Malware Analysis Report

2024-10-16 05:08

Sample ID 240818-dx1mjawank
Target a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118
SHA256 1ed88842968fc634ce7f3a0ec6436ed087b0e4dbcd96521f3182e7d89df2199a
Tags
discovery flawedammyy trojan ammyyadmin
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analyses: behavioral1 to behavioral32, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in the order behavioral12, 19, 21, 8, 11, 14, 29, 30, 3, 6, 24, 2, 13, 22, 23, 25, 26, 1, 17, 20, 7, 18, 10, 27, 28, 31, 4, 5, 15, 16, 9, 32

Analysis Overview

score
10/10

SHA256

1ed88842968fc634ce7f3a0ec6436ed087b0e4dbcd96521f3182e7d89df2199a

Threat Level: Known bad

The file a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery flawedammyy trojan ammyyadmin

FlawedAmmyy RAT

AmmyyAdmin payload

Ammyyadmin family

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 03:24

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description | Indicator | Process | Target
17 matches; no description, indicator, process or target is reported for any of them (all fields N/A).

NSIS installer

installer
Description | Indicator | Process | Target
2 matches; no details reported (all fields N/A).

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\baro.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\baro.exe | N/A

Note: ATT&CK T1614.001. This key is also opened during ordinary locale initialisation, so on its own the signature is weak evidence; weigh it together with the family detections from the static analysis.

Processes

C:\Users\Admin\AppData\Local\Temp\baro.exe

"C:\Users\Admin\AppData\Local\Temp\baro.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
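
Every row in this table is either a PTR (in-addr.arpa) query to the sandbox resolver or a fetch from tse1.mm.bing.net, traffic that a Windows 10 image generates by itself; the same pattern recurs in the other win10v2004 runs below, and none of the runs on this page shows a contact that could be the RAT's command-and-control. The Python below is an added example written for this page, not part of the report or of the sandbox's tooling. It parses rows in the report's `Country Destination Domain Proto` layout, separates assumed background noise from candidate contacts, and pulls a PTR lookup back out of the noise bucket when the address it asks about was itself contacted. The noise suffix list and the last two sample rows (a 203.0.113.7 destination and its PTR query) are the example's own assumptions, not data from the report.

```python
"""Separate sandbox background traffic from candidate C2 contacts.

Added example for this page; not part of the report or the sandbox tooling.
Input rows follow the report's layout: `Country Destination Domain Proto`.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the first rows are copied from the behavioral12 Network
# table; the last two (a 203.0.113.7 contact and its PTR query) are invented
# for the example so that the "candidate" and "related PTR" paths are exercised.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 203.0.113.7:443 update.example.net tcp
US 8.8.8.8:53 7.113.0.203.in-addr.arpa udp
"""

# Assumed allow-list for a bare Windows 10 sandbox image (analyst judgement,
# not something the report states); tune it for your own environment.
NOISE_DOMAIN_SUFFIXES = (".bing.net", ".bing.com", ".in-addr.arpa")

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str) -> List[Flow]:
    """Parse the report's four-column rows, skipping the header line."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Country"):
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed destination
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def reverse_ptr_ip(domain: str) -> Optional[str]:
    """Turn a PTR query name back into the IPv4 address it asks about."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def is_background_noise(flow: Flow) -> bool:
    """True when the destination name matches the assumed sandbox allow-list."""
    return flow.domain.endswith(NOISE_DOMAIN_SUFFIXES)


def triage(text: str) -> Dict[str, List[Flow]]:
    """Bucket rows into noise, candidate contacts, and PTR lookups tied to them."""
    flows = parse_rows(text)
    noise = [f for f in flows if is_background_noise(f)]
    candidates = [f for f in flows if not is_background_noise(f)]
    # A PTR lookup for an address the sample actually contacted belongs with
    # that contact as evidence, so pull it back out of the noise bucket.
    contacted = {f.ip for f in candidates}
    related = [f for f in noise if reverse_ptr_ip(f.domain) in contacted]
    noise = [f for f in noise if f not in related]
    return {"noise": noise, "candidates": candidates, "related_ptr": related}


def unique_contacts(flows: List[Flow]) -> List[str]:
    """Distinct ip:port/proto strings, the form you would feed to a blocklist."""
    return sorted({f"{f.ip}:{f.port}/{f.proto}" for f in flows})


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"noise rows: {len(result['noise'])}")
    print("candidate contacts:", unique_contacts(result["candidates"]))
    print("PTR lookups tied to them:", [f.domain for f in result["related_ptr"]])
```

Run against the table above with the two constructed rows removed, `candidates` and `related_ptr` come back empty, which is the point: the report's network sections document sandbox background, not the sample's infrastructure. Keep the allow-list short and reviewable; an over-broad suffix such as `.net` would hide exactly the contact you are looking for.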

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240708-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"

Network

N/A

Files

memory/784-0-0x0000000073CC2000-0x0000000073CC4000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:27

Platform

win7-20240708-en

Max time kernel

15s

Max time network

21s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:27

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Note: the sandbox exercises the dropped DLL by having rundll32 call its export #1, which rundll32 invokes with its own (HWND, HINSTANCE, LPSTR, int) argument convention. NSIS plugins such as LangDLL.dll expect the installer's plugin calling convention instead, so a crash here is an artifact of the harness rather than evidence of malicious behaviour. The same reading applies to the other rundll32 ",#1" crashes in this report.

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1400 wrote to memory of 4800 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Note: the writer is the 64-bit rundll32.exe and the target is the 32-bit copy it launched from SysWOW64 with the same command line to host a 32-bit DLL; the writes belong to that process creation. This is the normal WoW64 re-launch, not injection into an unrelated process, and the same pairing recurs in the other rundll32 runs below.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240704-en

Max time kernel

14s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\baro.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\baro.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\baro.exe

"C:\Users\Admin\AppData\Local\Temp\baro.exe"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

108s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3744 wrote to memory of 4160 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240729-en

Max time kernel

140s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: to \??\Z:, 23 drive letters in the order logged: X Z L M P T U N O V A B E H K I J R Y G Q S W (every letter except C, D and F) | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Network

N/A

Files

memory/2544-0-0x0000000001220000-0x0000000001C07000-memory.dmp

memory/2544-1-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2544-9-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2544-8-0x0000000001220000-0x0000000001C07000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: to \??\Z:, 23 drive letters in the order logged: G I N P W E J Q U Y B R T O H K L M S V X A Z (every letter except C, D and F) | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/220-0-0x00000000007A0000-0x0000000001187000-memory.dmp

memory/220-1-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

memory/220-9-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

memory/220-8-0x00000000007A0000-0x0000000001187000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:27

Platform

win7-20240704-en

Max time kernel

7s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 236

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1228 wrote to memory of 2208 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2208 -ip 2208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsi67D3.tmp\AdvSplash.dll

MD5 13cc92f90a299f5b2b2f795d0d2e47dc
SHA1 aa69ead8520876d232c6ed96021a4825e79f542f
SHA256 eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
SHA512 ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

C:\Users\Admin\AppData\Local\Temp\nsi67D3.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

C:\Users\Admin\AppData\Local\Temp\nsi67D3.tmp\ioSpecial.ini

MD5 f1125bceef5a71a8951108dfd88d3490
SHA1 b81794dc240b48a613a99a225bd0e2b945f90d62
SHA256 b0710b0bc362d20626870ca732968c995f991ec320287fa19993abdd00fb8ba8
SHA512 408c8a6597ce44cbc16195c138e9cdef1c3a1bd39ae0cb9180449c15efb803ea1a4794fe3ec8987ee1c5004244615b2e2dad20ee1142940c87303fa4bba68a3c

C:\Users\Admin\AppData\Local\Temp\nsi67D3.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:27

Platform

win7-20240704-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 228

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

82s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2008 wrote to memory of 4204 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240704-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:27

Platform

win7-20240704-en

Max time kernel

10s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso7EA3.tmp\AdvSplash.dll

MD5 13cc92f90a299f5b2b2f795d0d2e47dc
SHA1 aa69ead8520876d232c6ed96021a4825e79f542f
SHA256 eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
SHA512 ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

\Users\Admin\AppData\Local\Temp\nso7EA3.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

\Users\Admin\AppData\Local\Temp\nso7EA3.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nso7EA3.tmp\ioSpecial.ini

MD5 6a9ad6f18f1fe55a14d86c3330e79be6
SHA1 73a37c7751b0e788a373a747843d7dcf68d3b984
SHA256 ac52fef41f99b2c8c016ba27b09039de4ca862b0ab617762b0b9b7852dba31d2
SHA512 6ba5a21a0311844878fb3c4227f17525d7110930649e30aa1bbc7bc65328b3f70260110eae2ece7ccb57b70848ad9b004c68c77948e208b09e8b41e744f96a7b

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240729-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

135s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"

Network


Files

memory/1952-0-0x0000000074442000-0x0000000074443000-memory.dmp

memory/1952-1-0x0000000074440000-0x00000000749F1000-memory.dmp

memory/1952-2-0x0000000074440000-0x00000000749F1000-memory.dmp

memory/1952-4-0x0000000074440000-0x00000000749F1000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240708-en

Max time kernel

13s

Max time network

18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 224

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1

Network


Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

108s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 3616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4500 wrote to memory of 3616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4500 wrote to memory of 3616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3616 -ip 3616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 616

Network


Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240708-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c16545337d74c1156aeb26b C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14608a11716933a51913de642a70b35b64d686eb5920abf001ec0e18a4a1744ddd5478da770961e07406d640bb571d06ed578c820e40da68131ec51d4ad1aed08744eef4 C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 c5b80443bc31f2f5c1d2e384c3b82961
SHA1 445a99fa06484d216276b9284eedf25483780216
SHA256 cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad
SHA512 eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

C:\ProgramData\AMMYY\hr3

MD5 9e6e8e07db00e33e9c058466997d0208
SHA1 adc258608504f65e26d690994fb5a9bfc9b801a2
SHA256 5a6820134785484cd772b290ec90dbc2287060105d4672db1118ef3436952898
SHA512 305ccb4237e3201de928c8d70323055a4908440ad287dd1f26f7e943000d1f24de8d0cf989b9d4c59b3d52cbe5b5c6c93e65a96ea3bae395f06b6112a1ae236d

C:\ProgramData\AMMYY\hr

MD5 f75cb35f010bacf6141c3dc9829be850
SHA1 5d6bd879e76af63bdb154865f5d855b2db052573
SHA256 bf7c51fbf42e63322c0b7cfc22d0fc01738862a8e16949ad1f93e67dbf0256a3
SHA512 60bf5b766508cbbc03f7d5383ebeb4e50b19959922e87c9e1f5db8ddacff75e2c1c05e2bc39ffb2abf7304a0007f2b9606a5159e6836e0d518028318809267e4

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253a24d3c1156aeb26b C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = da7a14ab001149c9c90f4fdbc5206b2f4425e17429d02099c8095f4bbf98cbb93ef83236f3b0e821819a3cec39d80cc1da397bf59d6fc93690c49b32ac16fd2856fd4c52d3e194b141e9c6 C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 c5b80443bc31f2f5c1d2e384c3b82961
SHA1 445a99fa06484d216276b9284eedf25483780216
SHA256 cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad
SHA512 eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

C:\ProgramData\AMMYY\hr3

MD5 2cc7d1129cc9c27a3c58bf649c78a61f
SHA1 4e1fadbdea20fa098808d70ee0c743254ec529ff
SHA256 93a6b353ece109ac73acd9f49af0922cd64273991bc05d05e43c9bc3b385ce94
SHA512 d34f3328fccbde72a7e56a294baf389987a8da75b75531c8a3a6ded12c0d7f80171e7c71fec763976132b73143543c1e3db4e8aca5e74dd2f8a72b661c2e52c2

C:\ProgramData\AMMYY\hr

MD5 fa43150f2517ea0cde53e6cf60d4fee4
SHA1 a3ce296b1122a621314c16240ed92ecd89e5dc97
SHA256 fe3231296f8c8feecd2282b48600e91efdeeeef068b1faacad8bc78b8468efa8
SHA512 23be621c267c4c2e44586051129115b2ccffb1a4fa2b7f2333c3a5b85dc74781bed3993d8d15a85d6f3e4e5a6ead1d12ea6f78071ab7f44f6640ff095a10bcba

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240705-en

Max time kernel

140s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Network

N/A

Files

memory/1480-1-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1480-0-0x0000000000E60000-0x0000000001847000-memory.dmp

memory/1480-9-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1480-8-0x0000000000E60000-0x0000000001847000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:27

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1016 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1016 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 616

Network


Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240704-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 244

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240708-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:27

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1

Network


Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win7-20240704-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2800 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2800 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2800 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2800 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2800 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2800 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-18 03:24

Reported

2024-08-18 03:26

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Network


Files

memory/1908-1-0x00000000019F0000-0x00000000019F1000-memory.dmp

memory/1908-0-0x0000000000610000-0x0000000000FF7000-memory.dmp

memory/1908-9-0x00000000019F0000-0x00000000019F1000-memory.dmp

memory/1908-8-0x0000000000610000-0x0000000000FF7000-memory.dmp