Malware Analysis Report

2024-10-10 12:07

Sample ID 240613-p9vgtszdmb
Target a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118
SHA256 21ad01dc4e71eaabdbb4bc20c1e3caf42d930b6c5dc2ef8fd730dd53784ab0e3
Tags

discovery persistence

Score

7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

7/10

SHA256

21ad01dc4e71eaabdbb4bc20c1e3caf42d930b6c5dc2ef8fd730dd53784ab0e3

Threat Level: Shows suspicious behavior

The file a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 13:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win7-20240611-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 428 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 428 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 428 wrote to memory of 1348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 624

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.160:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win7-20240611-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 240

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 936 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 936 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 936 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp
NL | 23.62.61.89:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2052 wrote to memory of 2104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win7-20240220-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Finalize = "C:\\Users\\Admin\\AppData\\Roaming\\InstallW\\Full_Setup.exe /runonce" | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe

C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe install

C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe

C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | data.biphysics.com | udp
US | 44.221.84.105:80 | data.biphysics.com | tcp
US | 44.221.84.105:80 | data.biphysics.com | tcp
US | 8.8.8.8:53 | www.download-servers.com | udp
LT | 93.115.28.104:80 | www.download-servers.com | tcp
US | 8.8.8.8:53 | ww1.download-servers.com | udp
US | 199.59.243.226:80 | ww1.download-servers.com | tcp
US | 44.221.84.105:80 | data.biphysics.com | tcp

Files

\Users\Admin\AppData\Local\Temp\nsiC42.tmp\t1.dll

MD5 058ba8a0916d957d3b91d08ea2e876e2
SHA1 1a7c36c50c5bd93f535b624a2882bc3905e7e7f3
SHA256 510af8083c0eef8b04e1171a9d6d94c64a1859701bbb106c565d2ec869437661
SHA512 24124b45bf42e186a06fcb71ca7e2c1fed3b762b681286185d7cdff53b3800c35b6326a6f21c82e9de59d8bbcb3fdab4a5c1cc9c8683e43ff230b07913d26f02

\Users\Admin\AppData\Local\Temp\nsiC42.tmp\WmiInspector.dll

MD5 8531346d16fa5d4768f6530d2eb2b65c
SHA1 153601d36aa0ddfbc597b1e890917364878791ca
SHA256 a9347413de4b0f90cac0b5e300cec9c867bdb28bd7a60d07b10fd31ee56c60cb
SHA512 f214e75de20edeb7eece02659fd7dafc8c3d63c2350c58825bc6e9ce0b73237962d8273b4bc803a2f304cee9f9cad1cd4edab28322c1e678bc25eb88faa6a841

\Users\Admin\AppData\Local\Temp\nsiC42.tmp\inetc.dll

MD5 f02155fa3e59a8fc48a74a236b2bb42e
SHA1 6d76ee8f86fb29f3352c9546250d940f1a476fb8
SHA256 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999
SHA512 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

memory/2192-18-0x0000000002C00000-0x0000000002C01000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsiC42.tmp\IpConfig.dll

MD5 a3ed6f7ea493b9644125d494fbf9a1e6
SHA1 ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
SHA256 ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
SHA512 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

memory/2192-54-0x0000000002150000-0x000000000216C000-memory.dmp

\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe

MD5 79cd0ba3574f3decd2d424fac08025c4
SHA1 9c0429c61127ebfd147bff40f6439b50fd2fac29
SHA256 8eea14b5404a475245bf79e30c09c59848f1fd5c71535db1e3473a7c4107c801
SHA512 39538f6747a74fe719b371f854d7b349f6c23cf7f80a94ffc4fd68d3d088f137989ef9e05c26e722578cab10c87e7128d80ff73c7e8bfebfd334d5282a9e5fed

memory/2192-78-0x0000000002C00000-0x0000000002C01000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | N/A
(the row above is repeated 28 times in the report, one per DLL load event)

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | data.biphysics.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | data.biphysics.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp
US | 8.8.8.8:53 | www.download-servers.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsd4E03.tmp\t1.dll

MD5 058ba8a0916d957d3b91d08ea2e876e2
SHA1 1a7c36c50c5bd93f535b624a2882bc3905e7e7f3
SHA256 510af8083c0eef8b04e1171a9d6d94c64a1859701bbb106c565d2ec869437661
SHA512 24124b45bf42e186a06fcb71ca7e2c1fed3b762b681286185d7cdff53b3800c35b6326a6f21c82e9de59d8bbcb3fdab4a5c1cc9c8683e43ff230b07913d26f02

C:\Users\Admin\AppData\Local\Temp\nsd4E03.tmp\WmiInspector.dll

MD5 8531346d16fa5d4768f6530d2eb2b65c
SHA1 153601d36aa0ddfbc597b1e890917364878791ca
SHA256 a9347413de4b0f90cac0b5e300cec9c867bdb28bd7a60d07b10fd31ee56c60cb
SHA512 f214e75de20edeb7eece02659fd7dafc8c3d63c2350c58825bc6e9ce0b73237962d8273b4bc803a2f304cee9f9cad1cd4edab28322c1e678bc25eb88faa6a841

C:\Users\Admin\AppData\Local\Temp\nsd4E03.tmp\inetc.dll

MD5 f02155fa3e59a8fc48a74a236b2bb42e
SHA1 6d76ee8f86fb29f3352c9546250d940f1a476fb8
SHA256 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999
SHA512 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4664 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.72:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 824 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 824 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 824 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\t1.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4284 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
GB | 23.44.234.16:80 |  | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 13.107.253.64:443 |  | tcp
US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp
NL | 52.142.223.178:80 |  | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IWsrv.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\IWsrv.exe

"C:\Users\Admin\AppData\Local\Temp\IWsrv.exe"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IWsrv.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\IWsrv.exe

"C:\Users\Admin\AppData\Local\Temp\IWsrv.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5108 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 376 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 376 -ip 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 225.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 13:02

Reported

2024-06-13 13:04

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 232

Network

N/A

Files

N/A