MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 01:57

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win7-20240220-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country	Destination	Domain	Proto
GB	172.217.169.74:443		tcp
US	8.8.8.8:53	97.17.167.52.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	22.160.190.20.in-addr.arpa	udp
US	8.8.8.8:53	95.221.229.192.in-addr.arpa	udp
US	8.8.8.8:53	58.55.71.13.in-addr.arpa	udp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
US	13.107.253.64:443		tcp
US	8.8.8.8:53	198.187.3.20.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	228.249.119.40.in-addr.arpa	udp
US	8.8.8.8:53	11.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	8.179.89.13.in-addr.arpa	udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-timezone-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-timezone-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
US	8.8.8.8:53	73.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	249.197.17.2.in-addr.arpa	udp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	8.8.8.8:53	0.205.248.87.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53		udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	136.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	249.197.17.2.in-addr.arpa	udp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	206.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	101.58.20.217.in-addr.arpa	udp
US	8.8.8.8:53	208.238.32.23.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-math-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-math-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	52.111.229.43:443		tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

Signatures

Detect Vidar Stealer

stealer

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Stealc

stealer stealc

Vidar

stealer vidar

Detects Windows executables referencing non-Windows User-Agents

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Detects executables containing potential Windows Defender anti-emulation checks

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Reads data files stored by FTP clients

spyware stealer

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\coml.au3	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 4804 set thread context of 1824	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	C:\Windows\SysWOW64\netsh.exe

Checks installed software on the system

discovery

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\coml.au3	N/A

Enumerates physical storage devices

Checks processor information in registry

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C:\Users\Admin\AppData\Local\Temp\coml.au3	N/A

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\timeout.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\netsh.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\netsh.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\coml.au3	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\coml.au3	N/A

Suspicious behavior: MapViewOfSection

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\netsh.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2668 wrote to memory of 4804	N/A	C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
PID 2668 wrote to memory of 4804	N/A	C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe
PID 4804 wrote to memory of 1824	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	C:\Windows\SysWOW64\netsh.exe
PID 4804 wrote to memory of 1824	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	C:\Windows\SysWOW64\netsh.exe
PID 4804 wrote to memory of 1824	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	C:\Windows\SysWOW64\netsh.exe
PID 4804 wrote to memory of 1824	N/A	C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe	C:\Windows\SysWOW64\netsh.exe
PID 1824 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\netsh.exe	C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1824 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\netsh.exe	C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1824 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\netsh.exe	C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1824 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\netsh.exe	C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1824 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\netsh.exe	C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2628 wrote to memory of 5108	N/A	C:\Users\Admin\AppData\Local\Temp\coml.au3	C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 5108	N/A	C:\Users\Admin\AppData\Local\Temp\coml.au3	C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 5108	N/A	C:\Users\Admin\AppData\Local\Temp\coml.au3	C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 4404	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 5108 wrote to memory of 4404	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe
PID 5108 wrote to memory of 4404	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\pythonw.exe"

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\BAECFHJEBAAF" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	feeldog.xyz	udp
US	52.111.227.14:443		tcp

Files

memory/2668-0-0x00007FFF9E640000-0x00007FFF9E7B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Httva\pythonw.exe

MD5	9a4cc0d8e7007f7ef20ca585324e0739
SHA1	f3e5a2e477cac4bab85940a2158eed78f2d74441
SHA256	040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
SHA512	54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

C:\Users\Admin\AppData\Roaming\Httva\python310.dll

MD5	e31064ef0869d01beb4841879a87a391
SHA1	7c26d7c27215afa8304df18a7a6bc4a03eaf70c5
SHA256	2c9b70db08be7e17ee33130cc8ace2d02d381f7fd9a5cc3b52be9a2e4727c006
SHA512	50036e765f8c95f8511f6961888e42378225c98cf0f57423c3c91a6b154d2220be251e38f1ab04f59cace563c6a8701b08097762f71f875b371655dbdb560622

C:\Users\Admin\AppData\Roaming\Httva\VCRUNTIME140.dll

MD5	49c96cecda5c6c660a107d378fdfc3d4
SHA1	00149b7a66723e3f0310f139489fe172f818ca8e
SHA256	69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512	e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\AppData\Roaming\Httva\ear.eml

