Malware Analysis Report

2024-11-13 18:50

Sample ID 240712-q2te8syaqh
Target 3d9e9a8fe8a44ae6158326c129f257c7_JaffaCakes118
SHA256 9471e1b7a13d4cc612c816df5526f79d245684d5af3d8094ea657d1f83a39194
Tags
persistence remcos excel-logs rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

9471e1b7a13d4cc612c816df5526f79d245684d5af3d8094ea657d1f83a39194

Threat Level: Known bad

The file 3d9e9a8fe8a44ae6158326c129f257c7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence remcos excel-logs rat

Remcos

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 13:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-12 13:45

Reported

2024-07-12 13:48

Platform

win10v2004-20240709-en

Max time kernel

94s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4072 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4072 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4072 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1164 -ip 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-12 13:45

Reported

2024-07-12 13:48

Platform

win7-20240705-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll,#1

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2336 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll,#1

Network

N/A

Files

memory/2060-1-0x0000000074960000-0x0000000074968000-memory.dmp

memory/2060-2-0x0000000074950000-0x0000000074958000-memory.dmp

memory/2060-0-0x0000000074A00000-0x0000000074A08000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-12 13:45

Reported

2024-07-12 13:48

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll,#1

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 1220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 1220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2912 wrote to memory of 1220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1220 -ip 1220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 736

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1220-0-0x0000000074DA0000-0x0000000074DA8000-memory.dmp

memory/1220-2-0x0000000074DA0000-0x0000000074DA8000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 13:45

Reported

2024-07-12 13:48

Platform

win7-20240705-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Excel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Excel\\Excel.exe\"" C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Excel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Excel\\Excel.exe\"" C:\Users\Admin\AppData\Roaming\Excel\Excel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe" C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 672 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe
PID 672 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe
PID 672 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe
PID 672 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe
PID 672 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe
PID 2972 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Windows\SysWOW64\WScript.exe
PID 2972 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Windows\SysWOW64\WScript.exe
PID 2972 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Windows\SysWOW64\WScript.exe
PID 2972 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe C:\Windows\SysWOW64\WScript.exe
PID 2736 wrote to memory of 2556 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2556 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2556 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2556 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
PID 2556 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
PID 2556 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
PID 2556 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
PID 2624 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
PID 2624 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
PID 2624 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
PID 2624 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
PID 2624 wrote to memory of 344 N/A C:\Users\Admin\AppData\Roaming\Excel\Excel.exe C:\Users\Admin\AppData\Roaming\Excel\Excel.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Excel\Excel.exe"

C:\Users\Admin\AppData\Roaming\Excel\Excel.exe

C:\Users\Admin\AppData\Roaming\Excel\Excel.exe

C:\Users\Admin\AppData\Roaming\Excel\Excel.exe

C:\Users\Admin\AppData\Roaming\Excel\Excel.exe

Network

Country Destination Domain Proto
VN 103.114.106.35:20987 tcp
VN 103.114.106.35:20987 tcp
VN 103.114.106.35:20987 tcp
VN 103.114.106.35:20987 tcp
VN 103.114.106.35:20987 tcp
VN 103.114.106.35:20987 tcp
VN 103.114.106.35:20987 tcp

Files

\Users\Admin\AppData\Local\Temp\nso2BB3.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll

MD5 9ec36c1f7989533c81de064104ea35ab
SHA1 9a9f608e7bf4e4f06e4804f7b132939d3ee5654d
SHA256 238727a5364853abf73decbd56c4c1e3f3906060e802352b547a296e34dd3646
SHA512 bfb31fd814d2069cf529297c9c4ec4b8d6480012ccbc8f0ea013ce750705d953e47f00f6fa625b95c94c1bcde6763612a6055f91a35428eed0f1e16c6b1bb2e7

memory/672-11-0x0000000074220000-0x0000000074228000-memory.dmp

memory/2972-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/672-16-0x0000000074220000-0x0000000074228000-memory.dmp

memory/2972-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2972-20-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2972-25-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 53c0ff348853d6380df0b8c16a03d762
SHA1 eda6327849c2c83520e527241156fad9fa634b4a
SHA256 358585a15d72ce0478be92c97b940accf7f7717bf77c29967d4a6fa853f879b2
SHA512 925c2286fd0a370afa3d91d94b503ed01f77467fd2a13edca2e940ee4e8f9420193c9a70a3af0a8b26e62e6c2bd7cf1911059c273f16dc4bf261d54b0f840737

