Malware Analysis Report

2024-09-23 11:24

Sample ID 240614-vvq4ratckn
Target aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118
SHA256 f048d6c021a1f189e86a0bb99b5010c3b43c7ca326e6f7aef1ef85c56060ff6f
Tags
bootkit persistence discovery
score
7/10

Analysis Overview

score
7/10

SHA256

f048d6c021a1f189e86a0bb99b5010c3b43c7ca326e6f7aef1ef85c56060ff6f

Threat Level: Shows suspicious behavior

The file aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence discovery

Loads dropped DLL

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 17:18

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 244

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 224

Network

N/A

Files

memory/2856-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2856-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config.ini C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4888 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4888 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
PID 1688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
PID 1688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
PID 1688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
PID 1688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
PID 1688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
PID 1688 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
PID 2036 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe
PID 2036 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe
PID 2036 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe
PID 2036 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe

"C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe" /uninstallsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 d.wanyouxi7.com udp
US 8.8.8.8:53 a.clickdata.37wan.com udp

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

MD5 e77f23f79a593441197de7f9554aeabf
SHA1 5b7496c2229953452d8f381bd37b761bea53fd96
SHA256 1a6d1bae47abef8db6d33ab4f9efc451b2a99d432fe012208e88e6b27f2aa845
SHA512 d4bfb1ad630dfde11a2cdad656c59eb82f05dd79bd7c724cab89916bda5b04039e6c6f62f066de09a6b4947897da4e6e557d68be9f386e636e403b10cdff3648

\Users\Admin\AppData\Local\Temp\nst4F3A.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/2036-12-0x0000000010000000-0x0000000010003000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst4F3A.tmp\inetc.dll

MD5 50fdadda3e993688401f6f1108fabdb4
SHA1 04a9ae55d0fb726be49809582cea41d75bf22a9a
SHA256 6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
SHA512 e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

C:\Users\Admin\AppData\Local\Temp\config.ini

MD5 d0a92540c2001f18e6c71e53e58c82be
SHA1 4e0fe0aa248aee5e68cd20ea3da76930ff764d50
SHA256 fe2d2e692392d490ef951757969d7de40b9666d20b9dd1f4e527010b558d5600
SHA512 686a355a6a2b95d359cf20ac4e55efa2b553c83266679d9d5156beef1413ed029fc5c764dede7c1d983e33ae4d56c90e5c306e231bd549ba8ef5e7487e26164e

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2788-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2788-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2996 wrote to memory of 952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 624

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe

"C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 a.clickdata.37wan.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nso5100.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

C:\Users\Admin\AppData\Local\Temp\nso5100.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/5048-15-0x00000000048D1000-0x00000000048D2000-memory.dmp

memory/5048-14-0x00000000048D0000-0x00000000048D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\qz\config.ini

MD5 3a8ac6b3f7bbdae9198c1a9624172e24
SHA1 0bb84341a3dc4b17f2da3b0a9b774ab539591941
SHA256 975a566ca19b836bdf4c375cbed44a48dbf303dbd58ca1c7f6998198d8ab36f9
SHA512 afc4f01309aede00c49bd96bedf34519c705761df9acc81eead5e6fa351626fe747758b4b3f0794ee22865435460e3a805d051deb72693b9e2faa0e51d02e5b3

C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe

MD5 40c208e08b1442ce16683584757a553e
SHA1 fb9d56c453ee3d6f53941dae7a46aa46d4a403c4
SHA256 9eb97093a6e455ddd48b964b8d798da841c2fcb6bcc389826bb87b50dafe9c12
SHA512 1be251466b79ba40f04848c9db16ccc51f30730f689ea5d9783e15103da09a026b3b6392fbc17d1bf6277b5d63a001319b30ff3881c489a92e8a0cd4801f7177

C:\Users\Admin\AppData\Local\Temp\nso5100.tmp\StdUtils.dll

MD5 0061a96c8ff17ad0927aae65b5dfe06b
SHA1 9d1bd69d930ccda683e6b7c2c0d1dbe3b54861fe
SHA256 2aaef1ed8a25097b3a807568daeffd3320fa29d6de66df90a57beaa8df8949cf
SHA512 c6b887a4e1682ba1e126c93bc4d886c7f1ce392f97866e631c5b8a945824cbefc9af2429a14c2dac3b16d97bd33195d4378a7e92ae53fdeb47197452d4d90fc4

memory/5048-55-0x00000000048D1000-0x00000000048D2000-memory.dmp

memory/5048-54-0x00000000048D0000-0x00000000048D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\qz\config.dll

MD5 b4d19749adaf9f2c42f06eff71b003cb
SHA1 6cae6493aca04be3b721df0c34f7b54b9b4f48ba
SHA256 d05b2b15a2338adbb2202ec480a5c9689247df4c175ee41a20ce1d03422193f2
SHA512 54a22826314925a7ea5b154dd81f880bfd33dd0fea238761c4a7d166248ffd0a0cb088f901f3fcadf03573ed7dc89353d96fefa8a236608535773d15ffbe834e

memory/5048-65-0x00000000048D1000-0x00000000048D2000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4960 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4960 wrote to memory of 2436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2436 -ip 2436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 600

Network


Files

memory/2436-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2436-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 1604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1604 -ip 1604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 600

Network

Files

memory/1604-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1604-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2460 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network


Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2624 -ip 2624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aadfd9f322ba0dbd314c98e50c897427_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe

"C:\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe" /setupsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 a.clickdata.37wan.com udp

Files

\Users\Admin\AppData\Local\Temp\nst199B.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

\Users\Admin\AppData\Local\Temp\nst199B.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/2196-13-0x0000000002790000-0x0000000002793000-memory.dmp

memory/2196-14-0x0000000002791000-0x0000000002792000-memory.dmp

\Users\Admin\AppData\Roaming\qz\douyou_duan-qzd.exe

MD5 40c208e08b1442ce16683584757a553e
SHA1 fb9d56c453ee3d6f53941dae7a46aa46d4a403c4
SHA256 9eb97093a6e455ddd48b964b8d798da841c2fcb6bcc389826bb87b50dafe9c12
SHA512 1be251466b79ba40f04848c9db16ccc51f30730f689ea5d9783e15103da09a026b3b6392fbc17d1bf6277b5d63a001319b30ff3881c489a92e8a0cd4801f7177

C:\Users\Admin\AppData\Roaming\qz\config.ini

MD5 3a8ac6b3f7bbdae9198c1a9624172e24
SHA1 0bb84341a3dc4b17f2da3b0a9b774ab539591941
SHA256 975a566ca19b836bdf4c375cbed44a48dbf303dbd58ca1c7f6998198d8ab36f9
SHA512 afc4f01309aede00c49bd96bedf34519c705761df9acc81eead5e6fa351626fe747758b4b3f0794ee22865435460e3a805d051deb72693b9e2faa0e51d02e5b3

\Users\Admin\AppData\Local\Temp\nst199B.tmp\StdUtils.dll

MD5 0061a96c8ff17ad0927aae65b5dfe06b
SHA1 9d1bd69d930ccda683e6b7c2c0d1dbe3b54861fe
SHA256 2aaef1ed8a25097b3a807568daeffd3320fa29d6de66df90a57beaa8df8949cf
SHA512 c6b887a4e1682ba1e126c93bc4d886c7f1ce392f97866e631c5b8a945824cbefc9af2429a14c2dac3b16d97bd33195d4378a7e92ae53fdeb47197452d4d90fc4

memory/2196-45-0x0000000002990000-0x0000000002992000-memory.dmp

C:\Users\Admin\AppData\Roaming\qz\config.dll

MD5 b4d19749adaf9f2c42f06eff71b003cb
SHA1 6cae6493aca04be3b721df0c34f7b54b9b4f48ba
SHA256 d05b2b15a2338adbb2202ec480a5c9689247df4c175ee41a20ce1d03422193f2
SHA512 54a22826314925a7ea5b154dd81f880bfd33dd0fea238761c4a7d166248ffd0a0cb088f901f3fcadf03573ed7dc89353d96fefa8a236608535773d15ffbe834e

memory/2196-56-0x00000000028D1000-0x00000000028D2000-memory.dmp

memory/2196-55-0x00000000028D0000-0x00000000028D3000-memory.dmp

memory/2196-64-0x0000000002791000-0x0000000002792000-memory.dmp

memory/2196-65-0x00000000028D1000-0x00000000028D2000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 3840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3960,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.185:443 www.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 185.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1624 -ip 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config.ini C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

N/A

Files

memory/1176-26-0x00000000025E0000-0x00000000025E1000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe

"C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe" /uninstallsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 138.113.101.20:80 d.wanyouxi7.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
US 8.8.8.8:53 20.101.113.138.in-addr.arpa udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

MD5 e77f23f79a593441197de7f9554aeabf
SHA1 5b7496c2229953452d8f381bd37b761bea53fd96
SHA256 1a6d1bae47abef8db6d33ab4f9efc451b2a99d432fe012208e88e6b27f2aa845
SHA512 d4bfb1ad630dfde11a2cdad656c59eb82f05dd79bd7c724cab89916bda5b04039e6c6f62f066de09a6b4947897da4e6e557d68be9f386e636e403b10cdff3648

C:\Users\Admin\AppData\Local\Temp\nsb55D2.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/3328-10-0x0000000010000000-0x0000000010003000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsb55D2.tmp\inetc.dll

MD5 50fdadda3e993688401f6f1108fabdb4
SHA1 04a9ae55d0fb726be49809582cea41d75bf22a9a
SHA256 6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
SHA512 e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

C:\Users\Admin\AppData\Local\Temp\config.ini

MD5 6d8ca9a1c4d8e0775264f90e10624c7a
SHA1 c4fa2c151fb8b16431ae4f51ef31bd9e567f50f0
SHA256 559abb0a46e94894615b5accc605d048e01caf97a3e2514aef427645e9b17d1a
SHA512 9c7d1b2dd34ae10075c052d79b0ae1a168006a71f61cbc9543f5339e25c3ee706f830a288afe9b073213355522bcbfe14960ec6f590fa1ad077748b04a65b44c

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 224

Network

N/A

Files

memory/2164-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2164-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 224

Network

N/A

Files

memory/2564-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2564-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2564-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 2012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1080 wrote to memory of 2012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1080 wrote to memory of 2012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2012-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2012-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe

"C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp

Files

memory/2248-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe

"C:\Users\Admin\AppData\Local\Temp\douyou_duan-qzd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
BE 2.17.107.115:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 115.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
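The Network tables in these detonations mix three kinds of rows: the sample's own lookups and connections (gameapp.37.com, d.wanyouxi7.com, a.clickdata.37wan.com and the hosts they resolve to), traffic the Windows image generates by itself (g.bing.com, www.bing.com), and the sandbox resolver's reverse lookups (the in-addr.arpa queries to 8.8.8.8). A row with a destination but no domain, such as the 52.111.227.11:443 connection above, cannot be attributed from the table alone. The script below is an added example, not part of the sandbox output, that parses rows in this table's layout and separates sample-attributable indicators from that noise. The resolver address, the OS-noise suffix list and the embedded rows are constructed for the example and should be tuned to your own sandbox.

```python
import re

# Constructed sample in the layout of this report's Network tables
# (Country Destination Domain Proto); a few rows copied from the report, not a live capture.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
CN 193.112.84.233:80 gameapp.37.com tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
BE 2.17.107.115:443 www.bing.com tcp
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 138.113.101.20:80 d.wanyouxi7.com tcp
US 52.111.227.11:443 tcp
"""

# Assumed: the sandbox resolver and the names its Windows image contacts on its own.
# Anything not matched here is attributed to the sample, so keep the list short and explicit.
RESOLVER = "8.8.8.8:53"
OS_NOISE_SUFFIXES = (".bing.com", ".microsoft.com", ".windowsupdate.com")

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}:\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse table rows; the header line and anything malformed are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row):
    domain = row["domain"] or ""
    if domain.endswith(".in-addr.arpa"):
        return "noise-rdns"          # the sandbox reverse-resolving peers it saw
    if domain.endswith(OS_NOISE_SUFFIXES):
        return "noise-os"            # search/telemetry traffic from the OS image
    if row["dst"] == RESOLVER:
        return "dns-query" if domain else "dns-unknown"
    return "contact" if domain else "contact-unnamed"


def triage(text):
    """Split rows into sample-attributable IOCs and noise; order kept, duplicates dropped."""
    out = {"domains": [], "endpoints": [], "unattributed": [], "noise": 0}
    for row in parse_rows(text):
        kind = classify(row)
        if kind.startswith("noise"):
            out["noise"] += 1
        elif kind in ("dns-query", "contact"):
            if row["domain"] not in out["domains"]:
                out["domains"].append(row["domain"])
            if kind == "contact" and row["dst"] not in out["endpoints"]:
                out["endpoints"].append(row["dst"])
        elif kind == "contact-unnamed":
            # A connection with no name in the capture: confirm by hand, it may be OS or C2.
            if row["dst"] not in out["unattributed"]:
                out["unattributed"].append(row["dst"])
        # "dns-unknown" (a query row whose name was not recorded) carries nothing to act on.
    return out


def defang(indicator):
    """Render an IOC so it cannot be clicked or resolved by accident."""
    return indicator.replace(".", "[.]").replace(":", "[:]")


if __name__ == "__main__":
    result = triage(SAMPLE_TABLE)
    for d in result["domains"]:
        print("domain  ", defang(d))
    for e in result["endpoints"]:
        print("endpoint", defang(e))
    for u in result["unattributed"]:
        print("check   ", defang(u))
    print("noise rows:", result["noise"])
```

Run against the embedded rows it yields two sample domains, two endpoints, one unattributed connection to check by hand, and four noise rows. Rows whose name was never recorded are deliberately kept separate rather than silently dropped or silently promoted to IOCs.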

Files

memory/3768-3-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/3768-4-0x0000000002B90000-0x0000000002B91000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240611-en

Max time kernel

117s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
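The "Suspicious use of WriteProcessMemory" signature fires twice in this report with very different meaning. In the KillProcDLL, System.dll and StdUtils detonations the writer is the 64-bit rundll32 in system32 and the target is the SysWOW64 rundll32 it spawned with the identical command line: that is how a 32-bit DLL gets loaded on x64, and a parent writing into a child it has just created is part of process start-up (the WerFault crashes that follow are consistent with rundll32 calling ordinal #1 of an NSIS plugin DLL, which expects the installer's own argument convention). Here, by contrast, iconAnimate.exe holds SeDebugPrivilege and writes 35 times into the already-running Explorer.EXE, which is not its child. The script below is an added example, not part of the sandbox output, that applies that distinction to rows shaped like these signature tables. The PIDs are taken from the report; the parent links, the privilege set and the list of high-value target images are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None          # None = parent not recorded
    privileges: set = field(default_factory=set)


@dataclass(frozen=True)
class WpmEvent:                             # one "PID a wrote to memory of b" row
    source: int
    target: int


# Constructed from the rows in this report. Assumed: 2012 was spawned by 1080 (the same
# command line in system32 and SysWOW64); who started 2192 is not recorded, so it is None.
PLUGIN_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1"
PROCS = {
    1080: Proc(1080, r"C:\Windows\system32\rundll32.exe", PLUGIN_CMD),
    2012: Proc(2012, r"C:\Windows\SysWOW64\rundll32.exe", PLUGIN_CMD, parent=1080),
    1372: Proc(1372, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    2192: Proc(2192, r"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"',
               privileges={"SeDebugPrivilege"}),
}
EVENTS = [WpmEvent(1080, 2012)] * 3 + [WpmEvent(2192, 1372)] * 35

# Assumed list of processes whose memory an unrelated program has no business writing.
SHELL_IMAGES = {r"c:\windows\explorer.exe"}


def classify_write(ev, procs):
    src, dst = procs[ev.source], procs[ev.target]
    if dst.parent == src.pid:
        # Writing into a child you just created is what process start-up looks like.
        # The 64-bit rundll32 re-executing its 32-bit twin with the same command line is
        # how a 32-bit DLL gets loaded on x64; nothing is injected into a foreign process.
        wow64_pair = (src.image.lower().endswith(r"\system32\rundll32.exe")
                      and dst.image.lower().endswith(r"\syswow64\rundll32.exe")
                      and src.cmdline.lower() == dst.cmdline.lower())
        return "wow64-relaunch" if wow64_pair else "child-setup"
    # Writing into a process that is not your child is cross-process injection territory.
    high = "SeDebugPrivilege" in src.privileges or dst.image.lower() in SHELL_IMAGES
    return "cross-process-write:high" if high else "cross-process-write:medium"


def triage(events, procs):
    """Collapse the per-call rows into (source, target, verdict) -> count."""
    return dict(Counter((ev.source, ev.target, classify_write(ev, procs)) for ev in events))


def findings(events, procs):
    """Human-readable lines, high-severity first; plain child-setup writes are dropped."""
    lines = []
    ranked = sorted(triage(events, procs).items(), key=lambda kv: "high" not in kv[0][2])
    for (src, dst, verdict), n in ranked:
        if verdict == "child-setup":
            continue
        lines.append(f"{verdict}: {procs[src].image} ({src}) -> "
                     f"{procs[dst].image} ({dst}), {n} writes")
    return lines


if __name__ == "__main__":
    for line in findings(EVENTS, PROCS):
        print(line)
```

The verdict depends on the parent relationship, not on the API name, which is why the same signature collapses to a benign WoW64 relaunch in one detonation and to a high-severity write into the shell in the other. Feeding it real events requires the process-creation log (parent PID, image, command line) that the sandbox already has; the privilege set comes from the AdjustPrivilegeToken rows.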

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

N/A

Files

memory/1372-0-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-1-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-2-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-3-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-4-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-5-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-6-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-9-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-27-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-30-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-29-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-28-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-26-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-25-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-8-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-24-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-23-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-22-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-21-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-20-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-19-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-18-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-17-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-16-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-15-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-14-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-13-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-12-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-11-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-10-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1372-7-0x0000000002620000-0x0000000002621000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 224

Network

N/A

Files

memory/2296-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2296-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2296-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3704 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3704 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1572 -ip 1572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 612

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240611-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 240

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win7-20240611-en

Max time kernel

119s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 244

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 17:18

Reported

2024-06-14 17:21

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 1420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 876 wrote to memory of 1420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 876 wrote to memory of 1420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1420 -ip 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.201:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 201.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A