Malware Analysis Report

2024-09-22 10:46

Sample ID: 240719-x1c57azane
Target: crowdstrike-hotfix.zip
SHA256: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
Tags: hawkeye remcos fudstub keylogger rat spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2

Threat Level: Known bad

The file crowdstrike-hotfix.zip was found to be: Known bad.

Malicious Activity Summary

hawkeye remcos fudstub keylogger rat spyware stealer trojan

HawkEye

Remcos

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-19 19:18

Signatures

N/A

Analysis: behavioral11

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win7-20240708-en
Max time kernel: 118s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1008 wrote to memory of 2232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 2232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 2232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 2232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 2232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 2232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 2232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win7-20240704-en
Max time kernel: 140s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 268

Network

N/A

Files

memory/2696-0-0x0000000050310000-0x0000000050349000-memory.dmp

memory/2696-1-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2696-2-0x0000000050120000-0x000000005030D000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win7-20240708-en
Max time kernel: 117s
Max time network: 118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2180 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2180 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240611-en
Max time kernel: 129s
Max time network: 136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1384 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 2228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 616

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win7-20240708-en
Max time kernel: 120s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1

Network

N/A

Files

memory/1720-0-0x0000000059800000-0x000000005986E000-memory.dmp

memory/1720-2-0x0000000057000000-0x000000005703F000-memory.dmp

memory/1720-3-0x0000000050120000-0x000000005030D000-memory.dmp

memory/1720-1-0x0000000050000000-0x0000000050116000-memory.dmp

memory/1720-4-0x0000000057800000-0x0000000057812000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win7-20240704-en
Max time kernel: 140s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 224

Network

N/A

Files

memory/3064-0-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240404-en
Max time kernel: 141s
Max time network: 136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2768 wrote to memory of 4140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 4140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 4140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 696

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.17.178.52.in-addr.arpa | udp

Files

memory/4140-0-0x0000000050310000-0x0000000050349000-memory.dmp

memory/4140-1-0x0000000050000000-0x0000000050116000-memory.dmp

memory/4140-2-0x0000000050120000-0x000000005030D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240404-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2772 set thread context of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Network

Country | Destination | Domain | Proto
FR | 213.5.130.58:443 | | tcp
US | 8.8.8.8:53 | 58.130.5.213.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
FR | 213.5.130.58:443 | | tcp
FR | 213.5.130.58:443 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
FR | 213.5.130.58:443 | | tcp
FR | 213.5.130.58:443 | | tcp
FR | 213.5.130.58:443 | | tcp
US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp
FR | 213.5.130.58:443 | | tcp
US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp

Files

memory/2772-0-0x00000000737C0000-0x000000007393B000-memory.dmp

memory/2772-1-0x00007FFE9D460000-0x00007FFE9D63B000-memory.dmp

memory/2772-12-0x00000000737D2000-0x00000000737D4000-memory.dmp

memory/2772-13-0x00000000737C0000-0x000000007393B000-memory.dmp

memory/2772-14-0x00000000737C0000-0x000000007393B000-memory.dmp

memory/2772-17-0x0000000059800000-0x000000005986E000-memory.dmp

memory/2772-23-0x0000000050310000-0x0000000050349000-memory.dmp

memory/3380-24-0x00000000737C0000-0x000000007393B000-memory.dmp

memory/2772-22-0x0000000061E00000-0x0000000061ECA000-memory.dmp

memory/2772-21-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2772-20-0x0000000057800000-0x0000000057812000-memory.dmp

memory/2772-19-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2772-18-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2772-16-0x0000000000400000-0x000000000064B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e95c3989

MD5 b7f5a46de5f5d13fce38256ab738d652
SHA1 33482a8273ecbc6d72bae6f4994710c2b9cc268a
SHA256 cb71fb3b9fc51d26367c482db92a745d9bf0b8c9843e5fb336fb378988522183
SHA512 870300dfdeccc00c4dbcbf7943ed0c1825197bd881f3433430131d7b29bc3e2200459901783e4eb2942611d351d158d7c2423d9b13ea7d8263c4f00eee513235

memory/3380-26-0x00007FFE9D460000-0x00007FFE9D63B000-memory.dmp

memory/3380-28-0x00000000737C0000-0x000000007393B000-memory.dmp

memory/3380-29-0x00000000737C0000-0x000000007393B000-memory.dmp

memory/3380-31-0x00000000737C0000-0x000000007393B000-memory.dmp

memory/4668-32-0x00007FFE9D460000-0x00007FFE9D63B000-memory.dmp

memory/4668-33-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-35-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-37-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-38-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-39-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-40-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-41-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 6be01e88e7d2124fb718797d720f1540
SHA1 5fc31e3a5d75067d7ddba4919e4f0516f0bcf28c
SHA256 a1c3df8b5863709007d8958e831d0956006de375df7771cef6952427585a3c59
SHA512 a092fa72ac04d23e24d687763a42ea8fa315d59aec6345ed25def7a2cb1ee8e919d5f088c3eec45bdd13e6fefe9b985dc557e366d197b97ed7117f340f522e70

memory/4668-46-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-47-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-48-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-49-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4668-50-0x0000000000400000-0x0000000000483000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240611-en
Max time kernel: 134s
Max time network: 137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 540 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 540 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 540 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 616

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp

Files

memory/5052-0-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win7-20240705-en
Max time kernel: 120s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2028 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240404-en
Max time kernel: 133s
Max time network: 145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 752 wrote to memory of 824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 752 wrote to memory of 824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 752 wrote to memory of 824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win7-20240708-en
Max time kernel: 122s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1712 wrote to memory of 2312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 2312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 2312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 2312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 2312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 2312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 2312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1

Network

N/A

Files

memory/2312-0-0x0000000057800000-0x0000000057812000-memory.dmp

memory/2312-1-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2312-2-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2312-3-0x0000000050120000-0x000000005030D000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240404-en
Max time kernel: 132s
Max time network: 135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4768 wrote to memory of 3080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4768 wrote to memory of 3080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4768 wrote to memory of 3080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240404-en
Max time kernel: 133s
Max time network: 137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2804 wrote to memory of 4552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2804 wrote to memory of 4552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2804 wrote to memory of 4552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp

Files

memory/4552-0-0x0000000057000000-0x000000005703F000-memory.dmp

memory/4552-1-0x0000000050120000-0x000000005030D000-memory.dmp

memory/4552-2-0x0000000050000000-0x0000000050116000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240404-en
Max time kernel: 133s
Max time network: 135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4236 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4236 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4236 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp

Files

memory/2580-3-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2580-1-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2580-0-0x0000000057800000-0x0000000057812000-memory.dmp

memory/2580-2-0x0000000050000000-0x0000000050116000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted: 2024-07-19 19:18
Reported: 2024-07-19 19:21
Platform: win10-20240404-en
Max time kernel: 133s
Max time network: 135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 524 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 524 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 524 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 235.17.178.52.in-addr.arpa udp

Files

memory/2716-0-0x0000000059800000-0x000000005986E000-memory.dmp

memory/2716-2-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2716-3-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2716-1-0x0000000057800000-0x0000000057812000-memory.dmp

memory/2716-4-0x0000000050120000-0x000000005030D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 19:18

Reported

2024-07-19 19:21

Platform

win7-20240705-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2312 set thread context of 616 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
FR 213.5.130.58:443 tcp
FR 213.5.130.58:443 tcp
FR 213.5.130.58:443 tcp
FR 213.5.130.58:443 tcp

Files

memory/2312-0-0x00000000742F0000-0x0000000074464000-memory.dmp

memory/2312-1-0x00000000771F0000-0x0000000077399000-memory.dmp

memory/2312-12-0x0000000074302000-0x0000000074304000-memory.dmp

memory/2312-13-0x00000000742F0000-0x0000000074464000-memory.dmp

memory/2312-14-0x00000000742F0000-0x0000000074464000-memory.dmp

memory/2312-22-0x0000000061E00000-0x0000000061ECA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ba3c5cc

MD5 ee89543e1bae0212c0db3050557fdf5b
SHA1 fbf03c20f62f7890b2f0d2e1bd6f36da5f353ddc
SHA256 61aa62303003deeca437005836b2aadca774664ec499f1e57767f9a51cdc03c7
SHA512 0535c9ad517ba4814c072d59d2850e75b28b8257a31738d5749d19b77b60424be38cfd72fd96261a3ed25461e383d530046ef8f4f241ceb810d15f8b987199e5

memory/616-24-0x00000000742F0000-0x0000000074464000-memory.dmp

memory/2312-23-0x0000000050310000-0x0000000050349000-memory.dmp

memory/2312-21-0x0000000057800000-0x0000000057812000-memory.dmp

memory/2312-20-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2312-19-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2312-18-0x0000000059800000-0x000000005986E000-memory.dmp

memory/2312-17-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2312-16-0x0000000000400000-0x000000000064B000-memory.dmp

memory/616-26-0x00000000771F0000-0x0000000077399000-memory.dmp

memory/616-71-0x00000000742F0000-0x0000000074464000-memory.dmp

memory/616-72-0x00000000742F0000-0x0000000074464000-memory.dmp

memory/616-74-0x00000000742F0000-0x0000000074464000-memory.dmp

memory/1592-75-0x00000000771F0000-0x0000000077399000-memory.dmp

memory/1592-76-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-80-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-82-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-83-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-84-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-85-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-86-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-87-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-88-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-89-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-90-0x00000000000C0000-0x0000000000143000-memory.dmp

memory/1592-91-0x00000000000C0000-0x0000000000143000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-19 19:18

Reported

2024-07-19 19:21

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1

Network

N/A

Files

memory/2344-0-0x0000000057000000-0x000000005703F000-memory.dmp

memory/2344-1-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2344-2-0x0000000050120000-0x000000005030D000-memory.dmp