Analysis Overview
SHA256
5a1f9c57056b9de51eba98ce393b723030605f549c43fec9d9b59c824e9ca47e
Threat Level: Known bad
The file #!SetUp_58391--!PassW0rdz#$$.zip was found to be: Known bad.
Malicious Activity Summary
Amadey
Lumma Stealer
Downloads MZ/PE file
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
AutoIT Executable
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Modifies registry class
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 13:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 13:32
Reported
2024-07-09 13:35
Platform
win10v2004-20240704-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Amadey
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3804 set thread context of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4440 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\QQMYL8C03QG63JADLJFQ9MA5.exe | C:\Windows\SysWOW64\comp.exe |
| PID 3820 set thread context of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\YHF495B69Q77CEGDE39KTMKO96TL.exe | C:\Windows\SysWOW64\comp.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\NVIDIA Container Compatibility.job | C:\Windows\SysWOW64\comp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QQMYL8C03QG63JADLJFQ9MA5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YHF495B69Q77CEGDE39KTMKO96TL.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QQMYL8C03QG63JADLJFQ9MA5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YHF495B69Q77CEGDE39KTMKO96TL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\comp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\comp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" |
| C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\more.com |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 |
| C:\Windows\SysWOW64\SearchIndexer.exe | C:\Windows\SysWOW64\SearchIndexer.exe |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\QQMYL8C03QG63JADLJFQ9MA5.exe | "C:\Users\Admin\AppData\Local\Temp\QQMYL8C03QG63JADLJFQ9MA5.exe" |
| C:\Windows\SysWOW64\comp.exe | C:\Windows\SysWOW64\comp.exe |
| C:\Users\Admin\AppData\Local\Temp\YHF495B69Q77CEGDE39KTMKO96TL.exe | "C:\Users\Admin\AppData\Local\Temp\YHF495B69Q77CEGDE39KTMKO96TL.exe" |
| C:\Windows\SysWOW64\comp.exe | C:\Windows\SysWOW64\comp.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
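Read together, the SetThreadContext rows and the process list describe one chain: an executable dropped under %TEMP% starts a SysWOW64 console utility (more.com, comp.exe) with an empty argument list, rewrites that process's thread context, and it is an injected comp.exe that then writes the .job file into C:\Windows\Tasks. The Python below is an added detection example, not part of the sandbox report or of any vendor tooling. It runs over constructed Sysmon-style records: the PIDs, image paths and command lines are taken from this report, while the event schema, the field names and the PID credited with the .job drop (the report names only comp.exe) are assumptions.

```python
"""Detection for the Temp-exe -> SysWOW64 utility hollowing chain in behavioral1.

Added example, not part of the sandbox report. EVENTS is a constructed,
Sysmon-style record list: PIDs, image paths and command lines come from
the report; the schema and the PID that wrote the .job file are assumptions.
"""
import ntpath
import re

# Assumed event kinds: 1 = process create, 11 = file create,
# "thread_context" = a SetThreadContext call from src_pid into dst_pid.
EVENTS = [
    {"id": 1, "pid": 3804, "image": r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"'},
    {"id": 1, "pid": 652, "image": r"C:\Windows\SysWOW64\more.com",
     "cmd": r"C:\Windows\SysWOW64\more.com"},
    {"id": "thread_context", "src_pid": 3804, "dst_pid": 652},
    {"id": 1, "pid": 4440, "image": r"C:\Users\Admin\AppData\Local\Temp\QQMYL8C03QG63JADLJFQ9MA5.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\QQMYL8C03QG63JADLJFQ9MA5.exe"'},
    {"id": 1, "pid": 2964, "image": r"C:\Windows\SysWOW64\comp.exe",
     "cmd": r"C:\Windows\SysWOW64\comp.exe"},
    {"id": "thread_context", "src_pid": 4440, "dst_pid": 2964},
    {"id": 1, "pid": 3820, "image": r"C:\Users\Admin\AppData\Local\Temp\YHF495B69Q77CEGDE39KTMKO96TL.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\YHF495B69Q77CEGDE39KTMKO96TL.exe"'},
    {"id": 1, "pid": 4452, "image": r"C:\Windows\SysWOW64\comp.exe",
     "cmd": r"C:\Windows\SysWOW64\comp.exe"},
    {"id": "thread_context", "src_pid": 3820, "dst_pid": 4452},
    # Assumption: the report credits the .job drop to comp.exe without a PID.
    {"id": 11, "pid": 2964, "target": r"C:\Windows\Tasks\NVIDIA Container Compatibility.job"},
    # Benign control taken from the same report: Task Manager with its usual switch.
    {"id": 1, "pid": 3596, "image": r"C:\Windows\system32\taskmgr.exe",
     "cmd": r'"C:\Windows\system32\taskmgr.exe" /4'},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
TASKS_DIR = "C:\\Windows\\Tasks\\"


def build_process_table(events):
    """Map pid -> its process-create record."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def has_no_arguments(cmd, image):
    """True when the command line is nothing but the image path (quoted or not).
    A console utility such as more.com or comp.exe does useful work only with
    arguments, so a bare launch from a Temp executable is a hollowing tell."""
    return cmd.strip().strip('"').lower() == image.lower()


def find_hollowing(events):
    """Flag SetThreadContext from a process living under the user's AppData
    into a Windows system binary that was started with an empty argument list.
    Returns (source pid, target pid, target image name) per hit."""
    procs = build_process_table(events)
    hits = []
    for e in events:
        if e["id"] != "thread_context":
            continue
        src, dst = procs.get(e["src_pid"]), procs.get(e["dst_pid"])
        if not src or not dst:
            continue
        if (USER_WRITABLE.match(src["image"]) and SYSTEM_DIRS.match(dst["image"])
                and has_no_arguments(dst["cmd"], dst["image"])):
            hits.append((src["pid"], dst["pid"], ntpath.basename(dst["image"]).lower()))
    return hits


def find_task_drops(events):
    """Persistence follow-up: .job files written into C:\\Windows\\Tasks by a
    process that was itself the target of a flagged injection."""
    hollowed = {dst for _, dst, _ in find_hollowing(events)}
    return [e["target"] for e in events
            if e["id"] == 11 and e["pid"] in hollowed
            and e["target"].lower().startswith(TASKS_DIR.lower())
            and e["target"].lower().endswith(".job")]


if __name__ == "__main__":
    for src, dst, name in find_hollowing(EVENTS):
        print(f"hollowing: pid {src} -> pid {dst} ({name})")
    for path in find_task_drops(EVENTS):
        print(f"task file from hollowed process: {path}")
```

The second rule deliberately keys on the injection target rather than on comp.exe by name: a legitimate comp.exe never writes to C:\Windows\Tasks, but a rule tied to the image name would miss the same chain hosted in another SysWOW64 utility.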
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | 179.25.21.104.in-addr.arpa | udp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | foodupdates.shop | udp |
| US | 104.21.48.83:443 | foodupdates.shop | tcp |
| US | 8.8.8.8:53 | 83.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | downloaddining3.com | udp |
| US | 8.8.8.8:53 | downloaddining.com | udp |
| US | 8.8.8.8:53 | downloaddining2.com | udp |
| US | 172.67.209.34:80 | downloaddining2.com | tcp |
| US | 104.21.77.130:80 | downloaddining3.com | tcp |
| RU | 45.140.19.240:80 | downloaddining.com | tcp |
| US | 8.8.8.8:53 | 130.77.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.19.140.45.in-addr.arpa | udp |
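Most rows in the table above are noise for blocking purposes: 8.8.8.8:53 is the sandbox's resolver, and every in-addr.arpa name is a reverse (PTR) lookup of an address already contacted (179.25.21.104.in-addr.arpa is 104.21.25.179 reversed). The Python below is an added example, not part of the report, that parses rows in this pipe-delimited layout, drops that noise and groups what remains by domain; ROWS is a constructed subset copied from the table.

```python
"""IOC extraction over the behavioral1 network table. Added example, not part
of the report. ROWS is a constructed subset of the table in its own layout."""
from collections import defaultdict

ROWS = """\
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | 179.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | foodupdates.shop | udp |
| US | 104.21.48.83:443 | foodupdates.shop | tcp |
| US | 8.8.8.8:53 | downloaddining.com | udp |
| US | 172.67.209.34:80 | downloaddining2.com | tcp |
| US | 104.21.77.130:80 | downloaddining3.com | tcp |
| RU | 45.140.19.240:80 | downloaddining.com | tcp |
"""

RESOLVER_IP = "8.8.8.8"  # sandbox DNS resolver: a query there proves a lookup, not a C2 address


def parse_rows(text):
    """Turn '| Country | ip:port | Domain | Proto |' lines into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # header or malformed line
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_reverse_lookup(domain):
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def extract_iocs(rows):
    """Return {domain: {"ips", "ports", "countries"}} with PTR lookups removed
    and resolver traffic reduced to 'this domain was resolved'."""
    iocs = defaultdict(lambda: {"ips": set(), "ports": set(), "countries": set()})
    for r in rows:
        if is_reverse_lookup(r["domain"]):
            continue
        entry = iocs[r["domain"]]  # creates the domain even if it was only resolved
        if r["ip"] == RESOLVER_IP:
            continue
        entry["ips"].add(r["ip"])
        entry["ports"].add(r["port"])
        entry["countries"].add(r["country"])
    return dict(iocs)


def cleartext_domains(iocs):
    """Domains contacted over port 80; worth a proxy-log search for the
    MZ/PE download the signatures report."""
    return sorted(d for d, e in iocs.items() if 80 in e["ports"])


def resolved_only(iocs):
    """Domains that were looked up but never connected to (sinkholed or dead)."""
    return sorted(d for d, e in iocs.items() if not e["ips"])


def blocklist(iocs):
    """Flat, deduplicated list of domains and IPs for a block rule."""
    names = set(iocs)
    addrs = {ip for e in iocs.values() for ip in e["ips"]}
    return sorted(names) + sorted(addrs)


if __name__ == "__main__":
    found = extract_iocs(parse_rows(ROWS))
    print("\n".join(blocklist(found)))
    print("cleartext:", cleartext_domains(found))
```

Keeping resolved-but-unconnected domains as a separate class matters when a sample is detonated days after its C2 was taken down: the lookup is still a usable indicator even though no connection follows it.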
Files
memory/3804-0-0x00000000007E0000-0x000000000083E000-memory.dmp
memory/3804-1-0x00007FFBC6D50000-0x00007FFBC71C2000-memory.dmp
memory/3804-5-0x00007FFBC6D68000-0x00007FFBC6D69000-memory.dmp
memory/3804-6-0x00007FFBC6D50000-0x00007FFBC71C2000-memory.dmp
memory/3804-7-0x00007FFBC6D50000-0x00007FFBC71C2000-memory.dmp
memory/3804-9-0x00000000007E0000-0x000000000083E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e821f0a0
| MD5 | a1977563197b53e24d59bf10ad460d2f |
| SHA1 | 6883659fefe0218398f60935d0016b7b3b0cfba7 |
| SHA256 | e7da6bf76c444bcf23d173a87d107c3e95df00f617c0af4db0dc084745757868 |
| SHA512 | e97deec577a2ecff82527a159f198646ace5e0af43b04c4c56ce43c0f07ce67781a818865406de14d175e06af9e87939fa13c1cddb5cf4c8fa88501ad86c75d3 |
memory/3596-11-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-13-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-12-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-23-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-22-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-21-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-20-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-19-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-18-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/3596-17-0x00000201B3E40000-0x00000201B3E41000-memory.dmp
memory/652-24-0x00007FFBC76F0000-0x00007FFBC78E5000-memory.dmp
memory/652-25-0x0000000075790000-0x0000000075BCC000-memory.dmp
memory/1832-27-0x00007FFBC76F0000-0x00007FFBC78E5000-memory.dmp
memory/1832-28-0x0000000000F90000-0x0000000000FE3000-memory.dmp
memory/1832-29-0x0000000000F90000-0x0000000000FE3000-memory.dmp
memory/1832-30-0x0000000000F90000-0x0000000000FE3000-memory.dmp
memory/1804-33-0x0000000000910000-0x000000000096E000-memory.dmp
memory/1804-34-0x00007FFBC6D50000-0x00007FFBC71C2000-memory.dmp
memory/1804-35-0x0000000000910000-0x000000000096E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QQMYL8C03QG63JADLJFQ9MA5.exe
| MD5 | 86561270851963e63c6d609caaff47a3 |
| SHA1 | 37dd064af1f150d951a5fbf30b0223ee9a54c082 |
| SHA256 | be94710b2a9cd12ea8e45c7a8c61db878d731f489098c356fcb928bab39fadc6 |
| SHA512 | 93e89ab997464a1573cb4c593e6f622da2ecf28b0971fadfa526a835e81fde5d5ded19a7084ce5da3d2d4cd8270f1574cc8a84b875c8ae4d1e378fc6fa0a0133 |
memory/4440-41-0x0000000000D00000-0x00000000010B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\92e8e25d
| MD5 | 39308a15982790fdcfdc7ec5a813420f |
| SHA1 | 69c79bf5098a2b766ba79ac27f810e7d7d7e4e64 |
| SHA256 | 20991bf16deb823fd6b4c49b5a30352de2622ad3dc888bc945732109dd809656 |
| SHA512 | 3178211378d171a60741533ba81ad49b4a7ed3ec18a72a0934a46f47cdf2e6ff8d582e41c8d5699735d33d6d9c30d963c81fd2ae5979a41ba310abe5abfc5534 |
memory/4440-47-0x00000000732C0000-0x000000007343B000-memory.dmp
memory/4440-48-0x00007FFBC76F0000-0x00007FFBC78E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YHF495B69Q77CEGDE39KTMKO96TL.exe
| MD5 | af75546a81e72af61b5d94fdea9306e3 |
| SHA1 | 0f81534dd3707a8a30c800037dc49039827a3840 |
| SHA256 | 67e99e2b7b420b9919443096cae54128f9fd932c0405a1f10fe934e36cb724e4 |
| SHA512 | fa1bbf493279ca170b5a9443d45c0b6de7c6483b5a13f09fd0604d9f9f3ed7b73806a31af3d7477c71184ff014224a4e9a7cd35eed08292a140e4bcddca80434 |
memory/1832-52-0x0000000000F90000-0x0000000000FE3000-memory.dmp
memory/3820-54-0x0000000000400000-0x000000000096C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\af208fdb
| MD5 | 63618dd22d08db942ef8eb97df47045c |
| SHA1 | 61e2f2fedcc234aa15f968eed516ac97b6d81f60 |
| SHA256 | 88966a2125942f70a46d6b7c5ec8c1ae70485d3ae1ddafdfd1ddbad9b91a7fe6 |
| SHA512 | 367f00668550fbf14e66778e226f3f1276c10652f59a633eb860c1e55d17b5386bbc0803f71909870e61bda71cdc636241c9373f7afb22be955779dbbba2c2b2 |
memory/3820-60-0x00000000732C0000-0x000000007343B000-memory.dmp
memory/3820-61-0x00007FFBC76F0000-0x00007FFBC78E5000-memory.dmp
memory/3820-62-0x0000000000400000-0x000000000096C000-memory.dmp
memory/4440-63-0x00000000732C0000-0x000000007343B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\961439b1
| MD5 | 5e2db00d0d576d61e4eb2742d0048b2a |
| SHA1 | 448a22c608caaa53b6c1d582bc88c835c0f3d960 |
| SHA256 | 82d390f1e7292cf9151f8838c841f0316f1753dbc5d05b4f365203a40b916f00 |
| SHA512 | fb58d51a6b739a55da62415f93e5b3f88b58c0d7d801b30e9e1f48e2ebdcabacc7d384dbe6bac800e76634c4b23770087262fcaca4acc507f11a1dea2a330280 |
memory/2964-68-0x00007FFBC76F0000-0x00007FFBC78E5000-memory.dmp
memory/3820-69-0x00000000732C0000-0x000000007343B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b240d719
| MD5 | 75b165ce809aa1203f9e5d73240d7fbb |
| SHA1 | b6fc2e00e565574455a5c3d8f6da0bba683b4f5a |
| SHA256 | 1b6ebd973edc96d96c16ab70f2ebc4dfa0b385e7b347c5a954561594a09e1749 |
| SHA512 | 965eb36d22d47c3e1178aa415af208c9965a49e2bedf0deda572592598623bbeee3c60ac62abc9eca5bca0236f7ae0af08fdff577e7abaa0c536566097b1e8ca |
memory/4452-73-0x00007FFBC76F0000-0x00007FFBC78E5000-memory.dmp
memory/2964-74-0x00000000732C0000-0x000000007343B000-memory.dmp
C:\Windows\Tasks\NVIDIA Container Compatibility.job
| MD5 | 75fd406e2e4fcdc4618064c15f87aa2f |
| SHA1 | 81115c7a7b9b516bc83af048d64432a2d7959c55 |
| SHA256 | 76e8e7a97add72bddd64e8934f8c562872c723616ad8c07ed0b18c1a187e7cda |
| SHA512 | f66a0a0a86a7f6c2a41882825ef654e2e29ca9fa91f775c30781e25fa28ee27e6f566525fe2894525a66f1a372f11b8cf3f0c150fb166d5fff36d8d279d73ba9 |
memory/4452-84-0x00000000732C0000-0x000000007343B000-memory.dmp
memory/3340-88-0x00007FFBC76F0000-0x00007FFBC78E5000-memory.dmp
memory/4084-89-0x00007FFBC76F0000-0x00007FFBC78E5000-memory.dmp
memory/4084-90-0x0000000000600000-0x0000000000670000-memory.dmp
memory/3340-91-0x0000000000CE0000-0x0000000000D47000-memory.dmp
memory/4084-95-0x0000000000600000-0x0000000000670000-memory.dmp
memory/3340-96-0x0000000000CE0000-0x0000000000D47000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 13:32
Reported
2024-07-09 13:35
Platform
win10v2004-20240704-en
Max time kernel
96s
Max time network
133s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\formwork.gz |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 13:32
Reported
2024-07-09 13:35
Platform
win10v2004-20240704-en
Max time kernel
142s
Max time network
97s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
| Process | Command line |
| C:\Program Files\VideoLAN\VLC\vlc.exe | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\rondure.flv" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/3592-1-0x00007FFF0B680000-0x00007FFF0B6B4000-memory.dmp
memory/3592-0-0x00007FF739A80000-0x00007FF739B78000-memory.dmp
memory/3592-9-0x00007FFF06EA0000-0x00007FFF06EB1000-memory.dmp
memory/3592-8-0x00007FFF06EC0000-0x00007FFF06EDD000-memory.dmp
memory/3592-7-0x00007FFF0AA70000-0x00007FFF0AA81000-memory.dmp
memory/3592-6-0x00007FFF0AA90000-0x00007FFF0AAA7000-memory.dmp
memory/3592-5-0x00007FFF0AAB0000-0x00007FFF0AAC1000-memory.dmp
memory/3592-4-0x00007FFF0C2C0000-0x00007FFF0C2D7000-memory.dmp
memory/3592-11-0x00007FFF06E50000-0x00007FFF06E91000-memory.dmp
memory/3592-3-0x00007FFF0EA40000-0x00007FFF0EA58000-memory.dmp
memory/3592-2-0x00007FFEF74F0000-0x00007FFEF77A6000-memory.dmp
memory/3592-10-0x00007FFEF72E0000-0x00007FFEF74EB000-memory.dmp
memory/3592-17-0x00007FFF06C30000-0x00007FFF06C41000-memory.dmp
memory/3592-16-0x00007FFF06C50000-0x00007FFF06C61000-memory.dmp
memory/3592-15-0x00007FFF06DE0000-0x00007FFF06DF1000-memory.dmp
memory/3592-14-0x00007FFF06E00000-0x00007FFF06E18000-memory.dmp
memory/3592-13-0x00007FFF06E20000-0x00007FFF06E41000-memory.dmp
memory/3592-12-0x00007FFEF6230000-0x00007FFEF72E0000-memory.dmp
memory/3592-48-0x00007FFEF6230000-0x00007FFEF72E0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-09 13:32
Reported
2024-07-09 13:35
Platform
win10v2004-20240704-en
Max time kernel
95s
Max time network
97s
Command Line
Signatures
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/908-0-0x0000000000400000-0x000000000045E000-memory.dmp