Malware Analysis Report

2025-01-03 09:16

Sample ID 240620-pvb2yaxfka
Target 060c254c36654b7bc83a99731a9d5e1c_JaffaCakes118
SHA256 ab8f1636fd3957f1f356b0fef153dbdf685f6d8488eb7919ca7f163c8cad5832
Tags
upx persistence bootkit evasion trojan
Score
7/10

Analysis Overview

Score
7/10

SHA256

ab8f1636fd3957f1f356b0fef153dbdf685f6d8488eb7919ca7f163c8cad5832

Threat Level: Shows suspicious behavior

The file 060c254c36654b7bc83a99731a9d5e1c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx persistence bootkit evasion trojan

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Deletes itself

UPX packed file

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

NSIS installer

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 12:38

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\gdiplus.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\gdiplus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\gdiplus.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 756 -ip 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 596

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\t7online_3_coolfire_v1_5.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 3564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\t7online_3_coolfire_v1_5.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\t7online_3_coolfire_v1_5.dll,#1

Network

Files

memory/3564-0-0x0000000000770000-0x00000000007E2000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ð¶ÔØ³ÌÐò.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ð¶ÔØ³ÌÐò.exe

"C:\Users\Admin\AppData\Local\Temp\Ð¶ÔØ³ÌÐò.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 cda06a7a40d449b8a12842151be4a22a
SHA1 36f1f3a44c89582da07904260f2fd7a59914d8b4
SHA256 97bc81f7ded433e52ec27330c2ebdfd2909503f6a710a6fd7410e2771817980e
SHA512 6db6cf1ae7ab54ffd21516f3731f3bc1cb65733259b3cb296516c6ba1665f89cdeca7eb45b88239838b9594fead2cf900cfb7483caa090c11a2dd4177ceb4274

C:\Users\Admin\AppData\Local\Temp\nsd74B5.tmp\KillProcDLL.dll

MD5 83142eac84475f4ca889c73f10d9c179
SHA1 dbe43c0de8ef881466bd74861b2e5b17598b5ce8
SHA256 ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729
SHA512 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\nsv4865.tmp\InstallOptions.dll

MD5 1d5c649dde35003a618b9679d5d71b92
SHA1 0409bbab3ab34f8c01289cdd847b4d1a32d05b18
SHA256 0f4d3cee24e3f310fa804983c931d3628613988a24f0be7854f63a9309b8e45f
SHA512 b432ebcc52905662d61a3f17e08e209a3f9d836a9071b3b5e80070af7ebcf34cf66c44426dda041c2a258fda4787e5692e2b35acbcd73288fb84fe3c977bbfd9

C:\Users\Admin\AppData\Local\Temp\nsv4865.tmp\ioSpecial.ini

MD5 040c821f1dce7467fb9b209fe6f4aa74
SHA1 49c33f609006001b27d01cdbcd929cbeb1e1dfd0
SHA256 40989d052c2101ddeee64aa8fb229b6f648018bcb0f6fa4fd717fd88d982da35
SHA512 fa8e5f7ef667fe5d846ab6f8e4852fddad5f3632649ae6d2fbfd56c10ec5f38ba538509a45fbdadfc7b45f58abf2bb59df8b7f8969c9461fbcf5f6359c327314

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 4916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4916 -ip 4916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 624

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20231129-en

Max time kernel

140s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Update.exe

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cfishsoft.com udp
HK 45.137.11.59:80 www.cfishsoft.com tcp

Files

memory/2140-0-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/2140-1-0x0000000000AD0000-0x0000000000BCA000-memory.dmp

memory/2140-2-0x0000000002630000-0x0000000002788000-memory.dmp

memory/2140-3-0x0000000000400000-0x00000000004FA000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240220-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XDeskWeather = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDeskWeather.exe" C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe

"C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe"

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe" checkupdate

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cfishsoft.com udp
HK 45.137.11.59:80 www.cfishsoft.com tcp
US 8.8.8.8:53 weather.tq121.com.cn udp

Files

C:\Users\Admin\AppData\Local\Temp\save.ini

MD5 bb745d39486ec5553f844658a6eb8953
SHA1 c899cbe1b27101c943a634009efa6a29ce6dbfed
SHA256 2d0b024f232aad62c51a008a6c6d97f6bdee9ef4dd3723a28a2451a3af75a8bb
SHA512 a6612cb3b823997acaebe1ed9bb79c754348966703e83250ca4b2dc3766fc5373b45ad26b1013cbc406f94871eb7af71b48e1ccded91afe0d1cc9d402c54f75a

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

110s

Max time network

120s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\»¶Ó­·ÃÎÊ×ÀÃæÌìÆøÐãÖ÷Ò³.url

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3976 wrote to memory of 2916 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\»¶Ó­·ÃÎÊ×ÀÃæÌìÆøÐãÖ÷Ò³.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cfishsoft.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5560 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3888 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4916 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5484 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5924 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=4564 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6068 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5756 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5744 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.cfishsoft.com udp
US 8.8.8.8:53 www.cfishsoft.com udp
US 8.8.8.8:53 www.cfishsoft.com udp
HK 45.137.11.59:80 www.cfishsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
HK 45.137.11.59:80 www.cfishsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 www.cfishsoft.com udp
US 8.8.8.8:53 www.cfishsoft.com udp
US 8.8.8.8:53 www.cfishsoft.com udp
US 13.107.6.158:443 business.bing.com tcp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.21.189.233:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 2.20.12.87:443 bzib.nelreports.net tcp
HK 45.137.11.59:443 www.cfishsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
HK 45.137.11.59:443 www.cfishsoft.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 59.11.137.45.in-addr.arpa udp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 8.8.8.8:53 233.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 87.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 www.cfishsoft.com udp
US 8.8.8.8:53 comics.veryim.com udp
US 8.8.8.8:53 comics.veryim.com udp
US 8.8.8.8:53 comics.veryim.com udp
US 8.8.8.8:53 comics.veryim.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
HK 45.137.11.58:443 comics.veryim.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
HK 45.137.11.58:443 comics.veryim.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 comics.veryim.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 comics.veryim.com udp
US 8.8.8.8:53 comics.veryim.com udp
US 8.8.8.8:53 comics.veryim.com udp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
US 8.8.8.8:53 58.11.137.45.in-addr.arpa udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
US 8.8.8.8:53 comics.veryim.com udp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
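The table above mixes what the sample did with what the Windows 10 + Edge image does on its own (reverse-DNS lookups the sandbox issues for every peer, Bing, SmartScreen and telemetry hosts). The following is an added example, not part of the report or of the sandbox's tooling: a parser for rows in this "Country Destination Domain Proto" layout that drops the background traffic and returns, per domain, the endpoints actually contacted, plus the names that were resolved but never connected to (the single DNS row under behavioral6, where Update.exe looks up www.cfishsoft.com and goes no further, is that case). The noise-suffix list is an assumption for this sandbox image and should be tuned per environment; SAMPLE_TABLE and SAMPLE_TABLE_UPDATE are constructed excerpts made from the report's own rows.

```python
"""Reduce a sandbox network table to the endpoints worth attributing to the sample.

Added example, not part of the report. Parses the flattened
'Country Destination Domain Proto' rows, discards the detonation VM's own
background traffic and keeps the domains the sample really connected to.
"""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed excerpt of the report's table (a representative subset of rows).
SAMPLE_TABLE = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 www.cfishsoft.com udp
HK 45.137.11.59:80 www.cfishsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
HK 45.137.11.59:443 www.cfishsoft.com tcp
US 8.8.8.8:53 comics.veryim.com udp
HK 45.137.11.58:443 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
N/A 224.0.0.251:5353 udp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
NL 23.62.61.97:443 www.bing.com tcp
"""

# Constructed excerpt: the only network row of behavioral6 (Update.exe).
SAMPLE_TABLE_UPDATE = "US 8.8.8.8:53 www.cfishsoft.com udp\n"

# Hosts the Windows 10 + Edge image talks to by itself (assumption for this sandbox).
PLATFORM_NOISE_SUFFIXES = (
    ".microsoft.com", ".bing.com", ".bing.net", ".nelreports.net",
    ".azureedge.net", ".s-microsoft.com", ".googleapis.com",
)


def is_platform_noise(domain: Optional[str], suffixes=PLATFORM_NOISE_SUFFIXES) -> bool:
    return bool(domain) and domain.endswith(suffixes)


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # absent for the mDNS row
    proto: str

    @property
    def is_dns_query(self) -> bool:
        return self.proto == "udp" and self.port == 53

    @property
    def is_ptr_lookup(self) -> bool:
        return bool(self.domain) and self.domain.endswith(".in-addr.arpa")


def parse_table(text: str) -> List[Flow]:
    """Parse 'Country ip:port [domain] proto' rows; the domain column may be missing."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue  # blank line or header row
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def sample_endpoints(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Domains contacted (not merely resolved) that are not sandbox/OS background noise."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.domain is None or f.is_dns_query or f.is_ptr_lookup or is_platform_noise(f.domain):
            continue
        out[f.domain].add(f"{f.ip}:{f.port}")
    return dict(out)


def resolved_but_never_contacted(flows: List[Flow]) -> Set[str]:
    """Names looked up with no following connection: dead infrastructure or blocked egress."""
    queried = {f.domain for f in flows if f.is_dns_query and not f.is_ptr_lookup}
    contacted = {f.domain for f in flows if f.domain and not f.is_dns_query}
    return {d for d in queried - contacted if not is_platform_noise(d)}


if __name__ == "__main__":
    flows = parse_table(SAMPLE_TABLE)
    for domain, endpoints in sorted(sample_endpoints(flows).items()):
        print(f"{domain:30} {', '.join(sorted(endpoints))}")
    print("resolved only:", resolved_but_never_contacted(parse_table(SAMPLE_TABLE_UPDATE)))
```

Run against the full table this leaves www.cfishsoft.com and comics.veryim.com on 45.137.11.59/58 plus the two Baidu analytics hosts, which is the set an analyst would actually pivot on; everything else in the table is the image talking to Microsoft.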

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_bg.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\#Ö>ð C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ë“0(S C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\#Õ5ð C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\› 4˜Ë C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\‹•-ˆU C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\#A,ð C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Q0’ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\£Ã4p C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\û(8Æ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ëÈ+( C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\£Â+p C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\kl*¨¬ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\K-ÈÞ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\S_-àŸ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\£V3p– C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\“ ) ` C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\“6 Î C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\®+o C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ˆ1I C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\+÷1è7 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\!0 â C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\»Y5x™ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Û94Xù C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\c8\°ø C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÃF\P† C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\C´+Ðt C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ûÑ>8 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\«å0h% C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\;Ù0ø C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\K 3Èà C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\;ý5ø= C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Kè6È( C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ã•)0U C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ë+(¿ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\C}*н C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\s?,Àÿ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ûq>X± C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\KW0È— C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ȃ3x C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\¬2m C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\{«5¸k C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\[&7Øæ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ãº70z C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÃÛ1P C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\“3 Ï C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\³ï3€\ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\›ù2˜9 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ã4PÑ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\«7hÛ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\›7˜] C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ƒ)Ç C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ó;-`û C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ó„-`D C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\#ú3ð: C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\K4ÈM C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\sÀ6À C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\;3(øó C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ór*`² C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÛJ*XŠ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\#\-ðï C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ó3@] C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\{t4¸´ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\så4À% C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ûó-83 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ëú*H: C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\#ú3ð: C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup_bg.exe

"C:\Users\Admin\AppData\Local\Temp\setup_bg.exe"

Network

N/A

Files

\Program Files (x86)\baidu\bar\BDBar_tmp\BaiduBar.dll

MD5 e157dde448a189bd7f1d19bc426c19c9
SHA1 d77a49f443506d580aaebb4d0f3b89587978cf3e
SHA256 1cd2bc2ad6d2de92b478d9474f1af08d792fb5feab356863b5a22a5410085e1d
SHA512 ed1a8a162bba983a4bdf6319e19760bfa7f91fbc5012aa015e1945d2e51e4cb90f02d5ee2033b6331142edadf493ba59717be3bea66e370932ce36daf9b6de96

memory/2372-11-0x0000000002C90000-0x0000000002D95000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
The only evidence behind this hit is a handle opened on \??\PhysicalDrive0 for modification; no write to sector 0 is recorded in this run. Installers also open the raw disk to read geometry or the disk serial, so confirm by comparing sector 0 of the VM before and after detonation before treating this as a bootkit.
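The signature above fires on a handle to \??\PhysicalDrive0 opened for modification; it does not show a write. The following is an added example, not part of the report or of any sandbox tooling: a parser for a 512-byte MBR that separates boot code, disk signature, partition table and the 0x55AA marker, and a diff that reports which of them changed between a sector captured before detonation and one captured after. The two sectors it runs on are constructed (a synthetic baseline and a copy with patched boot code), not dumps from the VM; the 0xDEADBEEF disk signature and the single NTFS partition are made up for the example.

```python
r"""Check whether sector 0 of a disk actually changed after detonation.

Added example, not part of the report. A 'Writes to the MBR' verdict based on a
CreateFile against \??\PhysicalDrive0 is settled by diffing the sector itself:
a bootkit replaces the boot code and leaves the partition table alone, while a
repartition or disk-signature rewrite shows up in the other fields.
"""

import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
BOOTCODE_LEN = 440        # bytes 0..439 hold boot code; 440..443 the disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIG_OFF = 510             # 0x55AA boot signature


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class Mbr:
    bootcode_sha256: str
    disk_signature: int
    partitions: List[Partition]
    valid_signature: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Parse a classic MBR sector (a GPT protective MBR parses as one 0xEE partition)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return Mbr(
        bootcode_sha256=hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        partitions=parts,
        valid_signature=sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
    )


def diff_mbr(before: bytes, after: bytes) -> Dict[str, bool]:
    """Report which MBR regions differ between two captures of sector 0."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {
        "bootcode_changed": a.bootcode_sha256 != b.bootcode_sha256,
        "disk_signature_changed": a.disk_signature != b.disk_signature,
        "partition_table_changed": a.partitions != b.partitions,
        "signature_valid_after": b.valid_signature,
    }


def _synthetic_mbr(bootcode_fill: bytes) -> bytes:
    """Constructed MBR: filler boot code, one bootable NTFS partition, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOTCODE_LEN] = (bootcode_fill * BOOTCODE_LEN)[:BOOTCODE_LEN]
    struct.pack_into("<I", sector, BOOTCODE_LEN, 0xDEADBEEF)  # made-up disk signature
    # entry 0: bootable, type 0x07 (NTFS), LBA 2048, 204800 sectors (made up)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


BASELINE_MBR = _synthetic_mbr(b"\x90")      # NOP-filled stand-in for stock boot code
PATCHED_MBR = _synthetic_mbr(b"\xeb\xfe")   # same layout, boot code replaced


if __name__ == "__main__":
    # On a live Windows host read the sector from an elevated prompt with
    # open(r"\\.\PhysicalDrive0", "rb").read(512), once before and once after the run.
    print(parse_mbr(BASELINE_MBR))
    print(diff_mbr(BASELINE_MBR, PATCHED_MBR))
```

Feed diff_mbr the pre- and post-detonation captures: bootcode_changed with an unchanged partition table is the bootkit pattern; no differences at all means the handle open was read-only in effect and the signature can be downgraded.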

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe

"C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3028,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.sogou.com udp
SG 119.28.109.132:80 www.sogou.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 pinyin.sogou.com udp
NL 23.62.61.155:443 www.bing.com tcp
HK 129.226.102.244:80 pinyin.sogou.com tcp
US 8.8.8.8:53 132.109.28.119.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 244.102.226.129.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1956-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-1-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-2-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-3-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-4-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-5-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-6-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-7-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-8-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-9-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-10-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-11-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-12-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-13-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1956-14-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ð¶ÔØ³ÌÐò.exe"
(GBK file name rendered through the VM's Windows-1252 code page; it decodes to 卸载程序.exe, "Uninstaller.exe")

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
This hit and the "Deletes itself" hit above are the standard NSIS uninstaller sequence: the uninstaller copies itself to %TEMP%\~nsu.tmp\Au_.exe, relaunches that copy with _?= pointing at the directory it is to clean (here C:\Users\Admin\AppData\Local\Temp\), and the copy removes the original. KillProcDLL.dll under nsd3371.tmp is the NSIS plugin of that name, used by installer scripts to terminate processes before files are removed.

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ð¶ÔØ³ÌÐò.exe

"C:\Users\Admin\AppData\Local\Temp\Ð¶ÔØ³ÌÐò.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
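Several command lines in this report, the .url argument to rundll32 in the earlier analysis and the Ð¶ÔØ³ÌÐò.exe sample above, carry file names that the en-US VM displayed through its Windows-1252 code page although the sample wrote them as GBK. The following is an added example, not part of the report: it reverses that rendering so the real names can be read and searched for. The code-page pair (cp1252 as shown, GBK as written) is an assumption matched to this Chinese-locale sample; the entries in SAMPLE_NAMES are copied from the report, and one BDBar_tmp name is included to show that names which are not GBK text at all fail the round trip.

```python
"""Recover GBK file names that a Western-locale sandbox rendered as mojibake.

Added example, not part of the report. The VM runs with ANSI code page 1252, so
a name the sample created from GBK bytes is shown by re-interpreting those
bytes as cp1252 characters. Encoding the shown text back to cp1252 and decoding
it as GBK recovers the original; names that are not valid GBK (the random
BDBar_tmp names) raise on decode and are reported as None.
"""

from typing import Dict, Optional

# Names copied from the report's command lines and file table (constructed input).
SAMPLE_NAMES = [
    "»¶Ó\xad·ÃÎÊ×ÀÃæÌìÆøÐãÖ÷Ò³.url",  # rundll32 ieframe.dll,OpenURL argument (\xad is a soft hyphen)
    "Ð¶ÔØ³ÌÐò.exe",                   # behavioral31 command line
    "#Ö>ð",                          # one of the BDBar_tmp names from behavioral21
    "setup_bg.exe",                  # plain ASCII, must pass through unchanged
]


def degarble(name: str, shown_as: str = "cp1252", original: str = "gbk") -> Optional[str]:
    """Return `name` re-decoded as `original`, or None if it is not text in that code page.

    `shown_as` is the code page the sandbox used to display the bytes; `original`
    is the code page the sample wrote them in. Both are parameters so other
    pairings (for example cp1252 -> shift_jis) can be tried on other samples.
    """
    if name.isascii():
        return name  # nothing to undo
    try:
        raw = name.encode(shown_as)
    except UnicodeEncodeError:
        # Characters outside the display code page cannot have come from this
        # mojibake path, so the name was not produced by mis-rendering bytes.
        return None
    try:
        return raw.decode(original)
    except UnicodeDecodeError:
        return None  # e.g. a GBK lead byte followed by an invalid trail byte


def degarble_all(names) -> Dict[str, Optional[str]]:
    """Map each shown name to its recovered form (None where recovery fails)."""
    return {n: degarble(n) for n in names}


if __name__ == "__main__":
    for shown, recovered in degarble_all(SAMPLE_NAMES).items():
        print(f"{shown!r:45} -> {recovered!r}")
```

The two recovered names, 欢迎访问桌面天气秀主页.url ("Welcome to the Desktop Weather Show homepage") and 卸载程序.exe ("Uninstaller.exe"), are the strings to search for in other reports or on a suspect host; the mojibake forms differ with the victim's code page and will not match.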

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 cda06a7a40d449b8a12842151be4a22a
SHA1 36f1f3a44c89582da07904260f2fd7a59914d8b4
SHA256 97bc81f7ded433e52ec27330c2ebdfd2909503f6a710a6fd7410e2771817980e
SHA512 6db6cf1ae7ab54ffd21516f3731f3bc1cb65733259b3cb296516c6ba1665f89cdeca7eb45b88239838b9594fead2cf900cfb7483caa090c11a2dd4177ceb4274

\Users\Admin\AppData\Local\Temp\nsd3371.tmp\KillProcDLL.dll

MD5 83142eac84475f4ca889c73f10d9c179
SHA1 dbe43c0de8ef881466bd74861b2e5b17598b5ce8
SHA256 ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729
SHA512 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Update.exe

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cfishsoft.com udp

Files

memory/4468-0-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4468-1-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/4468-2-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4468-3-0x0000000000400000-0x00000000004FA000-memory.dmp

memory/4468-4-0x00000000006C0000-0x00000000006C1000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2148-0-0x000000002F981000-0x000000002F982000-memory.dmp

memory/2148-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2148-2-0x0000000071A7D000-0x0000000071A88000-memory.dmp

memory/2148-11-0x0000000071A7D000-0x0000000071A88000-memory.dmp

memory/2148-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 d50b3de3129cfb653e5cbbd336ce0e22
SHA1 793cddc2070e66e16e8ca8e7b29532766fcb53dd
SHA256 5821c9e98f6ca57f7499cfb57e89531ac92cf452097016d0eca38075906f3907
SHA512 d8189729a6b2346881c6bba3af307b43acc3ca339c370a0eda70910288e1a507dc5c23ec3393789ed7b9984a179e0e9b24d29b7b44f52545edee740462f5ed7b

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\t7online_3_coolfire_v1_5.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\t7online_3_coolfire_v1_5.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\t7online_3_coolfire_v1_5.dll,#1

Network

N/A

Files

memory/2984-0-0x00000000001C0000-0x0000000000232000-memory.dmp

memory/2984-1-0x00000000001C0000-0x0000000000232000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_china_6_Dong_v1_5.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1396 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1396 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1396 wrote to memory of 1464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_china_6_Dong_v1_5.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_china_6_Dong_v1_5.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/1464-0-0x0000000002120000-0x00000000021AA000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240419-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\skinTools.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\skinTools.exe

"C:\Users\Admin\AppData\Local\Temp\skinTools.exe"

Network

N/A

Files

memory/2452-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2452-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\帮助.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\帮助.chm

Network

N/A

Files

memory/2684-23-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240611-en

Max time kernel

144s

Max time network

130s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\欢迎访问桌面天气秀主页.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000003d3840b37a1c6921c5e71220c3e182c00019e5fe2151e55542da16fde5ed06e4000000000e8000000002000020000000ba2e99886ea1332c832fbe658e4fc65bc29b73f4a361007d8025bd0b05b20f88200000004cddd11b673d05d42a0b6c0d36ec0588d1d7671a72641b66fa1a0e1cc53617e940000000accbe89bfeaf35fb6e259a55b602e5d1e974f23c416779b0b206383ec1d9324e79b844b2d26189e989a62f860ec362614374630b1d6d592731eb6326b0990bb3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600593210fc3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09C4DF81-2F02-11EF-B848-DEDD52EED8E0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425048997" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\欢迎访问桌面天气秀主页.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cfishsoft.com udp
HK 45.137.11.59:80 www.cfishsoft.com tcp
HK 45.137.11.59:80 www.cfishsoft.com tcp
US 8.8.8.8:53 comics.veryim.com udp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
US 8.8.8.8:53 hm.baidu.com udp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp
HK 45.137.11.58:80 comics.veryim.com tcp

Files

memory/2868-0-0x0000000000250000-0x0000000000260000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\20171101170537[1].js

MD5 474f854bf20ad4678c6571941d0e6ccd
SHA1 c02eaa907eb83d70716100b9b731267162f9c15c
SHA256 810742558ab192b061e7407e8f0c4a9e9a723a7d4b687d5d5bb45fbca3269343
SHA512 860895f1d54e3dafcbb1785d5e0ade18b75820d24b1b5e6267362c1b263aac80b3fa29a3c39ba31bea78fc2b7a40345bc31a7763edc1a4bfc8685a8471923b1a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\bottom[1].js

MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

C:\Users\Admin\AppData\Local\Temp\Cab6357.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6415.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1854ffa90b6a21e2d1b04b0663e87ba3
SHA1 8c29ad3b5dc67be05f3e583f32edaa72c4c0cb4c
SHA256 c505ce244bb67b07901685ca795081041c29bca23bf9d3ce8f68cae2712c0e78
SHA512 9be5f5cf95242dadaedf3d93e24b81e3425ff7136acb7f77b87ef750ad08b8a340555490e7ec3b57c7e61dde68ec7f263d94ebfe59b04dc6d2adbda3b85f6c4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34535e8217fe6bf7e29473dd5bfa4efa
SHA1 4f63fd5843d36c17d31d0b0855234d69aa962747
SHA256 c6cb00e0ee95548b8b23ba8789341580a04bd0f8ffcd0f83c34fbedbfdc0b9ca
SHA512 5defbcc9841076700873c11c23e3d7ebc829221d0a15383d8c4181db6d87d92d1410f41f00c1301e07d1bf1261e3e0ca3d73fb3e2617a232dcf4cf69b2cf93a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74d97ce58e54d0afb9ab99b5bb4ae362
SHA1 9264038e1fd531a99befaab47632f462d726d273
SHA256 e30bd44bd150f8af0ba1461a81649b644d65ed32d698f293c406807e6852ec88
SHA512 12d85be366364936e160af7c5a4aa3f6230c3c88de9dd542af7f95d9888bb1489c484730590a967d1d1b022de2173393b3cb088a4f8ab544f83f99db30a9fde8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e315fdf98deaf6b5ecc6ced96830e5c2
SHA1 cb38bfc476881d7e443d51acb077671c3fe63196
SHA256 7298785b9be2f97540530c4eb9c3fee2d99a0308a125dfeeecb0611631aea673
SHA512 b55f5c630207112745d0e3027bca7e9fac7c143c352cce607d28768ab6a39467b53f00d1dac9afbce4a242758ae3aab741af81255726e170112cda5f769ad808

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 872ce10c9a4e092d62477ac0364c03d7
SHA1 b8d00874a0aee2fc2467795b3755f9142561a603
SHA256 f7c84821e5e51c1dd9506e92acb09a00f5bc6bd3decc0e381f6f4f5285d8ba2b
SHA512 cb505921556343bbf917c3da8998792d06ae1569758ecd5dce2c1d08217971fe66e6f98720d5aad3fde2ca8a2df68dec478e7f57039085df0005fa145c9c8812

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5949fd6fbe836e52f98eb997a2a9895a
SHA1 fe9b51e383f6b7c98f6c57322476f4a4030f1336
SHA256 02e6321e2bff64079e6473d6ef3c4736c22f8cc964b418553b2d7fe04a3a22e2
SHA512 4b85f9eb7b176df055b4c139c8cba599a0a9d03d3bd33f4ce4663ac688175859e148c44f90f2f9e91d460fe986c0f95fb388b574cf5a03b92e03ebf098159856

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ddf09acf4ca021c3fffbaafb690b8de
SHA1 c656d0209fd75edf8ad2204b38893891601a4fd0
SHA256 7360c28a530a9f4ab649b8d440152e4ed0da2bf62e704ca52fa40d92a528c52a
SHA512 e064f5afd796b01f70c9f3080a295e965e5075c8e7d345653eaa0542831b12cec3f6570467fe6d4a85a91ef5a38a6884534f1ba410fceef6d7d8db88edc9f2b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0885ee52c741bb91b12332a838b59afb
SHA1 d339fe339baaf9df0619658d46e427f5b93e3f5f
SHA256 f99ffef9724280ad3fd06b95e3655f0d7d24121ccf00a1752bc20935c6594ffb
SHA512 c18634b3bad5f80829fedde853c31a83ef6f9016d2a297a83a991c01c7163463483899f506b8d30e71e91e4eef9a71cbd2f5293aeceb6820269321982004ee67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71c02274c0d976d6c7620d463494460c
SHA1 f64a95ae2f4ec91febeae91524491cb6aefd6d9e
SHA256 a936da16bff6fd82fa040adff0db3aeaf9dadd213c6156eafe7431ff44de0d59
SHA512 90a07e4b9cf9d91c89c5f11b02aacc76d5fb262214e6ccee4716b60850ed8100de74c304e67e5702c074cc02bab5c907956313eb328289e5f87c69875334042c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\favicon[2].ico

MD5 e725d66864070801d7002db772afbe86
SHA1 da258070e63785c241e9c868666d90e1bad77cb8
SHA256 d48f3f338310f5278fc58b4d8c7bb873f6a808921a35cc14aa785bc826b4d919
SHA512 6e133b80aee6f121309d6b550c43ba412cac9aa570e0152bc73f6671b0becc06aebf70393ca258c83b09ee05df2b91b002d89d9f6b55da119644f45bc603b2f7

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\c70czm7\imagestore.dat

MD5 d5f05aba4ed888c9c36ed3b7405bd6a0
SHA1 c69d728f8b52c15ebbfcfd91d9d2df884f78853f
SHA256 1d7d146adfaed1085a44e1549a672d79c21b7655e47a70b48b47fe0d66d251fe
SHA512 be585bded65ed36f0047f26c396d04aa0bb1e7ddd4530d15e00694ec88dca2290e5c0124010adab9b0046987a19ceabc40985c67e8f9208ef52c264ab80822d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16631065604025d7b3f9783a24d182b1
SHA1 0dea3ac99bcf5dbbd12cc4b09220e2a2fe63a216
SHA256 4e82a9ee83f03ae32bc0eaba4b131d70e54cde4954309a5857cbfa631a99f3a8
SHA512 4aa3d2bb66b74f1d050fbced838e0ce37d07b3370aad77ff50ee2514c97386536723c4591bb8f4141740842c9d8f980d60e58111c3e02b468a956843eae85f3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a511d0303fba2903ec450f4fdba1146
SHA1 d471e3338844305cdb0469259beef06e507b016a
SHA256 8c65a5c532e3e72a7d8df862b687814c65130ae1402baf99bee45e23014407e1
SHA512 37840b1f12f317a113c72905552c3f382497cf6cc206728ab40f30f8c65cdf900e0382cf27f24f5d3e70c60786d1b5d46d81f860bd761239e3ea377358c62db6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61d6bb81db7cfa092c7ecd17a76142a6
SHA1 381171957dfe0b773f8a24563b50616cbac7afca
SHA256 a873fb29b03704bebddeb637eb76b46898c557aaa043a572a1eaeac3d531eff2
SHA512 bf4446ed69f70e20c340d3bde281612c752e1d6b6168d81301c4cfc61ec33a0a87e1bc65afb83bf181571060e0a11fd5664b4a448ae59ff46d2fbc0c7643a9bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d2b3cc877b788a654c496d806271398
SHA1 4ed5a39e8b955e1bf1fd469cc248495fd89e4acd
SHA256 65cab07c329be8dff45967bc8a1b41ffae111d00193d437123fb3de3767a3f3c
SHA512 8622b3724b87dc08fd3337a01a9331f5d325e7b24b3865889f38766475586300b7f73c89e096e3a77d63bd9eac9a0075b28f909810fe5e137602d50b67ba2d8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85ec8ddcaf4cf2ac2678eb43083957ea
SHA1 72595d729488d758766f573adfe768f21857dd28
SHA256 9ae9bf4b8698308d6f71c4a494a37382019e37c3f03ba515196726d3dae6d4c5
SHA512 7716faa274b425e8cfc1f4da064b80ae737850719f5956c4f63cc24dbcba8efc8a15cb461c72812e18bf49999450d5ca54aa435e4c6f3307e94af4529481d3fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af35a88f87eb271e0832b3543a58353f
SHA1 55e45b96ce86fef083bcb4a5093ddf94da6e96df
SHA256 ece2b2bbfda93f51643daa15d2cd12ba45c4aaa92d0274cc051c07807ef3e1ec
SHA512 71115f2de588c837e6332139f754e7824ed6fbe0fd07e5427a4e257691a781c8f7d3511ec496613e0b59a582b3128792bf083206903055ac313db5d216d85d66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e39ff1160a5b6e88fac4b390ad86bf1
SHA1 9f0da7e6a68adada0fee15b79f14fc029287774e
SHA256 96d98e7c4dea0c8de01cb8277e31df3c3fed36488a4f55e77e5950617adeda7b
SHA512 de242981b693e1714ba15c2dc2951979bd0aaa3be5b0898ec161a2e2ec05508874fb71ee82b99444862a3766af5f7f8b05a3538074c35ae7a2c66074373aac22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58e3c5de7757dc4221972e86a83036f6
SHA1 33da1d71a5b9cde8ed9623609dd527964dc60885
SHA256 2b647c4c960979d73da30c7b83c5273dd169a64d8cac0c3c251d5bae28e06f3d
SHA512 076dc4d1c51a78de15a466cae12dbc27131ca947186856d705dba2a6ecb5e5a0f3478979049cc68b9c84a293609d6ad3a30e9efda1549525e8d96ec5deb8d3db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46bc0ab299c917a4f17c1caa9d419803
SHA1 7f50aac9a20650f89db5afc787857b0c11cf146a
SHA256 564c630fdf6044b117278d490bed83d57719f132a0fde41294280974baa3df6c
SHA512 0794ce90ac526fd7156f31cdfdab608b6c692bd9afd7c6dfbfc58a84d78958982cb624ef2162f7bae2648cfa44126dcd1b989efb4a39efdccbe3a4848b6da823

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec4f8d566e3fd2b4b0c3714f8405b320
SHA1 e3ddaf7a04671a6b368930f42261c10914ab4001
SHA256 42c68a57a44a86f25377496f0296cf4fa126edc8522d6936e29b8c72707ffb18
SHA512 17830ed078832640fece32583e02b30dc6138800130925b3f97c6e577d4ba6e05ecfcd3231df222a3eae14ecd6c68df9f8a8979eb7f2d1d0814f3768d9b6f015

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240611-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 248

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XDeskWeather = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDeskWeather.exe" C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe

"C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 weather.tq121.com.cn udp

Files

memory/516-0-0x0000000000400000-0x0000000000558000-memory.dmp

memory/516-1-0x0000000000C60000-0x0000000000C61000-memory.dmp

memory/516-6-0x0000000005620000-0x00000000056AA000-memory.dmp

memory/516-7-0x0000000005620000-0x00000000056AA000-memory.dmp

memory/516-8-0x0000000000400000-0x0000000000558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\save.ini

MD5 bb745d39486ec5553f844658a6eb8953
SHA1 c899cbe1b27101c943a634009efa6a29ce6dbfed
SHA256 2d0b024f232aad62c51a008a6c6d97f6bdee9ef4dd3723a28a2451a3af75a8bb
SHA512 a6612cb3b823997acaebe1ed9bb79c754348966703e83250ca4b2dc3766fc5373b45ad26b1013cbc406f94871eb7af71b48e1ccded91afe0d1cc9d402c54f75a

memory/516-44-0x0000000000400000-0x0000000000558000-memory.dmp

memory/516-45-0x0000000000C60000-0x0000000000C61000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_sohu.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
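The seven rows above are one parent (the 64-bit rundll32.exe in System32) writing into one child (its SysWOW64 copy). That is what a 64-bit rundll32 does when handed a 32-bit DLL: it relaunches the 32-bit rundll32 with the same arguments, and the writes it performs into the child during process creation are logged as WriteProcessMemory. The script below is an added example, not part of this report or the sandbox; it collapses such rows per PID pair and separates that expected handoff from a write into an unrelated image. The first sample row is copied from the table above, the row targeting explorer.exe is constructed, and the verdict labels are the script's own.

```python
"""Triage "PID A wrote to memory of B" rows from a sandbox report.

Added example for this report, not sandbox code. The first sample row is
the one the report shows; the explorer.exe row is constructed. Verdict
strings are this script's own labels.
"""
import ntpath
import re
from collections import Counter

# Row layout: PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>
_ROW = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) "
    r"(?P<indicator>\S+) (?P<src>[A-Za-z]:\\.+?) (?P<dst>[A-Za-z]:\\.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


def classify_write(src, dst):
    """Label one cross-process write by the two image paths involved."""
    s, d = src.lower(), dst.lower()
    if (ntpath.basename(s) == ntpath.basename(d)
            and s.startswith(SYSTEM32) and d.startswith(SYSWOW64)):
        # A 64-bit host binary given a 32-bit DLL relaunches its SysWOW64 copy;
        # the parent writes into the child while creating it, and sandboxes
        # record that as WriteProcessMemory. Expected, not injection.
        return "wow64-handoff"
    if s == d:
        # Same image on both sides: a plain re-exec or an unpacking stage.
        return "self-relaunch"
    # Different image: classic injection / hollowing candidate.
    return "cross-process-write"


def triage_writes(rows):
    """Collapse repeated rows per (src_pid, dst_pid) and attach a verdict."""
    counts = Counter()
    images = {}
    for row in rows:
        m = _ROW.match(row)
        if not m:
            continue
        pair = (int(m["src_pid"]), int(m["dst_pid"]))
        counts[pair] += 1
        images[pair] = (m["src"], m["dst"])
    result = []
    for pair, n in sorted(counts.items()):
        src, dst = images[pair]
        result.append({"src_pid": pair[0], "dst_pid": pair[1], "src": src,
                       "dst": dst, "writes": n, "verdict": classify_write(src, dst)})
    return result


# Row copied from the report (it appears seven times), plus one constructed row.
REPORT_ROW = (r"PID 2928 wrote to memory of 2992 N/A "
              r"C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe")
CONSTRUCTED_ROW = (r"PID 2992 wrote to memory of 1234 N/A "
                   r"C:\Windows\SysWOW64\rundll32.exe C:\Windows\explorer.exe")
SAMPLE_ROWS = [REPORT_ROW] * 7 + [CONSTRUCTED_ROW]

if __name__ == "__main__":
    for entry in triage_writes(SAMPLE_ROWS):
        print(entry)
```

The same pattern (System32 host, SysWOW64 child, identical image name) also explains the system32/SysWOW64 rundll32 pairs in the other win7 detonations of this sample; a write from rundll32 into a different image is the row that deserves a closer look.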

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_sohu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_sohu.dll,#1
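Every launcher in this report's process listings so far is rundll32 handed a DLL and an entry point: ieframe.dll,OpenURL with a .url shortcut, the NSIS InstallOptions.dll plugin called by ordinal #1 out of $PLUGINSDIR, and weather_sohu.dll,#1 out of a plugins directory. The parser below is an added example rather than sandbox code; it splits such command lines into DLL, entry point and arguments and attaches simple findings (DLL outside System32/SysWOW64, DLL under a user-writable path, entry point by ordinal, ieframe!OpenURL). The sample command lines are the ones shown in this report, with the .url name decoded from GBK; the finding strings are the script's own.

```python
"""Parse and triage rundll32 command lines from a sandbox process tree.

Added example for this report; not part of the sandbox output. SAMPLES holds
command lines copied from this report's process listings (the .url file name
is the GBK-decoded form of the name the report shows). Findings are this
script's own heuristics.
"""
import ntpath
import re

# One token per quoted span or per run of non-whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def split_cmdline(cmdline):
    """Whitespace-split a Windows command line, keeping quoted spans whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_rundll32(cmdline):
    """Return (dll, entry, args) for a rundll32 invocation, else None.

    rundll32 takes "<dll>,<entry> [args]". When the DLL path is quoted the
    tokenizer leaves ",<entry>" as its own token, so the two are rejoined.
    """
    toks = split_cmdline(cmdline)
    if len(toks) < 2 or ntpath.basename(toks[0]).lower() != "rundll32.exe":
        return None
    spec, rest = toks[1], toks[2:]
    if "," not in spec and rest and rest[0].startswith(","):
        spec += rest.pop(0)
    dll, _, entry = spec.partition(",")
    return dll, entry.strip(), rest


def triage_rundll32(cmdline):
    """Attach findings to a rundll32 command line; None if it is not rundll32."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    dll, entry, args = parsed
    low = dll.lower()
    findings = []
    if not low.startswith(SYSTEM_DIRS):
        findings.append("dll outside System32/SysWOW64")
    if any(part in low for part in USER_WRITABLE):
        findings.append("dll in user-writable directory")
    if entry.startswith("#"):
        findings.append("entry point called by ordinal " + entry)
    if low.endswith("\\ieframe.dll") and entry.lower() == "openurl":
        # ieframe!OpenURL opens a .url/.lnk target in Internet Explorer, so a
        # web page can be launched from a shortcut without the browser's own
        # command line ever showing the URL.
        findings.append("ieframe!OpenURL opens shortcut: " + " ".join(args))
    return {"dll": dll, "entry": entry, "args": args, "findings": findings}


SAMPLES = [
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL '
    r"C:\Users\Admin\AppData\Local\Temp\欢迎访问桌面天气秀主页.url",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_sohu.dll,#1",
    r'"C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe"',  # not rundll32 -> None
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(triage_rundll32(cmd))
```

The two NSIS-style plugin launches score on all three generic findings (non-system DLL, user-writable path, ordinal export); the ieframe line is clean on those, and only the OpenURL rule singles it out, which is why that rule is worth keeping separate from the path checks.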

Network

N/A

Files

memory/2992-0-0x00000000009F0000-0x0000000000A78000-memory.dmp

memory/2992-1-0x00000000009F0000-0x0000000000A78000-memory.dmp

memory/2992-2-0x00000000009F0000-0x0000000000A78000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_bg.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\BaiduInstall = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\baidu\\bar\\BaiduBar.dll,Install" C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
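Both persistence rows in this report (Run\XDeskWeather earlier, and this RunOnce\BaiduInstall entry) are writes under ...\CurrentVersion\Run* in the WOW6432Node view of HKLM. The script below is an added example and not part of the sandbox; it pulls those rows out of a list of registry events, undoes the doubled backslashes the report uses in the quoted data column, and flags the command when it points into a user-writable directory or runs through a LOLBin such as rundll32. The first two sample lines are this report's rows; the third is an Internet Explorer setting from the same report, included to show that non-autorun writes are skipped. Flag names are the script's own.

```python
"""Pick autorun (Run/RunOnce) writes out of sandbox registry event rows.

Added example for this report, not sandbox code. The first two SAMPLE_EVENTS
rows are this report's persistence rows; the third is an ordinary Internet
Explorer setting from the report. Flags are this script's own heuristics.
"""
import ntpath
import re

# Row layout: Set value (<type>) <key\name> = "<data>" <process> <target>
_EVENT = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<rest>.+)$'
)
# Autorun keys; only the tail is checked, so HKLM, per-user hives and the
# WOW6432Node variants all match.
_AUTORUN_KEY = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)$", re.I
)
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')

LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "msiexec.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_event(line):
    """Split one 'Set value' row into its fields, or None for other rows."""
    m = _EVENT.match(line)
    if not m:
        return None
    process, target = m["rest"].rsplit(" ", 1)
    # The report escapes backslashes inside the quoted data column.
    data = m["data"].replace("\\\\", "\\")
    key, _, name = m["key"].rpartition("\\")
    return {"type": m["type"], "key": key, "name": name, "data": data,
            "process": process, "target": target}


def triage_autoruns(lines):
    """Return the autorun entries among `lines`, each with its risk flags."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not _AUTORUN_KEY.search(ev["key"]):
            continue
        cmd = ev["data"]
        first = _FIRST_TOKEN.match(cmd)
        exe = ntpath.basename(first.group(1) or first.group(2)).lower() if first else ""
        flags = []
        if exe in LOLBINS:
            flags.append("launches through " + exe)
        if any(p in cmd.lower() for p in USER_WRITABLE):
            flags.append("references a user-writable path")
        if ev["key"].upper().startswith("\\REGISTRY\\MACHINE\\"):
            flags.append("machine-wide (HKLM) autorun")
        if "\\WOW6432NODE\\" in ev["key"].upper():
            flags.append("32-bit registry view (WOW6432Node)")
        hits.append({**ev, "exe": exe, "flags": flags})
    return hits


SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XDeskWeather = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDeskWeather.exe" C:\Users\Admin\AppData\Local\Temp\XDeskWeather.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\BaiduInstall = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\baidu\\bar\\BaiduBar.dll,Install" C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A',
]

if __name__ == "__main__":
    for hit in triage_autoruns(SAMPLE_EVENTS):
        print(hit["name"], hit["exe"], hit["flags"])
```

The XDeskWeather entry is the stronger of the two as a persistence indicator: it points straight into %TEMP%, which a legitimate installer would not do, whereas the RunOnce value is a one-shot rundll32 call into a DLL under Program Files (x86) and is consistent with an installer finishing its own setup. Both still deserve a look at what the DLL or executable actually does.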

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Lê C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ ˆ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\|n C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!0\$B C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!ð\„ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!ð~\l© C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ð~\̉ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!p\”( C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!0€\ä“ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ð~\œ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\d C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ôo C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!0€\ Ê C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T7 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File created C:\Program Files (x86)\baidu\bar\BDBar_tmp\img\logo.bmp C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ð~\Œm C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Dž C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ё\œu C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T8 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!\|‹ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ё\ê C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ð~\\È C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\lŒ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!\ 8 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\¤¡ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ѐ\T  C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\4 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ܺ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ìw C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!€\Ôf C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ð\ÜG C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\,¹ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!0\| C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\| C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!\Üi C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!p\<Ý C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ä C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ú C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ƒ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\, C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Œ¾ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\„Þ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!P€\l_ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\tÖ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!0\¤  C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!\,Ž C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ìS C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!P~\Ž C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\´< C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!\Ð C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\„K C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\|“ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\”\ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ìk C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!P~\ܵ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!ð\d C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ÔI C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\œ  C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\¬7 C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\ä, C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\Ô% C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ð\<¹ C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup_bg.exe

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ё\: C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A
File opened for modification C:\Program Files (x86)\baidu\bar\BDBar_tmp\T!Ё\l: C:\Users\Admin\AppData\Local\Temp\setup_bg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup_bg.exe

"C:\Users\Admin\AppData\Local\Temp\setup_bg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 740

Network

Files

C:\Program Files (x86)\baidu\bar\BDBar_tmp\BaiduBar.dll

MD5 e157dde448a189bd7f1d19bc426c19c9
SHA1 d77a49f443506d580aaebb4d0f3b89587978cf3e
SHA256 1cd2bc2ad6d2de92b478d9474f1af08d792fb5feab356863b5a22a5410085e1d
SHA512 ed1a8a162bba983a4bdf6319e19760bfa7f91fbc5012aa015e1945d2e51e4cb90f02d5ee2033b6331142edadf493ba59717be3bea66e370932ce36daf9b6de96

memory/3140-16-0x0000000002170000-0x0000000002275000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240419-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\XDeskWeather_Setup.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsi1D04.tmp\ioSpecial.ini

MD5 81896514198a3c4b2ff5eac7b50f1d17
SHA1 288459d60b2714c6142a959d180bbd86d436272e
SHA256 ba43d443f955b4759cd77cb5a6b9536806f91e3fa34d490b1ca2edc1d35e6e3d
SHA512 b8b3371b489364f4723eb7e7b9d0070d5763d09590125e0ca6fb6057f6b61573fcc7379f3afb38c91b1ab570e8f9ee7db054156b4c50c65ca99da50d12d7b2f8

\Users\Admin\AppData\Local\Temp\nsi1D04.tmp\InstallOptions.dll

MD5 1d5c649dde35003a618b9679d5d71b92
SHA1 0409bbab3ab34f8c01289cdd847b4d1a32d05b18
SHA256 0f4d3cee24e3f310fa804983c931d3628613988a24f0be7854f63a9309b8e45f
SHA512 b432ebcc52905662d61a3f17e08e209a3f9d836a9071b3b5e80070af7ebcf34cf66c44426dda041c2a258fda4787e5692e2b35acbcd73288fb84fe3c977bbfd9

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\gdiplus.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\gdiplus.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\gdiplus.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weathercn_6_Matrix_v1_6.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 2564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 2564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 2564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 2564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 2564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 2564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 2564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weathercn_6_Matrix_v1_6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weathercn_6_Matrix_v1_6.dll,#1

Network

N/A

Files

memory/2564-0-0x00000000006D0000-0x0000000000750000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weathercn_6_Matrix_v1_6.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 3176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 3176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 3176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weathercn_6_Matrix_v1_6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weathercn_6_Matrix_v1_6.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3176-0-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

61s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\skinTools.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\skinTools.exe

"C:\Users\Admin\AppData\Local\Temp\skinTools.exe"

Network

Files

memory/1392-0-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/1392-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\°ïÖú.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\°ïÖú.chm

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240611-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_china_6_Dong_v1_5.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_china_6_Dong_v1_5.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_china_6_Dong_v1_5.dll,#1

Network

N/A

Files

memory/3008-0-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3008-2-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3008-1-0x0000000000400000-0x000000000048A000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_sohu.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_sohu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\weather_sohu.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1580-0-0x0000000000850000-0x00000000008D8000-memory.dmp

memory/1580-1-0x0000000000850000-0x00000000008D8000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-20 12:38

Reported

2024-06-20 12:41

Platform

win7-20240220-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe

"C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_mini_3275.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.sogou.com udp
SG 119.28.109.132:80 www.sogou.com tcp
US 8.8.8.8:53 pinyin.sogou.com udp
HK 129.226.103.145:80 pinyin.sogou.com tcp

Files

memory/1292-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-2-0x0000000000240000-0x000000000026C000-memory.dmp

memory/1292-1-0x0000000000240000-0x000000000026C000-memory.dmp

memory/1292-4-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-5-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-6-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-7-0x0000000000240000-0x000000000026C000-memory.dmp

memory/1292-8-0x0000000000240000-0x000000000026C000-memory.dmp

memory/1292-9-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-10-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-11-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-12-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-13-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-14-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-15-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-16-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-17-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-18-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-19-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1292-20-0x0000000000400000-0x000000000042C000-memory.dmp