Malware Analysis Report

2024-11-30 05:56

Sample ID 240614-h9ps1stepn
Target a884eab9bbf45b427361e2428b86b15c_JaffaCakes118
SHA256 78b380b77d125d2706935ea4887162ab6c687b16aedd4210a163bccd886ef3db
Tags
upx spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral8, behavioral10, behavioral19, behavioral4, behavioral9, behavioral18, behavioral20, behavioral13, behavioral28, behavioral31, behavioral12, behavioral22, behavioral26, behavioral24, behavioral21, behavioral29, behavioral30, behavioral1, behavioral5, behavioral6, behavioral7, behavioral15, behavioral2, behavioral23, behavioral27, behavioral32, behavioral25, behavioral3, behavioral11, behavioral14, behavioral16, behavioral17

Each behavioral analysis has the sections Detonation Overview, Command Line, Signatures, Processes, Network and Files.

Analysis Overview

score
7/10

SHA256

78b380b77d125d2706935ea4887162ab6c687b16aedd4210a163bccd886ef3db

Threat Level: Shows suspicious behavior

The file a884eab9bbf45b427361e2428b86b15c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx spyware stealer

UPX packed file

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Analyst notes

The following points interpret the runs on this page; they are not part of the automated verdict.

Packaging. The sample is a UPX-packed installer that extracts helper DLLs to %TEMP%\$PLUGINSDIR (Banner.dll, ExecDos.dll, inetc.dll, IpConfig.dll, LogEx.dll, md5dll.dll, MSIBanner.dll, nsDialogs.dll, nsExec.dll, registry.dll, stack.dll, UserInfo.dll, WmiInspector.dll). A $PLUGINSDIR directory holding DLLs with these names is the NSIS (Nullsoft Scriptable Install System) plugin convention. The separate "ACProtect 1.3x - 1.4x DLL software" hit is a byte-pattern packer signature that fires on the same file as the UPX signature; confirm it independently before reporting a second packer layer.

Detonation artifacts. Only behavioral1 runs the installer itself. Every other behavioral run shown on this page loads one of the extracted plugin DLLs with rundll32.exe <dll>,#1. NSIS plugin exports expect the installer's own calling sequence (parent window handle, string size, the variable block and the plugin stack pointer), not the four arguments rundll32 supplies, so those runs end in an access violation handled by WerFault.exe. The "Program crash" signatures are a consequence of that detonation method, not behavior of the sample. The "Suspicious use of WriteProcessMemory" entries in the same runs are the 64-bit C:\Windows\system32\rundll32.exe writing into the C:\Windows\SysWOW64\rundll32.exe child it spawns to host a 32-bit DLL, which is the normal WOW64 re-launch. The msedge.exe utility processes and the in-addr.arpa (reverse DNS) lookups sent to 8.8.8.8 appear in detonations that do nothing else and are best treated as sandbox background traffic.

Browser data access. The "spyware" and "stealer" tags come from the single "Reads user/profile data of web browsers" hit in behavioral1. A dropped sqlite3.exe is run three times against the Firefox profile's cookies.sqlite, but each query selects only value and expiry of one cookie (_trackid, _tracking, _campaign) restricted to baseDomain 'reimageplus.com', with output redirected to %TEMP%\FF.txt. Together with the tasklist checks for Reimage.exe and AVupdate.exe, the write to C:\Windows\Reimage.ini and the DNS query for www.reimageplus.com, this is consistent with an installer associated with reimageplus.com reading that vendor's own campaign-attribution cookies. No login store, history database or cookies for any other domain are read in the recorded run. The SeDebugPrivilege adjustment is made by tasklist.exe and is normal for that tool.

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:26

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(18 entries, all fields N/A)
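The static1 verdicts above are derived from header structure alone. The following Python, added here as an illustration and not part of the sandbox or of the sample, shows how each is checked: "UPX packed file" from the section names UPX0/UPX1, "Unsigned PE" from an empty security data directory and, as an extra inference the report does not state explicitly, an NSIS installer from the NullsoftInst marker in the overlay. It runs against a minimal PE image constructed inside the block (build_sample_pe is a helper written for this example and produces a non-executable header skeleton), so nothing here touches the real sample.

```python
import struct

# Section names UPX writes into the section table of a packed PE.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
# NSIS "first header": the 0xDEADBEEF signature followed by "NullsoftInst", kept in the overlay.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data: bytes) -> dict:
    """Read the section table, the Authenticode data directory and the overlay of a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: data directories begin 96 bytes into the optional header
        dirs = opt + 96
    elif magic == 0x20B:          # PE32+: 112 bytes in
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # The security directory holds a file offset (not an RVA) of the WIN_CERTIFICATE blob.
    cert_off, cert_len = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, raw_end = [], 0
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        if hdr + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name = data[hdr:hdr + 8].rstrip(b"\x00")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)   # SizeOfRawData, PointerToRawData
        sections.append(name)
        raw_end = max(raw_end, raw_ptr + raw_size)
    overlay = data[raw_end:]      # everything after the last section's raw data
    if cert_off and cert_off >= raw_end:   # an attached certificate sits in the overlay; skip it
        overlay = data[raw_end:cert_off] + data[cert_off + cert_len:]
    return {"sections": sections, "signed": bool(cert_off and cert_len), "overlay": overlay}


def static_triage(data: bytes) -> dict:
    """Reproduce the static verdicts (UPX packed, unsigned PE) plus an NSIS-installer check."""
    pe = parse_pe(data)
    return {
        "section_names": [s.decode("latin-1") for s in pe["sections"]],
        "upx_packed": any(s in UPX_SECTION_NAMES for s in pe["sections"]),
        "unsigned": not pe["signed"],
        "nsis_installer": NSIS_MARKER in pe["overlay"],
        "overlay_bytes": len(pe["overlay"]),
    }


def build_sample_pe(section_names, signed=False, overlay=b""):
    """Construct a minimal PE32 header set for this example. The result is not a runnable
    program, only enough structure for parse_pe: DOS stub, COFF header, PE32 optional
    header, one 0x200-byte block per section, an optional placeholder certificate, overlay."""
    n, opt_size, e_lfanew, sec_raw = len(section_names), 224, 0x40, 0x200
    raw_base = (e_lfanew + 4 + 20 + opt_size + 40 * n + 0x1FF) & ~0x1FF   # first section on 0x200
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", e_lfanew)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    cert = b"\x00" * 0x100 if signed else b""      # placeholder WIN_CERTIFICATE blob (constructed)
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         raw_base + sec_raw * n, len(cert))
    headers = dos + coff + bytes(opt)
    for i, name in enumerate(section_names):
        headers += name.ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", sec_raw, 0x1000 * (i + 1), sec_raw, raw_base + sec_raw * i, 0, 0, 0, 0, 0x60000020)
    return headers.ljust(raw_base, b"\x00") + b"\x00" * (sec_raw * n) + cert + overlay


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], overlay=NSIS_MARKER + b"\x00" * 32)
    print(static_triage(packed))
```

Both checks are heuristics. A repacked file with renamed sections defeats the UPX test, and the signature test only shows that a WIN_CERTIFICATE blob is attached, not that it validates, so a file with a garbage blob would not be reported as unsigned. For the real sample, pass the file contents read in binary mode to static_triage.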

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1516 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1516 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
GB 172.217.169.74:443 - tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 - tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp
(a dash in the Domain column marks a connection with no domain recorded)

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4124 wrote to memory of 4988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4124 wrote to memory of 4988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4124 wrote to memory of 4988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4204,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1104 wrote to memory of 2976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240611-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 228

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:28

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1348 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1348 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 624

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 4480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WmiInspector.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MSIBanner.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MSIBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MSIBanner.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 228

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3096 wrote to memory of 4736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3096 wrote to memory of 4736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3096 wrote to memory of 4736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 4736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\stack.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\stack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\stack.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

57s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 364 wrote to memory of 4980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 364 wrote to memory of 4980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 364 wrote to memory of 4980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 604

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4284 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4284 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1188 -ip 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.67:443 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 3852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1672 wrote to memory of 3852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1672 wrote to memory of 3852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3852 -ip 3852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 644

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2588 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3056 -ip 3056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4376,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8

Network

Files

memory/3056-0-0x0000000010000000-0x000000001000A000-memory.dmp

memory/3056-2-0x0000000010000000-0x000000001000A000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:28

Platform

win7-20240508-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 236

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3304 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3304 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3304 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2188 -ip 2188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 612

Network

Country Destination Domain Proto
US 52.111.229.43:443 - tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20231129-en

Max time kernel

136s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Reimage.ini C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\reimage.ini C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2696 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2696 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2696 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 1652 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2632 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2632 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2632 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 1652 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 1696 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 1696 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 1696 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 1652 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1652 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2780 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Reimage.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq AVupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq AVupdate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.reimageplus.com udp
US 161.47.7.14:80 www.reimageplus.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsyDD8.tmp\LogEx.dll

MD5 0f96d9eb959ad4e8fd205e6d58cf01b8
SHA1 7c45512cbdb24216afd23a9e8cdce0cfeaa7660f
SHA256 57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
SHA512 9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

\Users\Admin\AppData\Local\Temp\nsyDD8.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

\Users\Admin\AppData\Local\Temp\nsyDD8.tmp\Banner.dll

MD5 e264d0f91103758bc5b088e8547e0ec1
SHA1 24a94ff59668d18b908c78afd2a9563de2819680
SHA256 501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63
SHA512 a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

\Users\Admin\AppData\Local\Temp\nsyDD8.tmp\UserInfo.dll

MD5 c7ce0e47c83525983fd2c4c9566b4aad
SHA1 38b7ad7bb32ffae35540fce373b8a671878dc54e
SHA256 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
SHA512 ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

C:\Users\Admin\AppData\Local\Temp\nsiE65.tmp

MD5 50e70a54842317b098c93b805cadb5d9
SHA1 ecceef7616206da320f499f21aa6a1a0aeb943c9
SHA256 d880c423332ee2b3fd40466d7e147ba161489f98c827530cc430e99a79db2953
SHA512 c7f0ac90a0832d746c1858de271b7ecf71d46a5ccb0a49359e68ae2fba9c06c0ebde4e70415d2034c5fd772e50fb350c12c0568356d1aaef88211c251ce18562

\Users\Admin\AppData\Local\Temp\nsyDD8.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5 e289c473c5d096ed9fe4687ffe1beb38
SHA1 69730c2862fab240af72b500e78637b769b77a78
SHA256 502734472e35b0df59f9b8a06eed4ec84d96a0187532b9849d1325ba0bbb8153
SHA512 25c9074e068ced6e432920ff0c98a5fd259aeb64d37eabc4952d7dece76f4077613eed85e114c1d35827e31f557644f86eed0b9508f722fb3c7d171baf256229

memory/2856-47-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsoF70.tmp

MD5 94d682847d574e4531e11b30f56e98c0
SHA1 b0df44152e7097919d02ebcdbc8fc10b448c786c
SHA256 b4af2f2b9260af555487833d27a9d57ccec83ed18f90320f4e47322a2da32995
SHA512 c93498d97727136e1b385b9cb9a12e0d60d47646dfc63179967b2b5b33e4c17068e0ceaa5accf9f0f65a6b901aba72cd6fd3d1f65afd700f3c681a594b3d5da2

memory/2688-70-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsiFED.tmp

MD5 02966b6f2acd3fd90ad5ab9949b88272
SHA1 a011f5588485a01d990509afc95ed10812da8bdd
SHA256 344f5f8a9cab62aa86b246ceecff1403e9f2c396d54332819f8fe39c99f89102
SHA512 1666a1921d127dbcf30968721306afab5f0d6a3963ef5b6074c61bc4b6cb9275e1ba9d07a12866be7b0939db9a1d8caf0501797039b1786dd9a58ace1e9f27d6

memory/2412-93-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

MD5 dea052a2ad11945b1960577c0192f2eb
SHA1 1d02626a05a546a90c05902b2551f32c20eb3708
SHA256 943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2
SHA512 5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

\Users\Admin\AppData\Local\Temp\nsyDD8.tmp\inetc.dll

MD5 5da9df435ff20853a2c45026e7681cef
SHA1 39b1d70a7a03e7c791cb21a53d82fd949706a4b4
SHA256 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2
SHA512 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

memory/1652-111-0x00000000007B0000-0x00000000007BB000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsyDD8.tmp\md5dll.dll

MD5 7059f133ea2316b9e7e39094a52a8c34
SHA1 ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

memory/1652-138-0x00000000007B0000-0x00000000007BA000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsyDD8.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

memory/1652-148-0x00000000007B0000-0x00000000007BA000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 3836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 3836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 3836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ButtonEvent.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3836 -ip 3836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 600

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 220

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240220-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 220

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Reimage.ini C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\reimage.ini C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2228 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2228 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2052 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 812 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 812 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2052 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 448 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 448 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
PID 2052 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 532 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 532 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 532 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2052 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2632 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a884eab9bbf45b427361e2428b86b15c_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_trackid';"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_tracking';"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jlg6ljiw.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'reimageplus.com' and name='_campaign';"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq Reimage.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /C tasklist /FI "IMAGENAME eq AVupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "IMAGENAME eq AVupdate.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 www.reimageplus.com udp
US 161.47.7.14:80 www.reimageplus.com tcp
US 8.8.8.8:53 14.7.47.161.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nseD13C.tmp\LogEx.dll

MD5 0f96d9eb959ad4e8fd205e6d58cf01b8
SHA1 7c45512cbdb24216afd23a9e8cdce0cfeaa7660f
SHA256 57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314
SHA512 9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

C:\Users\Admin\AppData\Local\Temp\nseD13C.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\Temp\nseD13C.tmp\Banner.dll

MD5 e264d0f91103758bc5b088e8547e0ec1
SHA1 24a94ff59668d18b908c78afd2a9563de2819680
SHA256 501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63
SHA512 a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

C:\Users\Admin\AppData\Local\Temp\nseD13C.tmp\UserInfo.dll

MD5 c7ce0e47c83525983fd2c4c9566b4aad
SHA1 38b7ad7bb32ffae35540fce373b8a671878dc54e
SHA256 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
SHA512 ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

C:\Users\Admin\AppData\Local\Temp\nspD218.tmp

MD5 18151c23886c3dd8481dd1fbd07f1971
SHA1 3ec79b1bf13420ea25ee198cb3d307d01fdf4a36
SHA256 f08f879e53b2e8f1e1a29184bd60e6180aaf5e5a007c1cc190cc0df652dc0441
SHA512 5370f3674ec6ac3a49c2a60e33ab9f4bb0d09d0337c9725f8e5cc94903e4f8ab021759376d67f5d34bb5c35e58369394ab814304c1c4040f5878552a335f4f16

C:\Users\Admin\AppData\Local\Temp\nseD13C.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

MD5 e289c473c5d096ed9fe4687ffe1beb38
SHA1 69730c2862fab240af72b500e78637b769b77a78
SHA256 502734472e35b0df59f9b8a06eed4ec84d96a0187532b9849d1325ba0bbb8153
SHA512 25c9074e068ced6e432920ff0c98a5fd259aeb64d37eabc4952d7dece76f4077613eed85e114c1d35827e31f557644f86eed0b9508f722fb3c7d171baf256229

memory/2492-37-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsaD342.tmp

MD5 35fb2111129d1f3ceba2cf51dc8ab690
SHA1 b4d7259f9da2a37ff822e05df70fdea927614ca5
SHA256 ccdf2fc9731cd8fee68b880f0c587e836e1bbec40dd892548ee32fc961167dec
SHA512 998ea5a0528f8bc816778939a0134a6881e489b98475f1588ffea8a84518b657428947a0dcb0533ebbd4f62263820f47d29da0324c0ad2cc282c5e9601188f81

memory/4796-52-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsqD3EF.tmp

MD5 327a9a995eff913b0ee32a108e65fbd5
SHA1 a06d5d8ca7b1cd2a7c842b2cde46e1ad808762c3
SHA256 5db88b7a54aaefee38825ccdccceea1fb405edca166a1ec7d82458c03e18bc28
SHA512 17d1c3a0dc4c8dffe5de2c480265f4f440c0f96c4b02791c95d9c41dca4bcb664c0fb80a0ca4d5ed7b2f2955a7b5eef895a76a4801c1bd40f5405342655f10d8

memory/2344-67-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

MD5 dea052a2ad11945b1960577c0192f2eb
SHA1 1d02626a05a546a90c05902b2551f32c20eb3708
SHA256 943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2
SHA512 5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

C:\Users\Admin\AppData\Local\Temp\nseD13C.tmp\inetc.dll

MD5 5da9df435ff20853a2c45026e7681cef
SHA1 39b1d70a7a03e7c791cb21a53d82fd949706a4b4
SHA256 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2
SHA512 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

memory/2052-84-0x00000000059A0000-0x00000000059AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nseD13C.tmp\md5dll.dll

MD5 7059f133ea2316b9e7e39094a52a8c34
SHA1 ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

memory/2052-92-0x00000000059A0000-0x00000000059AA000-memory.dmp

memory/2052-98-0x00000000059A0000-0x00000000059AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nseD13C.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

memory/2052-106-0x00000000059A0000-0x00000000059AA000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240611-en

Max time kernel

141s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 228

Network

N/A

Files

memory/2548-0-0x0000000010000000-0x000000001000A000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:28

Platform

win7-20240220-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 220

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\stack.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4912 wrote to memory of 2644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4912 wrote to memory of 2644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4912 wrote to memory of 2644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\stack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\stack.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240611-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 240

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20231129-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Banner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LogEx.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MSIBanner.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 4488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3132 wrote to memory of 4488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3132 wrote to memory of 4488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MSIBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MSIBanner.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 2876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2876 -ip 2876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20231129-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 220

Network

N/A

Files

N/A