Malware Analysis Report

2024-10-16 06:44

Sample ID 240619-dmdp1sxbmm
Target PS22PS4-GUI.zip
SHA256 86751484f8839d465a2dea02959ed424cda2733aa415b1eb714b28a02be39cd3
Tags
upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15


Analysis Overview

score
7/10

SHA256

86751484f8839d465a2dea02959ed424cda2733aa415b1eb714b28a02be39cd3

Threat Level: Shows suspicious behavior

The file PS22PS4-GUI.zip was found to show suspicious behavior.

Malicious Activity Summary

upx

UPX packed file

Launches sc.exe

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 03:07

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4.exe

"C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4540 /prefetch:8

Network


Files

memory/1816-0-0x0000000000400000-0x0000000000672000-memory.dmp

memory/1816-1-0x0000000000850000-0x0000000000851000-memory.dmp

memory/1816-2-0x0000000000400000-0x0000000000672000-memory.dmp

memory/1816-4-0x0000000000850000-0x0000000000851000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:08

Platform

macos-20240611-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Iso9660.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Iso9660.dll,#1

Network


Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\lzfse-net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\lzfse-net.dll,#1

Network


Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\nunit.framework.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\nunit.framework.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\di.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\di.exe

"C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\di.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network


Files

memory/4844-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240611-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Streams.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Streams.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\lzo.net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\lzo.net.dll,#1

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\nunit.framework.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\nunit.framework.dll,#1

Network


Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Iso9660.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Iso9660.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:08

Platform

win10v2004-20240611-en

Max time kernel

43s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe C:\Windows\system32\cmd.exe
PID 3232 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe C:\Windows\system32\cmd.exe
PID 3040 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Program Files\dotnet\dotnet.exe
PID 3040 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Program Files\dotnet\dotnet.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe

"C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c s.bat

C:\Program Files\dotnet\dotnet.exe

dotnet --list-runtimes

Network


Files

memory/3232-0-0x00007FFCCD2C3000-0x00007FFCCD2C5000-memory.dmp

memory/3232-1-0x000001AAB5C90000-0x000001AAB5CE8000-memory.dmp

memory/3232-2-0x00007FFCCD2C0000-0x00007FFCCDD81000-memory.dmp

memory/3232-3-0x00007FFCCD2C0000-0x00007FFCCDD81000-memory.dmp

memory/3232-4-0x00007FFCCD2C0000-0x00007FFCCDD81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\s.bat

MD5 d47abb0f1c515fa7ebf6adfe7fd941c0
SHA1 20ead5d2872e2831bc245ca3d34fc43f67775f70
SHA256 07ae7cdd12c6ffdb1173fa5413b894e70ada7ed6f27f3e3d6999a29e6e0f8cf0
SHA512 c93722740beeb71803d92777ffa3584710200291bf6e2bb6aa3f907f6d10b1a5f2e7eae74ff92d580fb66bb6963144c81430e31dff9232ad7a9074ff59bf53c2

memory/3232-8-0x00007FFCCD2C0000-0x00007FFCCDD81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\r.txt

MD5 7c0ca124b478c82d12bc7b31098573a7
SHA1 6bd2dad140dc7f2baee34804ebf66868b0a20728
SHA256 8d3fb6137fbe6c91f31cd9c01795736adfce7d0535c65dfa77160c85dc60e82f
SHA512 b6fd96ee24b7d9f24dbb33c06b7f68fa14859f119280c1df45ee86f959dd3c4a4d8e1a544b645f0b6993a2679478ec3d00ef1a559cb8c19df7cf45b324f8812a

memory/3232-11-0x00007FFCCD2C0000-0x00007FFCCDD81000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\libatrac9.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 4028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3452 wrote to memory of 4028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3452 wrote to memory of 4028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\libatrac9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\libatrac9.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 604

Network


Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\sc.exe"

Signatures

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\sc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\sc.exe

"C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\sc.exe"

Network

N/A

Files

memory/2080-0-0x0000000000400000-0x0000000000509000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240220-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{205359D1-2DE9-11EF-9ED8-52FE85537310} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b05b3cf6f5c1da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not captured] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd93e84a7de7854fb8617d3bed6d138200000000020000000000106600000001000020000000b30b8dcf33db8074c0c8aa493993ef56966a19384406b6e5e7d94de1d53d4a54000000000e8000000002000020000000dbd647788f9aa18b8917630699b2d94dcdf29c9c5239cb7ab566102eaa5e885e2000000098cebeb7d2433c4b5141a5d9751eb71d7c3efb6d37113f0860624e42f69cf03e400000006d314f1acdb59dc451e1b447ce1a7fa7bd551084aa6b838b76396ff76e1c435f917c40f00ac1f43a71133d39fd43ccb4c65b67cd55e577074e595f3e165cf633 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe

"C:\Users\Admin\AppData\Local\Temp\PS22PS4-GUI.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=PS22PS4-GUI.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:275457 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar40BF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53b2a3d4938cb88e9a7e5843d85b97d0
SHA1 1ede9638529dcd2007650092e55c3152449aa875
SHA256 795aef9f6c4b1fea217c86d53e2eaf3416d4eab87aff9afa250f9e4069d1ee75
SHA512 87d1b8b0fc7e86a82fd650e441e1b71c687bb3a82c11284b9c7860f986fffcc03151fa3c238471869746a812865c73803cd76dbec09c9cf0187abc763c832f24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a079122b054f3d740c79801dbaccd1b
SHA1 3a7572f94396fdda2826b8ab4c2c23f444df02c4
SHA256 7c945e4d0f26f9683dacd0ef4710bf68ccc2c5e99e6fb6f068f58e25a0026684
SHA512 6f06c474047d0b48c770adbf63bddecc61cd9b2324746ca7fe0c6e55e6e1eedb7735a693d98f2e0ae818549bffe47cd30060e9a54b37cfe460f5d91aeb5c2108

