Malware Analysis Report

2024-09-11 16:44

Sample ID 240614-raenfaxdjl
Target !#Fileş_#!UŞe~Passw0rd__~.~140613~.~__.zip
SHA256 99201013b3b2fbde089523a6d3dbf9e405f7415fd26055bb1fb4ec9c5721b30a
Tags stealc vidar stealer discovery spyware
Score 10/10

Analysis Overview

score
10/10

SHA256

99201013b3b2fbde089523a6d3dbf9e405f7415fd26055bb1fb4ec9c5721b30a

Threat Level: Known bad

The file !#Fileş_#!UŞe~Passw0rd__~.~140613~.~__.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar stealer discovery spyware

Stealc

Vidar

Detect Vidar Stealer

Reads data files stored by FTP clients

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 13:59

Signatures

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win7-20240611-en

Max time kernel

123s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\HDHelper_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win7-20240221-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2016 set thread context of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 2016 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 2016 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 2016 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 2016 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 2356 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2356 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2356 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2356 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2356 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2356 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2104 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\WerFault.exe
PID 2104 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\WerFault.exe
PID 2104 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\WerFault.exe
PID 2104 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 148

Network

N/A

Files

memory/2016-10-0x000007FEF5508000-0x000007FEF5509000-memory.dmp

memory/2016-11-0x000007FEF54F1000-0x000007FEF5509000-memory.dmp

memory/2016-13-0x000007FEF54F1000-0x000007FEF5509000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b170e35c

MD5 30ca75800382a04a6227212036d703a3
SHA1 5828074f5911c9bac862eba4dd1d41d397c0d95f
SHA256 42633b8f26d6191963dfa8969f9e76b98795e49f1b9c70f62c039a00eccacb87
SHA512 9bedf365563a26e78fda809fa30588b9f121a73cf1bdc21b389567dcf78dfe3e43400692a5ba8e53e7ec0b4bb3d01830b8829e9398fc9428f857606716dba1d5

memory/2356-15-0x0000000076E60000-0x0000000077009000-memory.dmp

memory/2356-18-0x000000007315E000-0x0000000073160000-memory.dmp

memory/2356-17-0x0000000073150000-0x00000000732C4000-memory.dmp

\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2356-22-0x0000000073150000-0x00000000732C4000-memory.dmp

memory/2104-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2104-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2356-26-0x0000000073150000-0x00000000732C4000-memory.dmp

memory/2104-28-0x0000000000920000-0x000000000106C000-memory.dmp

memory/2104-35-0x0000000000920000-0x000000000106C000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win7-20240611-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\tray_manager_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1176 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1176 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1176 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\tray_manager_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1176 -s 232

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc

stealer stealc

Vidar

stealer vidar

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2580 set thread context of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2580 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe | C:\Windows\SysWOW64\netsh.exe
PID 1080 wrote to memory of 1800 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1080 wrote to memory of 1800 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1080 wrote to memory of 1800 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1080 wrote to memory of 1800 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1080 wrote to memory of 1800 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1800 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 4128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4024 wrote to memory of 4128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4024 wrote to memory of 4128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\GCGHJEBGHJKE" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | feeldog.xyz | udp

Files

memory/2580-0-0x00007FFB14FC0000-0x00007FFB15132000-memory.dmp

memory/2580-11-0x00007FFB14FD8000-0x00007FFB14FD9000-memory.dmp

memory/2580-12-0x00007FFB14FC0000-0x00007FFB15132000-memory.dmp

memory/2580-13-0x00007FFB14FC0000-0x00007FFB15132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0cd6a58

MD5 f36f0e358f71dbfa89e599f64c5f0600
SHA1 f3a5f5fdd6da5a7d90c9b52d2a57ebd87def1191
SHA256 28ea78d7a4552ebb2ae19f77567db35d852909a427db44b2c0ad6d179a9338f7
SHA512 a4decfc5cb76e5125d99d61c371b95909e0fd85adfd20fa2e6611015b92e9b7ff120942227347d1291d525859c3f057f93c0a1e9d6274bf0e67ee84606697f10

memory/1080-16-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1800-22-0x0000000001200000-0x000000000194C000-memory.dmp

memory/1800-24-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

memory/1800-25-0x0000000001200000-0x000000000194C000-memory.dmp

memory/1800-26-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1800-38-0x0000000001200000-0x000000000194C000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\tray_manager_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\tray_manager_plugin.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | pki.goog | udp
US | 8.8.8.8:53 | pki.goog | udp
US | 216.239.32.29:80 | pki.goog | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win7-20240508-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1964 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1964 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1964 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1964 -s 80

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.160:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
IE | 52.111.236.22:443 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win7-20240611-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\flutter_windows.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2396 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2396 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2396 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\flutter_windows.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2396 -s 204

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\windows_single_instance_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\windows_single_instance_plugin.dll,#1

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\flutter_windows.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\flutter_windows.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 131.253.33.237:443 | g.bing.com | tcp
NL | 23.62.61.75:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win7-20231129-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2220 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2220 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2220 -s 80

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\VSLauncher_[0MB]_[1].exe"

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 131.253.33.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
NL | 23.62.61.75:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-string-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win10v2004-20240611-en

Max time kernel

97s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 20.42.73.26:443 | | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win7-20240508-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_app.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 220

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240611-en

Max time kernel

126s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_app.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3428 wrote to memory of 1868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3428 wrote to memory of 1868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3428 wrote to memory of 1868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3892,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.43.107.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\windows_single_instance_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2176 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2176 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2176 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\windows_single_instance_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2176 -s 204

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\HDHelper_[0MB]_[1].exe"

Network

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\flutter_desktop_sleep_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 2544 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1040 wrote to memory of 2544 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1040 wrote to memory of 2544 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\flutter_desktop_sleep_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1040 -s 204

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\url_launcher_windows_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\url_launcher_windows_plugin.dll,#1

Network


Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140.dll,#1

Network


Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\url_launcher_windows_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2992 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2992 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\url_launcher_windows_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2992 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\vcruntime140_1.dll,#1

Network


Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3488 -ip 3488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3488 -ip 3488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\VSLauncher_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

60s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\flutter_desktop_sleep_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\flutter_desktop_sleep_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:01

Platform

win7-20240220-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\msvcp140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2904 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2904 wrote to memory of 2924 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\msvcp140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2904 -s 80

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 13:59

Reported

2024-06-14 14:02

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\msvcp140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!#File__#!U_e~Passw0rd__~.~140613~.~__\msvcp140.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4092,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A