Analysis Overview
SHA256: 9fac22e098a25975b035b01c42f1412d4daa60ffe0cffc51b71c2c8d65bec9a6
Threat Level: Shows suspicious behavior
The file a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Executes dropped EXE
Loads dropped DLL
Program crash
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-06-13 15:11
Signatures
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-13 15:11
Reported: 2024-06-13 15:13
Platform: win7-20240611-en
Max time kernel: 140s
Max time network: 123s
Command Line: N/A
Signatures
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 2 identical events | N/A | C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe | N/A |
| 2 identical events | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
UPX packed file
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 2420 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\keygen.exe
Network
Files
\Users\Admin\AppData\Local\Temp\keygen.exe
| MD5 | 1c662492180514144db462edca9f9d20 |
| SHA1 | aa0c2cc7365c514ab75f5be46b0e73f07417c87d |
| SHA256 | dffb8c5f3b46e41e1a1815f12b8df5f10b05ff71b94bc7d243cab33d13eaa625 |
| SHA512 | 3a049cf4c9cadc7af1b4c1443c5f05f878a77ee07a9292faa9c49763ebfcb528370c35b97b7062ab3eb02d49a2df8a23f16a868230d36bcf6308183a663d411e |
C:\Users\Admin\AppData\Local\Temp\BASSMOD.DLL
| MD5 | e4ec57e8508c5c4040383ebe6d367928 |
| SHA1 | b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06 |
| SHA256 | 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f |
| SHA512 | 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822 |
memory/2420-15-0x0000000010000000-0x0000000010013000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R2RJUCE.dll
| MD5 | c4b4991d621f406e49d86757ee01dd40 |
| SHA1 | 0570fb52e33f2434373ad74851c5811e8fb158d5 |
| SHA256 | 7142f93fa14137d57971611435c0faac9a1eb9e2b628df26242eeb095558c968 |
| SHA512 | b38baa568ea77e77ff34c894f892bc868b321f6a7c481091c7d48e986fe078482b0ecf6123066bbe2f4d6d60aeb4e4c498cb2add2dd60dd876200b18d80b69f8 |
memory/2420-17-0x0000000074510000-0x0000000074556000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bgm.xm
| MD5 | 539e356c53b64aeb65475f21711729c2 |
| SHA1 | 5a1b659f39206162e1c542f44d1e51ce48e7d846 |
| SHA256 | 34fe3a4db959f96a80835552ecf0c505fa3f5d694512342dcd59903fa830520c |
| SHA512 | d207663d81d8a1f51a365c0b76fcc3a4f668ef51f475723972dc55c8a651c7d72039db29ab6c8465e7fa9a142c8d99aa79ddaf73d89d242726124461743eda99 |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-06-13 15:11
Reported: 2024-06-13 15:13
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 122s
Command Line: N/A
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1700 wrote to memory of 2456 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1
Network
Files
memory/2456-0-0x0000000010000000-0x0000000010013000-memory.dmp
memory/2456-1-0x0000000010012000-0x0000000010013000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted: 2024-06-13 15:11
Reported: 2024-06-13 15:13
Platform: win10v2004-20240611-en
Max time kernel: 93s
Max time network: 123s
Command Line: N/A
Signatures
UPX packed file
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3476 wrote to memory of 1140 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1140 -ip 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/1140-0-0x0000000075470000-0x00000000754B6000-memory.dmp
memory/1140-1-0x0000000075470000-0x00000000754B6000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted: 2024-06-13 15:11
Reported: 2024-06-13 15:13
Platform: win7-20240611-en
Max time kernel: 140s
Max time network: 123s
Command Line: N/A
Signatures
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-13 15:11
Reported: 2024-06-13 15:13
Platform: win10v2004-20240611-en
Max time kernel: 142s
Max time network: 129s
Command Line: N/A
Signatures
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 2 identical events | N/A | C:\Users\Admin\AppData\Local\Temp\keygen.exe | N/A |
UPX packed file
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 4004 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\keygen.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Users\Admin\AppData\Local\Temp\keygen.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x40c
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\keygen.exe
| MD5 | 1c662492180514144db462edca9f9d20 |
| SHA1 | aa0c2cc7365c514ab75f5be46b0e73f07417c87d |
| SHA256 | dffb8c5f3b46e41e1a1815f12b8df5f10b05ff71b94bc7d243cab33d13eaa625 |
| SHA512 | 3a049cf4c9cadc7af1b4c1443c5f05f878a77ee07a9292faa9c49763ebfcb528370c35b97b7062ab3eb02d49a2df8a23f16a868230d36bcf6308183a663d411e |
C:\Users\Admin\AppData\Local\Temp\BASSMOD.DLL
| MD5 | e4ec57e8508c5c4040383ebe6d367928 |
| SHA1 | b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06 |
| SHA256 | 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f |
| SHA512 | 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822 |
C:\Users\Admin\AppData\Local\Temp\R2RJUCE.dll
| MD5 | c4b4991d621f406e49d86757ee01dd40 |
| SHA1 | 0570fb52e33f2434373ad74851c5811e8fb158d5 |
| SHA256 | 7142f93fa14137d57971611435c0faac9a1eb9e2b628df26242eeb095558c968 |
| SHA512 | b38baa568ea77e77ff34c894f892bc868b321f6a7c481091c7d48e986fe078482b0ecf6123066bbe2f4d6d60aeb4e4c498cb2add2dd60dd876200b18d80b69f8 |
memory/4004-11-0x0000000010000000-0x0000000010013000-memory.dmp
memory/4004-12-0x0000000074E50000-0x0000000074E96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bgm.xm
| MD5 | 539e356c53b64aeb65475f21711729c2 |
| SHA1 | 5a1b659f39206162e1c542f44d1e51ce48e7d846 |
| SHA256 | 34fe3a4db959f96a80835552ecf0c505fa3f5d694512342dcd59903fa830520c |
| SHA512 | d207663d81d8a1f51a365c0b76fcc3a4f668ef51f475723972dc55c8a651c7d72039db29ab6c8465e7fa9a142c8d99aa79ddaf73d89d242726124461743eda99 |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-06-13 15:11
Reported: 2024-06-13 15:13
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 53s
Command Line: N/A
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3152 wrote to memory of 2484 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1
Network
Files
memory/2484-0-0x0000000010000000-0x0000000010013000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted: 2024-06-13 15:11
Reported: 2024-06-13 15:13
Platform: win7-20240220-en
Max time kernel: 122s
Max time network: 123s
Command Line: N/A
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 2028 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted: 2024-06-13 15:11
Reported: 2024-06-13 15:13
Platform: win10v2004-20240508-en
Max time kernel: 141s
Max time network: 51s
Command Line: N/A
Signatures
UPX packed file
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0 0x340
Network
Files