MD5	58b327325f4203803325c7901fb16ccd
SHA1	6fa0f727ebdaf965744ecf0c67cc6b3fcc745620
SHA256	83477ae6d1da7c9f4a88f067b9f15691c66c51c4c82078ab468cc0c04d0d426c
SHA512	a1c85c473490f4eb5008a45a8af9909cb1caf0dd84602ed7ea08c593091a979d0814cd3c7a2cf6681790162e13315f482a05f53477428b1c946e2d96740eb307

C:\Users\Admin\AppData\Roaming\Httva\towel.vhd

MD5	5b9a5e459770a6dd896c725ba08a1e95
SHA1	546e8af7d2c72661ff63e9f57ab3ff009b863041
SHA256	fff2204de2ce109fe1d8e014e9508368c38d40d9f863678bcf3129978f9db424
SHA512	cc4673cb0b411a26a89a9c22241b5fca0107a11ecf1c8dfad1ec65060e64894fc7b2668cfd8ba1f18236b67fb21985fb8cbf5c3c7213d5040ecbad59d9ef6c22

memory/4804-14-0x00007FFF9EA60000-0x00007FFF9EBD2000-memory.dmp

memory/4804-15-0x00007FFF9EA78000-0x00007FFF9EA79000-memory.dmp

memory/4804-16-0x00007FFF9EA60000-0x00007FFF9EBD2000-memory.dmp

memory/4804-17-0x00007FFF9EA60000-0x00007FFF9EBD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ed5ce50

MD5	d81f39cdad84738e004757bc319c03b8
SHA1	23f374ee188879ef7f0e05177e38fcd9d04d4b82
SHA256	51b26d1f5b676ad1cb3b5a13a958ea0635c35ea44883ab3992d29c1af31b36b9
SHA512	c7a7fb4db6d0222f240812df2bb94aa15e2063fbb4da83d2aa09675b48f8aab9391efc814b85f881b9494dc1691bb0369c4f0d375594729db879ccbc9082d91d

memory/1824-20-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp

memory/1824-22-0x000000007450E000-0x0000000074510000-memory.dmp

memory/1824-23-0x0000000074501000-0x000000007450F000-memory.dmp

memory/1824-27-0x0000000074501000-0x000000007450F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5	c56b5f0201a3b3de53e561fe76912bfd
SHA1	2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256	237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512	195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2628-29-0x0000000000E30000-0x000000000157C000-memory.dmp

memory/2628-31-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp

memory/2628-32-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2628-44-0x0000000000E30000-0x000000000157C000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win7-20231129-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\HDHelper_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	76.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	0.204.248.87.in-addr.arpa	udp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
US	8.8.8.8:53	45.56.20.217.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	31.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	0.205.248.87.in-addr.arpa	udp
US	8.8.8.8:53	31.243.111.52.in-addr.arpa	udp
US	8.8.8.8:53	208.238.32.23.in-addr.arpa	udp
US	8.8.8.8:53	13.173.189.20.in-addr.arpa	udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-conio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-conio-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
US	8.8.8.8:53	17.160.190.20.in-addr.arpa	udp
US	8.8.8.8:53	249.197.17.2.in-addr.arpa	udp
BE	2.17.107.105:443	www.bing.com	tcp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	8.8.8.8:53	21.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	11.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53		udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-locale-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-locale-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	58.55.71.13.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	20.231.121.79:80		tcp
US	8.8.8.8:53	67.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	95.221.229.192.in-addr.arpa	udp
US	8.8.8.8:53	228.249.119.40.in-addr.arpa	udp
US	8.8.8.8:53	15.164.165.52.in-addr.arpa	udp
US	13.107.246.64:443		tcp
US	8.8.8.8:53	154.239.44.20.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140.dll,#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

120s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140_app.dll,#1

Signatures

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2496 wrote to memory of 960	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 960	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 960	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 960 -ip 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 604

