Analysis Overview
SHA256
2a975179e4cbc850602edf860bd6644ddbc4b39587c31860f4c5cf09ff8605a5
Threat Level: Known bad
The file !#!SEtUp_4455_Pa$$W0rD$$!!%!.rar was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Amadey
Downloads MZ/PE file
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 17:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win10v2004-20240709-en
Max time kernel
209s
Max time network
209s
Command Line
Signatures
Amadey
Lumma Stealer
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3856 set thread context of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2444 set thread context of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1856 set thread context of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe | C:\Windows\SysWOW64\netsh.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\ToolUpdate.job | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\Tasks\MH Beacon Helper.job | C:\Windows\SysWOW64\netsh.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe
"C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe
"C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | 179.25.21.104.in-addr.arpa | udp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | foodupdates.shop | udp |
| US | 104.21.48.83:443 | foodupdates.shop | tcp |
| US | 8.8.8.8:53 | 83.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.steamstatic.com | udp |
| GB | 2.16.170.35:443 | cdn.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 35.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | downloaddining.com | udp |
| US | 8.8.8.8:53 | downloaddining2.com | udp |
| US | 8.8.8.8:53 | downloaddining3.com | udp |
| US | 172.67.209.34:80 | downloaddining2.com | tcp |
| US | 104.21.77.130:80 | downloaddining3.com | tcp |
| RU | 45.140.19.240:80 | downloaddining.com | tcp |
| US | 8.8.8.8:53 | contur2fa.recipeupdates.rest | udp |
| US | 104.21.76.173:443 | contur2fa.recipeupdates.rest | tcp |
| US | 8.8.8.8:53 | 130.77.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.19.140.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/3856-0-0x00007FFA439B0000-0x00007FFA43E22000-memory.dmp
memory/3856-10-0x00007FFA439C8000-0x00007FFA439C9000-memory.dmp
memory/3856-11-0x00007FFA439B0000-0x00007FFA43E22000-memory.dmp
memory/3856-12-0x00007FFA439B0000-0x00007FFA43E22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7bbc0863
| MD5 | 688e1ee85adf7b6fc1dbe74fa5a9e930 |
| SHA1 | b12b75fde2b6523e5c63108c1e4d7d7b6c814065 |
| SHA256 | 59315baec5a1193c52651d7485fe61abe1f76ab53f8a6915efba813cd065d86c |
| SHA512 | 30cac4e3fac56a46e532cc78d8ccd2c765f0a0c5da8b4b043844568e2c6ca77f687f54d8f984cf8e30451949f374c56b0899c0bdcc4d1d7ad57cbe5acee5e30a |
C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe
| MD5 | d8d3eaf3756ec2fd01063f9fd2623c7e |
| SHA1 | 0e63c687984112e96bbfcf985c1fbf602f1c86e4 |
| SHA256 | 0ac72e797e244a733d5357b9fc90a5efaee168b5ab9b751493c080183be58829 |
| SHA512 | d87f33d7b6596719545899be6f54eb0f3b9f4ccf2ab4afea16d2a05386201c77243a6c80890ace81940ae2a09f743329bc3ed38b03499b2f6700da363668fa6c |
memory/2444-30-0x0000000000670000-0x00000000009A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\773f1649
| MD5 | 0bb8b2b96cd95f9a6fb8192883c94ca7 |
| SHA1 | 16b7b4cfcacef943b4824e21b475c295cb4d9dff |
| SHA256 | 42139a8703db654c15f60607495822317b23a29b7c64b1b083428cc3716c14ec |
| SHA512 | 44d45b97bf76b3194375f2a63314dacf47add2223b37a9e080ddcfe49cb30a844436686ae62842cb08589b1b248c864b5d17ee7ae3e766931722824bd205565b |
memory/2444-36-0x0000000073AD0000-0x0000000073C4B000-memory.dmp
memory/2444-37-0x00007FFA45770000-0x00007FFA45965000-memory.dmp
memory/3092-38-0x00000000006D0000-0x0000000000720000-memory.dmp
memory/2444-39-0x0000000073AD0000-0x0000000073C4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7972f5ac
| MD5 | 780479723bd568fc7facdf04f26f7394 |
| SHA1 | 70de1ebb084c3ed9ec4e50e7455a3e90fc6a7331 |
| SHA256 | 4eed3d3ac1af84955599ddd544e9f0f7a5c2b0f896158ed74c8ab3b7e5b160d6 |
| SHA512 | 28d755e892145dabd27eabe20735c17c9f0bdf513d28e8ac83b2bf57be44061d5d225d99e875b3382c9df4cf6a032981bcf704b089beb7a69971034c814d30a4 |
C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe
| MD5 | 753234a5fa72cf7ff8c56fd867478f31 |
| SHA1 | 9d689ec16a5da11eea5e60c800ef2bce6f4212f3 |
| SHA256 | 211646612334caf8f5779788e6b9bd3a47a23c35c9cdcddddca34cba4e12379f |
| SHA512 | f641b30948127a0ee9bd538d4ad3aaae1047720a141eb71f2f82276cbd2bb5393e174a7f5a79778ef248ca43781dd55bdaa1d7cf84ef12a8e99028b5fb0a9e82 |
memory/3092-45-0x00000000006D0000-0x0000000000720000-memory.dmp
memory/1856-46-0x00000000009D0000-0x0000000000F8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bc839a68
| MD5 | f74f23c47dbb6ed0a1422be1c86ba44d |
| SHA1 | 585956eab70da3892bd82cf21470be142daec324 |
| SHA256 | aa2cc4edd00008635d8c09a5706b5e5b28886825065895afe733426c794af041 |
| SHA512 | 9db56c720c03f87d332cdab8d61ff22f0b2dd376bb22ef91b6b8a52dbcb6893bdf7a7db0a55dc10e23619ed1099a8a773f1bdacdad70ca04733bc60b440280dd |
memory/1856-53-0x0000000073AD0000-0x0000000073C4B000-memory.dmp
memory/1856-54-0x00007FFA45770000-0x00007FFA45965000-memory.dmp
memory/1856-55-0x0000000073AD0000-0x0000000073C4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c0210430
| MD5 | 8b554ad02c946157f4285384a8f0268d |
| SHA1 | b2932ef2ed57e6e1b033fd23e62e4a36b531402c |
| SHA256 | 5e55670faa74d9aeaa43249daa3fe64729361bb48d54f964d8cc8b05ea2476c6 |
| SHA512 | 11e4ce4ca1ec573ce21e2f0b576b5f3ad56829b9a34aaa6c7b5b7d1815e5557eead8adc18a96c1d625f4f3af82137dcd1a3a56a334b7d6d053c05cf5bfb4de0c |
