Malware Analysis Report

2024-10-10 12:09

Sample ID 240613-sgegpaxhnp
Target a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118
SHA256 e17b42395fa01c19748960be047473e10a3ce9de5b60198bbb44035b6b10bb95
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e17b42395fa01c19748960be047473e10a3ce9de5b60198bbb44035b6b10bb95

Threat Level: Shows suspicious behavior

The file a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 15:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1084 wrote to memory of 952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1084 wrote to memory of 952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20240221-en

Max time kernel

141s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitrope.com udp
US 54.161.222.85:80 bitrope.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 172.67.70.191:443 www.hugedomains.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsiD2B.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

\Users\Admin\AppData\Local\Temp\nsiD2B.tmp\inetc.dll

MD5 1fc1fbb2c7a14b7901fc9abbd6dbef10
SHA1 4d9ed86f31075a3d3f674ff78f39c190a4098126
SHA256 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e
SHA512 76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

\Users\Admin\AppData\Local\Temp\nsiD2B.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4484 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4484 wrote to memory of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3924 -ip 3924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 88.221.83.211:443 www.bing.com tcp
US 8.8.8.8:53 211.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20240611-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1732 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3224 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3224 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3224 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SkinMagic.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 232

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 700 wrote to memory of 1360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 700 wrote to memory of 1360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 700 wrote to memory of 1360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1360 -ip 1360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 33.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe

"C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe"

Network

Files

memory/3344-1-0x0000000000BA0000-0x0000000000C2A000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20240220-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe

"C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe"

Network

N/A

Files

memory/840-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

memory/840-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

memory/840-2-0x00000000747C0000-0x0000000074D6B000-memory.dmp

memory/840-3-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 220

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20240611-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 240

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20240220-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe

"C:\Users\Admin\AppData\Local\Temp\BitRope P2P Accelerator.exe"

Network

N/A

Files

memory/2820-0-0x0000000000300000-0x000000000038A000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 884 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 884 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 884 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3500 -ip 3500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 624

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe

"C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2608-0-0x0000000074822000-0x0000000074823000-memory.dmp

memory/2608-1-0x0000000074820000-0x0000000074DD1000-memory.dmp

memory/2608-2-0x0000000074820000-0x0000000074DD1000-memory.dmp

memory/2608-4-0x0000000074820000-0x0000000074DD1000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\packet.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a62c1ee3e9a381f5ea7932bf0890a5ab_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitrope.com udp
US 52.86.6.113:80 bitrope.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 113.6.86.52.in-addr.arpa udp
US 8.8.8.8:53 191.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
BE 2.17.107.131:443 www.bing.com tcp
US 8.8.8.8:53 131.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsv3B64.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\Temp\nsv3B64.tmp\inetc.dll

MD5 1fc1fbb2c7a14b7901fc9abbd6dbef10
SHA1 4d9ed86f31075a3d3f674ff78f39c190a4098126
SHA256 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e
SHA512 76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

C:\Users\Admin\AppData\Local\Temp\nsv3B64.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe"

Signatures

Checks installed software on the system

discovery

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
PID 1608 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
PID 1608 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
PID 1608 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
PID 1608 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
PID 1608 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
PID 1608 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe
PID 2876 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe
PID 2876 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe
PID 2876 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe
PID 2876 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe"

C:\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe

.\installer.exe

C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe

C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe husertype=Admin

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 flow.lavasoft.com udp
US 8.8.8.8:53 flow.lavasoft.com udp

Files

\Users\Admin\AppData\Local\Temp\7zS84652936\installer.exe

MD5 79e0c128a1ebbf0de98f4bd18c523f70
SHA1 53541473d3f27066170452e95da8516e39f1c947
SHA256 a230720e5a75d7ee763b9f740e51fd2a3e5d29f9c053e9f9c7f2814718a5dd7b
SHA512 166fb07d17a34e07ea90e75f41d5db4ee292c487798bbc286e6b3778c8049942026a205443caa5c5763b3ea890dc1956a584e687564d017db0ed3d0bf93e76ca

C:\Users\Admin\AppData\Local\Temp\7zS84652936\BundleConfig.xml

MD5 c0a417b3394c1f645bde55008662cf86
SHA1 b9034daf2a7080cb7ebf57e33f3867202fe2d4e9
SHA256 35a59daed91192145f06fbeda58938613ada800027008566fd15446cdd4ebd9d
SHA512 47324c80eb0f8076287bf4fb7e5ea543ebedc654190d543416d20037ccb1b0163a122d3dab6b83ea450545cd76b76589f8a53af3eff3da4d77682c0906d23c14

C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe.config

MD5 40e903f70b1412febaa4b889092bdd4f
SHA1 636fbfebf16dbb61be458614295d715783d06744
SHA256 d335033bc27c28ae3a4e22313d4c26f9b3f6b78c44acef4a2d8ba3c5a5d9f9a1
SHA512 c1defae5579282facdf91396a8ef2da299f1860580cf804a30b939fddebbfa75327ff82dbe1aa2c302303de963248eee73c2524c36ee39a651502fcff4aefc60