\Users\Admin\AppData\Roaming\Excel\Excel.exe

MD5 2021fec8feb356edbcea0588a270cb6b
SHA1 2e1ff93fe5da8c89508ff5f1aa44d641e25b6823
SHA256 918dede163276d652ee3fc92b2ec93733850b27a31339e6e972536d168990506
SHA512 2598edb08e125bea4016c44385b29c244f24914fdcdc07546c599e3caf68346bd511853ca1422d4ba9019c21c16ccc33201f6495b9c4a22769df1ff33d4d82c2

C:\Users\Admin\AppData\Local\Temp\zskwxxud.ket

MD5 ee820258379f0db08160ef97b38096c3
SHA1 faba7ae96beb0df20306e19498ed9b86dd60f17a
SHA256 66974e8127fd27bfeefc3d23b8534f394fb9e9b3a7c1d1e1db9081445ff10c6c
SHA512 023a6a3420ec43088c692c9d45c7a788560db74c794e869994155761f4c8b6b7ed9f0c1b775eaff7bea17941b11fe251f0d458418e05fe43fb787d782768ea75

memory/2624-44-0x0000000074200000-0x0000000074208000-memory.dmp

memory/344-50-0x0000000000400000-0x0000000000421000-memory.dmp

memory/344-53-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2624-49-0x0000000074200000-0x0000000074208000-memory.dmp

memory/344-48-0x0000000000400000-0x0000000000421000-memory.dmp

memory/344-55-0x0000000000400000-0x0000000000421000-memory.dmp

memory/344-59-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Roaming\Excel\logs.dat

MD5 6f723ee8e9a2a775772dc395c18742e7
SHA1 7493aef74cfd13434f36c0545e20f0117ee6fd15
SHA256 01d8938d4fc536a152371e07eb6c4ae5e00958460920bca192526f2856c1e53c
SHA512 d1df252b7b93d68d3db6a2ec58fbe18e958faa3b9d62c1c354ded44c008ad307c790b6cbf75e0a06c0a5474e6dd32b60c866262e359e3240213ab9db85d59744

memory/344-63-0x0000000000400000-0x0000000000421000-memory.dmp

memory/344-66-0x0000000000400000-0x0000000000421000-memory.dmp

memory/344-71-0x0000000000400000-0x0000000000421000-memory.dmp

memory/344-75-0x0000000000400000-0x0000000000421000-memory.dmp

memory/344-81-0x0000000000400000-0x0000000000421000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 13:45

Reported

2024-07-12 13:48

Platform

win10v2004-20240709-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe" C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe"

C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1736 -ip 1736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 840

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 19.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsyA931.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

C:\Users\Admin\AppData\Local\Temp\0jxlr2n3sx9a9r.dll

MD5 9ec36c1f7989533c81de064104ea35ab
SHA1 9a9f608e7bf4e4f06e4804f7b132939d3ee5654d
SHA256 238727a5364853abf73decbd56c4c1e3f3906060e802352b547a296e34dd3646
SHA512 bfb31fd814d2069cf529297c9c4ec4b8d6480012ccbc8f0ea013ce750705d953e47f00f6fa625b95c94c1bcde6763612a6055f91a35428eed0f1e16c6b1bb2e7

memory/1736-10-0x0000000074D30000-0x0000000074D38000-memory.dmp

memory/1736-12-0x0000000074D30000-0x0000000074D38000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-12 13:45

Reported

2024-07-12 13:48

Platform

win7-20240705-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 220

Network

N/A

Files

N/A