Analysis Overview
SHA256
632e8898c0cff2983b67fe4e8e4b17a13e4e6a5d0b6e12835b74793d23e46654
Threat Level: Known bad
The file 632e8898c0cff2983b67fe4e8e4b17a13e4e6a5d0b6e12835b74793d23e46654 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-10 23:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win7-20240705-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2536 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2536 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2536 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Injecting.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2536 -s 88
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240704-en
Max time kernel
15s
Max time network
18s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\License.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\Newtonsoft.Json.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win10v2004-20240709-en
Max time kernel
61s
Max time network
64s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Libs\Paring_[1MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\Libs\Paring_[1MB]_[1].exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
63s
Max time network
67s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100u.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240704-en
Max time kernel
18s
Max time network
17s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2912 wrote to memory of 2452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2912 wrote to memory of 2452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2912 wrote to memory of 2452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2912 -s 80
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win10v2004-20240709-en
Max time kernel
63s
Max time network
65s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\AlphaFS.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win10v2004-20240709-en
Max time kernel
2s
Max time network
7s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSLogging.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win7-20240704-en
Max time kernel
23s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Extreme.Net.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240708-en
Max time kernel
14s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MigrationLibrary.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100enu.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\License.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win7-20240705-en
Max time kernel
15s
Max time network
18s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 224
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
94s
Max time network
98s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4904 wrote to memory of 3732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4904 wrote to memory of 3732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4904 wrote to memory of 3732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3732 -ip 3732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
| US | 52.111.227.13:443 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win7-20240708-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\AlphaFS.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win7-20240704-en
Max time kernel
23s
Max time network
17s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2276 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2276 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2276 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2276 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2276 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2276 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2276 wrote to memory of 1948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win7-20240704-en
Max time kernel
15s
Max time network
21s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Libs\Paring_[1MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\Libs\Paring_[1MB]_[1].exe"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
62s
Max time network
63s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MigrationLibrary.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 199.232.214.172:80 | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240704-en
Max time kernel
20s
Max time network
17s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2092 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\WerFault.exe |
| PID 2092 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\WerFault.exe |
| PID 2092 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2092 -s 92
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240704-en
Max time kernel
12s
Max time network
19s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\Newtonsoft.Json.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240705-en
Max time kernel
16s
Max time network
18s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2260 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2260 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2260 wrote to memory of 2096 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSLogging.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2260 -s 80
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win10v2004-20240709-en
Max time kernel
2s
Max time network
7s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Injecting.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
64s
Max time network
67s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 220 set thread context of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 220 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 220 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 220 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 220 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 800 wrote to memory of 4876 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 800 wrote to memory of 4876 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 800 wrote to memory of 4876 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 800 wrote to memory of 4876 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 172.67.214.52:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 172.67.146.61:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | 52.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 104.21.6.254:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 172.67.196.169:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 172.67.203.63:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | 254.6.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.47.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 8.8.8.8:53 | 63.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.134.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.81.21.104.in-addr.arpa | udp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/220-0-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp
memory/220-10-0x00007FFA7B4D8000-0x00007FFA7B4D9000-memory.dmp
memory/220-11-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp
memory/220-12-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\49624d85
| MD5 | ae5dbebf5a8ebe14cec80907b9021963 |
| SHA1 | f12f075f74540372f7a644bd57ec9f140fbc424f |
| SHA256 | 9d609f2557e519c61e49f0626d7ee51955912e08a1485409208cc6f322cb26af |
| SHA512 | 8738f9fb65a76b069932fdd0188d09e9d27be3c3b34eb55e1835c89e1419492cd75843513ee2d6bb450e163f293d39d06620d5489d34bfc00fa873b139138420 |
memory/800-15-0x00007FFA7BC90000-0x00007FFA7BE85000-memory.dmp
memory/800-17-0x0000000076BBE000-0x0000000076BC0000-memory.dmp
memory/800-16-0x0000000076BB0000-0x0000000076FEC000-memory.dmp
memory/800-18-0x0000000076BB0000-0x0000000076FEC000-memory.dmp
memory/800-20-0x0000000076BB0000-0x0000000076FEC000-memory.dmp
memory/4876-21-0x00007FFA7BC90000-0x00007FFA7BE85000-memory.dmp
memory/4876-22-0x0000000000830000-0x0000000000897000-memory.dmp
memory/4876-23-0x00000000001FB000-0x0000000000202000-memory.dmp
memory/4876-24-0x0000000000830000-0x0000000000897000-memory.dmp
memory/800-25-0x0000000076BBE000-0x0000000076BC0000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240705-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100enu.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp100.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
95s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\VersionStable.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win10v2004-20240709-en
Max time kernel
33s
Max time network
35s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\Extreme.Net.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240704-en
Max time kernel
12s
Max time network
19s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 1276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1952 wrote to memory of 1276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1952 wrote to memory of 1276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp100.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1952 -s 84
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win10v2004-20240709-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240705-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Debugs\VersionStable.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:43
Platform
win10v2004-20240709-en
Max time kernel
63s
Max time network
68s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2396 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2396 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2396 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Libs\libEGL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-07-10 23:42
Reported
2024-07-10 23:44
Platform
win7-20240704-en
Max time kernel
15s
Max time network
18s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100u.dll,#1