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b5126e86628aefdd794caa5a9cc9b14
SHA1 1a50a47b0b93bfab9ddb72d6f9b55bd4c4e51780
SHA256 f3f6aabb355c0e151595bb99be11a3db02584360655fd6443a9c18e9cebeb211
SHA512 6f931dc4a236418d3d24e495593b2d86c917c6295357a0761634d5d4bf3ee8c905c95256040571ab82def89f782ecc8c2d52f31e8847fc495cc0e2133072bd4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86383064a64416763eaf538bb4f41b8c
SHA1 6740aaf2fd4840618bd4344e09ab4682a6d9a717
SHA256 a397df86f4b6c20e98a47506e1c5d19df340077d974795f03330e82578c074fa
SHA512 7a2b36c0b5206f34ca9250e04c65b6daf9ff7bbc4b00cc08cf681078446fab63dbc548933f54f7d63eabd7b6f536270619b28121ec87074e5f0f6959cf9fd55f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa093683dbff2c40c70d6ad47cca6f02
SHA1 b319792acdbd7767743709f78dcd368ad1f3313b
SHA256 9eed54f24eb15308fd301df36ee7a814cfe639d62b485ee40730bed9c118ec1a
SHA512 222249c2190714f28aeb2d7fe54ba147cfacea6ac79b3c32ebe7790c0a22bac6fdda32f8750b0a34ecb7201bd8fd67b8e224952a63a3664a7c7320220d550e7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0128553b04340a76aca9883b18d2394
SHA1 5f710a7787b66787720b0984fdfe8f2765de3996
SHA256 bff51b5c468da50ee816feb80096c8ed8f2ac3a1dbf137d565c40a4d763b5acf
SHA512 7e2a586b8c62e142c361e2bba30800df0ff840b8019833d2d4c31855029c573264f7e0dad043a0fa7871b9af057fc42f909e551566a38253c08f400361b42a25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0786878ec464f2b28f2318eb8d2ec8c
SHA1 d6c4e74176afd39b1fc09ee64b14f7850301b95b
SHA256 6a039170db506a2e96a5f8d503db0120d99a57f09f78e0c27c4b988a63d77e5a
SHA512 8bdcafca82bd79d2193ab9858b14853305d158b60d4a7c96072ef0462784fdae1e0dc40e979cf8d699153052bf48d7ac9c7f353616d9dd566c9638b568b06228

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2fb71ffd0e54e2f37e48f3c37466adb
SHA1 253a1dda64c8f3bdd2cf31f7cb8f1602658d7aed
SHA256 c19dcf50ff961239d35508ff10fb80415c292bcccfca9a0cfaff2ca059f274ce
SHA512 bdb3b0bb6438ebbd111aa40971a55d3b2b360803807467a46ca3ed00f325cbd0a643dcaab70fe66c6b3a643f1687786b417c124a0816f425fc116ec7545e4ade

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24c95f5ad956fe9fb9dbdf8aec8060ae
SHA1 762ce5b3a1bbc33afc4bef8b123b0757c1f8d0d6
SHA256 3775fd5e32c95392d2919b5b51cbba8b2504d6d37efc686025ab77db86a793bd
SHA512 e4a38803d1c7f2c6f6ba4731a8a6797d3dfab592f8cc3a173e1c25ccba2de708cc42a6ecbd8aac425af9e7cead2ef47c8cc16e7c4ad9a78ba7d821069f5270a2

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240611-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\libatrac9.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 3000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 3000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 3000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 3000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 3000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 3000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 3000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\libatrac9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\libatrac9.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240220-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4_patch.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4_patch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4_patch.exe

"C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4_patch.exe"

Network

N/A

Files

memory/1992-0-0x0000000000400000-0x0000000000672000-memory.dmp

memory/1992-1-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/1992-2-0x0000000000400000-0x0000000000672000-memory.dmp

memory/1992-4-0x00000000002C0000-0x00000000002C1000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
BE 23.41.178.65:443 www.bing.com tcp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 65.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\HtmlAgilityPack.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\HtmlAgilityPack.dll,#1

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\di.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\di.exe

"C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\di.exe"

Network

N/A

Files

memory/1992-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\sc.exe"

Signatures

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\sc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\sc.exe

"C:\Users\Admin\AppData\Local\Temp\bin\tools\ext\sc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 23.41.178.82:443 www.bing.com tcp
US 8.8.8.8:53 82.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1088-0-0x0000000000400000-0x0000000000509000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Streams.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Streams.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Registry.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Registry.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 215.169.36.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\lzfse-net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\lzfse-net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Registry.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Registry.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240508-en

Max time kernel

61s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Core.dll,#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Net.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240611-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\HtmlAgilityPack.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\HtmlAgilityPack.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240611-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\lzo.net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\lzo.net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240221-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4.exe

"C:\Users\Admin\AppData\Local\Temp\bin\tools\gengp4.exe"

Network

N/A

Files

memory/2212-0-0x0000000000400000-0x0000000000672000-memory.dmp

memory/2212-1-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2212-2-0x0000000000400000-0x0000000000672000-memory.dmp

memory/2212-4-0x0000000000250000-0x0000000000251000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 03:07

Reported

2024-06-19 03:10

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\dlls\DiscUtils.Core.dll,#1

Network

N/A

Files

N/A