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	101.58.20.217.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	50.23.12.20.in-addr.arpa	udp
US	8.8.8.8:53	206.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	99.58.20.217.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	31.243.111.52.in-addr.arpa	udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\VSLauncher_[0MB]_[1].exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	17.160.190.20.in-addr.arpa	udp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53		udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-string-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
BE	88.221.83.187:443	www.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	71.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	187.83.221.88.in-addr.arpa	udp
US	8.8.8.8:53	55.36.223.20.in-addr.arpa	udp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	31.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-sysinfo-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-sysinfo-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-private-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-private-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
US	8.8.8.8:53	138.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
BE	88.221.83.187:443	www.bing.com	tcp
US	8.8.8.8:53	99.58.20.217.in-addr.arpa	udp
US	8.8.8.8:53	88.156.103.20.in-addr.arpa	udp
US	8.8.8.8:53	187.83.221.88.in-addr.arpa	udp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	249.197.17.2.in-addr.arpa	udp
US	8.8.8.8:53	206.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	21.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win7-20240220-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
US	8.8.8.8:53	249.197.17.2.in-addr.arpa	udp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	15.164.165.52.in-addr.arpa	udp
US	8.8.8.8:53	31.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	208.238.32.23.in-addr.arpa	udp
US	8.8.8.8:53	240.197.17.2.in-addr.arpa	udp
US	8.8.8.8:53	31.243.111.52.in-addr.arpa	udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-util-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-core-util-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4484,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
US	8.8.8.8:53	133.32.126.40.in-addr.arpa	udp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	249.197.17.2.in-addr.arpa	udp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
US	8.8.8.8:53	15.164.165.52.in-addr.arpa	udp
US	8.8.8.8:53	101.58.20.217.in-addr.arpa	udp
IE	52.111.236.22:443		tcp
US	8.8.8.8:53	11.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\python310.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\python310.dll,#1

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	67.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	237.197.79.204.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	8.8.8.8:53	11.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	208.238.32.23.in-addr.arpa	udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win7-20240508-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140_app.dll,#1

Signatures

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1988 wrote to memory of 2772	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 2772	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 2772	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 2772	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 2772	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 2772	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1988 wrote to memory of 2772	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 2772 wrote to memory of 2768	N/A	C:\Windows\SysWOW64\rundll32.exe	C:\Windows\SysWOW64\WerFault.exe
PID 2772 wrote to memory of 2768	N/A	C:\Windows\SysWOW64\rundll32.exe	C:\Windows\SysWOW64\WerFault.exe
PID 2772 wrote to memory of 2768	N/A	C:\Windows\SysWOW64\rundll32.exe	C:\Windows\SysWOW64\WerFault.exe
PID 2772 wrote to memory of 2768	N/A	C:\Windows\SysWOW64\rundll32.exe	C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 220

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

127s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\HDHelper_[0MB]_[1].exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1720,i,18320353784098040629,17273168055569331828,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
US	8.8.8.8:53	73.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	101.58.20.217.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	50.23.12.20.in-addr.arpa	udp
US	8.8.8.8:53	99.58.20.217.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	31.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	13.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	219.238.32.23.in-addr.arpa	udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\python310.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\python310.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2960 wrote to memory of 2412	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\system32\WerFault.exe
PID 2960 wrote to memory of 2412	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\system32\WerFault.exe
PID 2960 wrote to memory of 2412	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\vcruntime140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2960 -s 84

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 536

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
BE	2.17.107.105:443	www.bing.com	tcp
US	8.8.8.8:53	0.204.248.87.in-addr.arpa	udp
US	8.8.8.8:53	136.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	43.58.199.20.in-addr.arpa	udp
US	8.8.8.8:53	105.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	219.238.32.23.in-addr.arpa	udp
US	8.8.8.8:53	12.173.189.20.in-addr.arpa	udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win7-20240508-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\VSLauncher_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-15 01:57

Reported

2024-06-15 02:00

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SETAP_9090__Pa$$W0rdS~!!\x86\api-ms-win-crt-heap-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8

Network

Country	Destination	Domain	Proto
NL	52.142.223.178:80		tcp

Files

N/A

Sample ID	240615-cdhf6svgmc
Target	a575539b1d321f7608c041ce115828d7d3615f8011e0f879e39bd83b8ef2bd8c.zip
SHA256	a575539b1d321f7608c041ce115828d7d3615f8011e0f879e39bd83b8ef2bd8c
Tags	stealc vidar discovery spyware stealer

Malware Analysis Report

2024-09-11 16:49

Table of Contents