\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe

MD5 a9aa4270caa788444d552f2d3578e539
SHA1 bf9f679b34742698ba5321f257522c88f61c6e38
SHA256 347ed24929f54062ef229bad598f5184ed3d601de3f3da8912c6c964c57100c1
SHA512 39c9bd2f323b2a4c9470a1e3d52259389fb3f97cd6c37ab4732a002cdda68a40385fdc055982600259b08d84d1fb79da7b5a71758ec7a595bf5b8eccc28e5ea1

C:\Users\Admin\AppData\Local\Temp\7zS84652936\GenericSetup.exe.config

MD5 76ef253427ea5f0150850f4197ad39ff
SHA1 fd19dbbb2013d42993205a4d2a4c0ee574c62f77
SHA256 efa7b32246dc3bf588454d629695f4a7f292d95ce42c927584e62facfffef062
SHA512 5a0e913f98b4ddf9a63f6ba33b07705cb946151067252c5f6e49ab66c94d423bee9f84d9b732ff0df77fb7cd0f058de0d001bba81bfec88e2307cac4ce33123a

memory/1192-39-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

memory/1192-41-0x0000000000260000-0x0000000000270000-memory.dmp

memory/1192-43-0x0000000001E50000-0x0000000001EB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS84652936\DevLib.dll

MD5 6ef90166cd0485d28f9041d95c1893a9
SHA1 be16f54ff32b3a15fc8ee22fa8cdcf783c196c9b
SHA256 b1e20529054b4f884e6e60eb0159a38520a36d90a57f3384e12f7f4351ea2ebe
SHA512 cd849a4555bec3befd78ca5ce582e899fe08d75093a6e69f6ce1de1081471a4f9aba912a8ee5947a9ff6b29a25f403058ba22c32adbdd6b05ff014ff7d65a75a

memory/1192-44-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

memory/1192-49-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

memory/1192-50-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 15:05

Reported

2024-06-13 15:08

Platform

win10v2004-20240508-en

Max time kernel

40s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe"

Signatures

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PW001.exe"

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe

.\installer.exe

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe husertype=Admin

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 flow.lavasoft.com udp
US 8.8.8.8:53 flow.lavasoft.com udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\installer.exe

MD5 79e0c128a1ebbf0de98f4bd18c523f70
SHA1 53541473d3f27066170452e95da8516e39f1c947
SHA256 a230720e5a75d7ee763b9f740e51fd2a3e5d29f9c053e9f9c7f2814718a5dd7b
SHA512 166fb07d17a34e07ea90e75f41d5db4ee292c487798bbc286e6b3778c8049942026a205443caa5c5763b3ea890dc1956a584e687564d017db0ed3d0bf93e76ca

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\BundleConfig.xml

MD5 c0a417b3394c1f645bde55008662cf86
SHA1 b9034daf2a7080cb7ebf57e33f3867202fe2d4e9
SHA256 35a59daed91192145f06fbeda58938613ada800027008566fd15446cdd4ebd9d
SHA512 47324c80eb0f8076287bf4fb7e5ea543ebedc654190d543416d20037ccb1b0163a122d3dab6b83ea450545cd76b76589f8a53af3eff3da4d77682c0906d23c14

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe.config

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe

MD5 a9aa4270caa788444d552f2d3578e539
SHA1 bf9f679b34742698ba5321f257522c88f61c6e38
SHA256 347ed24929f54062ef229bad598f5184ed3d601de3f3da8912c6c964c57100c1
SHA512 39c9bd2f323b2a4c9470a1e3d52259389fb3f97cd6c37ab4732a002cdda68a40385fdc055982600259b08d84d1fb79da7b5a71758ec7a595bf5b8eccc28e5ea1

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\GenericSetup.exe.config

MD5 2820f49b45395438974338a7a065045d
SHA1 6a1ebc8205ed8a3b395f30f39b1265185307a9a2
SHA256 11a89337357b8b40b8c577e30e342b4840229fa098e3aab8c512d07364dfe66c
SHA512 de04ece30e952206376e30b04e7e623668f83e2614199d640d0a328fca9515b80fb58086ddb6d1d32c445573e7fa965df32625e9ebd16536089c1fa6a1ba3633

memory/3184-36-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS852470C7\DevLib.dll

MD5 6ef90166cd0485d28f9041d95c1893a9
SHA1 be16f54ff32b3a15fc8ee22fa8cdcf783c196c9b
SHA256 b1e20529054b4f884e6e60eb0159a38520a36d90a57f3384e12f7f4351ea2ebe
SHA512 cd849a4555bec3befd78ca5ce582e899fe08d75093a6e69f6ce1de1081471a4f9aba912a8ee5947a9ff6b29a25f403058ba22c32adbdd6b05ff014ff7d65a75a

memory/3184-38-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

memory/3184-40-0x000000001B9C0000-0x000000001BA28000-memory.dmp

memory/3184-41-0x000000001BE30000-0x000000001BE80000-memory.dmp

memory/3184-46-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

memory/3184-47-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp

memory/3184-48-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp