1 | 6d76ee8f86fb29f3352c9546250d940f1a476fb8 |
| SHA256 | 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999 |
| SHA512 | 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4664 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4664 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4664 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 632
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 824 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 824 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 824 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4284 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\IWsrv.exe
"C:\Users\Admin\AppData\Local\Temp\IWsrv.exe"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\IWsrv.exe
"C:\Users\Admin\AppData\Local\Temp\IWsrv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5108 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5108 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5108 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 376 -ip 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 13:02
Reported
2024-06-13 13:04
Platform
win7-20240220-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 232