C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1
| MD5 | 0fb684cc15d197c0b937e5528359d7c8 |
| SHA1 | 7d963246f52f42012bdcddb31214283c84c954ed |
| SHA256 | e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260 |
| SHA512 | c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dw4xh2ky.hze.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win7-20240708-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1288 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1288 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1288 wrote to memory of 1256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1288 -s 80
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win7-20240704-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2052 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2052 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2052 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSLogging.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2052 -s 80
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win10v2004-20240709-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\handstand.dxf
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win10v2004-20240709-en
Max time kernel
120s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100u.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win7-20240705-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2780 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2780 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2780 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp100.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2780 -s 80
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
98s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp100.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win10v2004-20240709-en
Max time kernel
95s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win7-20240705-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2404 wrote to memory of 2420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2404 wrote to memory of 2420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2404 wrote to memory of 2420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MigrationLibrary.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2404 -s 156
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win10v2004-20240709-en
Max time kernel
92s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MigrationLibrary.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win7-20240704-en
Max time kernel
46s
Max time network
16s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2524 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\WerFault.exe |
| PID 2524 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\WerFault.exe |
| PID 2524 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2524 -s 92
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win7-20240704-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.dxf\ = "dxf_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.dxf | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2772 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2772 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2772 wrote to memory of 2880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2880 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2880 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2880 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2880 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\handstand.dxf
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\handstand.dxf
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\handstand.dxf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 548e62b5d6f3955f008735ab5e1b3993 |
| SHA1 | 407ceb3645f3d1596d4b027d3c0c3e79a71938b3 |
| SHA256 | 52f00ca02264c5ab2fb8a3019e90b41f6e354ba19b079117e9796fa82a9fe592 |
| SHA512 | ae713fae67982345a72191ae7e3120b6006bdb5cf2f74ae9ba1b9ad1bc70c00aacab15c1854404274dc05553dc5fd44b007f5d4c6969104745f61dfefd51ef97 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win7-20240708-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\oral.log
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win10v2004-20240709-en
Max time kernel
135s
Max time network
136s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\oral.log
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win7-20240705-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2144 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2144 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2144 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2144 -s 156
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win10v2004-20240709-en
Max time kernel
143s
Max time network
146s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSLogging.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win7-20240708-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100enu.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win10v2004-20240709-en
Max time kernel
94s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100enu.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:46
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100u.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-09 17:43
Reported
2024-07-09 17:47
Platform
win10v2004-20240704-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |