Analysis Overview
SHA256
1ed88842968fc634ce7f3a0ec6436ed087b0e4dbcd96521f3182e7d89df2199a
Threat Level: Known bad
The file a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
FlawedAmmyy RAT
AmmyyAdmin payload
Ammyyadmin family
Checks computer location settings
Loads dropped DLL
Enumerates connected drives
Drops file in System32 directory
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 03:24
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
146s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\baro.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\baro.exe
"C:\Users\Admin\AppData\Local\Temp\baro.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240708-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"
Network
Files
memory/784-0-0x0000000073CC2000-0x0000000073CC4000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:27
Platform
win7-20240708-en
Max time kernel
15s
Max time network
21s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1756 wrote to memory of 964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1756 wrote to memory of 964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:27
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 4800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1400 wrote to memory of 4800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1400 wrote to memory of 4800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240704-en
Max time kernel
14s
Max time network
16s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\baro.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\baro.exe
"C:\Users\Admin\AppData\Local\Temp\baro.exe"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
108s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3744 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3744 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3744 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240729-en
Max time kernel
140s
Max time network
18s
Command Line
Signatures
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe
"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"
Network
Files
memory/2544-0-0x0000000001220000-0x0000000001C07000-memory.dmp
memory/2544-1-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2544-9-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2544-8-0x0000000001220000-0x0000000001C07000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
108s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe
"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/220-0-0x00000000007A0000-0x0000000001187000-memory.dmp
memory/220-1-0x0000000001BD0000-0x0000000001BD1000-memory.dmp
memory/220-9-0x0000000001BD0000-0x0000000001BD1000-memory.dmp
memory/220-8-0x00000000007A0000-0x0000000001187000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:27
Platform
win7-20240704-en
Max time kernel
7s
Max time network
16s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 236
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1228 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1228 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1228 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2208 -ip 2208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
133s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsi67D3.tmp\AdvSplash.dll
| MD5 | 13cc92f90a299f5b2b2f795d0d2e47dc |
| SHA1 | aa69ead8520876d232c6ed96021a4825e79f542f |
| SHA256 | eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb |
| SHA512 | ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3 |
C:\Users\Admin\AppData\Local\Temp\nsi67D3.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
C:\Users\Admin\AppData\Local\Temp\nsi67D3.tmp\ioSpecial.ini
| MD5 | f1125bceef5a71a8951108dfd88d3490 |
| SHA1 | b81794dc240b48a613a99a225bd0e2b945f90d62 |
| SHA256 | b0710b0bc362d20626870ca732968c995f991ec320287fa19993abdd00fb8ba8 |
| SHA512 | 408c8a6597ce44cbc16195c138e9cdef1c3a1bd39ae0cb9180449c15efb803ea1a4794fe3ec8987ee1c5004244615b2e2dad20ee1142940c87303fa4bba68a3c |
C:\Users\Admin\AppData\Local\Temp\nsi67D3.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:27
Platform
win7-20240704-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 228
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
82s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2008 wrote to memory of 4204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240704-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:27
Platform
win7-20240704-en
Max time kernel
10s
Max time network
19s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240704-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a533ab86bc7b1bdcfd05ff0c0f20b61d_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nso7EA3.tmp\AdvSplash.dll
| MD5 | 13cc92f90a299f5b2b2f795d0d2e47dc |
| SHA1 | aa69ead8520876d232c6ed96021a4825e79f542f |
| SHA256 | eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb |
| SHA512 | ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3 |
\Users\Admin\AppData\Local\Temp\nso7EA3.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
\Users\Admin\AppData\Local\Temp\nso7EA3.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nso7EA3.tmp\ioSpecial.ini
| MD5 | 6a9ad6f18f1fe55a14d86c3330e79be6 |
| SHA1 | 73a37c7751b0e788a373a747843d7dcf68d3b984 |
| SHA256 | ac52fef41f99b2c8c016ba27b09039de4ca862b0ab617762b0b9b7852dba31d2 |
| SHA512 | 6ba5a21a0311844878fb3c4227f17525d7110930649e30aa1bbc7bc65328b3f70260110eae2ece7ccb57b70848ad9b004c68c77948e208b09e8b41e744f96a7b |
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240729-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
135s
Max time network
128s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1952-0-0x0000000074442000-0x0000000074443000-memory.dmp
memory/1952-1-0x0000000074440000-0x00000000749F1000-memory.dmp
memory/1952-2-0x0000000074440000-0x00000000749F1000-memory.dmp
memory/1952-4-0x0000000074440000-0x00000000749F1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240708-en
Max time kernel
13s
Max time network
18s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 224
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
106s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
108s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4500 wrote to memory of 3616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4500 wrote to memory of 3616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4500 wrote to memory of 3616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240708-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c16545337d74c1156aeb26b | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14608a11716933a51913de642a70b35b64d686eb5920abf001ec0e18a4a1744ddd5478da770961e07406d640bb571d06ed578c820e40da68131ec51d4ad1aed08744eef4 | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2812 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe |
| PID 2812 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe |
| PID 2812 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe |
| PID 2812 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | c5b80443bc31f2f5c1d2e384c3b82961 |
| SHA1 | 445a99fa06484d216276b9284eedf25483780216 |
| SHA256 | cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad |
| SHA512 | eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97 |
C:\ProgramData\AMMYY\hr3
| MD5 | 9e6e8e07db00e33e9c058466997d0208 |
| SHA1 | adc258608504f65e26d690994fb5a9bfc9b801a2 |
| SHA256 | 5a6820134785484cd772b290ec90dbc2287060105d4672db1118ef3436952898 |
| SHA512 | 305ccb4237e3201de928c8d70323055a4908440ad287dd1f26f7e943000d1f24de8d0cf989b9d4c59b3d52cbe5b5c6c93e65a96ea3bae395f06b6112a1ae236d |
C:\ProgramData\AMMYY\hr
| MD5 | f75cb35f010bacf6141c3dc9829be850 |
| SHA1 | 5d6bd879e76af63bdb154865f5d855b2db052573 |
| SHA256 | bf7c51fbf42e63322c0b7cfc22d0fc01738862a8e16949ad1f93e67dbf0256a3 |
| SHA512 | 60bf5b766508cbbc03f7d5383ebeb4e50b19959922e87c9e1f5db8ddacff75e2c1c05e2bc39ffb2abf7304a0007f2b9606a5159e6836e0d518028318809267e4 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253a24d3c1156aeb26b | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = da7a14ab001149c9c90f4fdbc5206b2f4425e17429d02099c8095f4bbf98cbb93ef83236f3b0e821819a3cec39d80cc1da397bf59d6fc93690c49b32ac16fd2856fd4c52d3e194b141e9c6 | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2016 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe |
| PID 2016 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe |
| PID 2016 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | c5b80443bc31f2f5c1d2e384c3b82961 |
| SHA1 | 445a99fa06484d216276b9284eedf25483780216 |
| SHA256 | cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad |
| SHA512 | eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97 |
C:\ProgramData\AMMYY\hr3
| MD5 | 2cc7d1129cc9c27a3c58bf649c78a61f |
| SHA1 | 4e1fadbdea20fa098808d70ee0c743254ec529ff |
| SHA256 | 93a6b353ece109ac73acd9f49af0922cd64273991bc05d05e43c9bc3b385ce94 |
| SHA512 | d34f3328fccbde72a7e56a294baf389987a8da75b75531c8a3a6ded12c0d7f80171e7c71fec763976132b73143543c1e3db4e8aca5e74dd2f8a72b661c2e52c2 |
C:\ProgramData\AMMYY\hr
| MD5 | fa43150f2517ea0cde53e6cf60d4fee4 |
| SHA1 | a3ce296b1122a621314c16240ed92ecd89e5dc97 |
| SHA256 | fe3231296f8c8feecd2282b48600e91efdeeeef068b1faacad8bc78b8468efa8 |
| SHA512 | 23be621c267c4c2e44586051129115b2ccffb1a4fa2b7f2333c3a5b85dc74781bed3993d8d15a85d6f3e4e5a6ead1d12ea6f78071ab7f44f6640ff095a10bcba |
Analysis: behavioral31
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240705-en
Max time kernel
140s
Max time network
18s
Command Line
Signatures
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe
"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"
Network
Files
memory/1480-1-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/1480-0-0x0000000000E60000-0x0000000001847000-memory.dmp
memory/1480-9-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/1480-8-0x0000000000E60000-0x0000000001847000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:27
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
110s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1016 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1016 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1016 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AdvSplash.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240704-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 244
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240708-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:27
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win7-20240704-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2800 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2800 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2800 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2800 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2800 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2800 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2800 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-08-18 03:24
Reported
2024-08-18 03:26
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
155s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe
"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/1908-1-0x00000000019F0000-0x00000000019F1000-memory.dmp
memory/1908-0-0x0000000000610000-0x0000000000FF7000-memory.dmp
memory/1908-9-0x00000000019F0000-0x00000000019F1000-memory.dmp
memory/1908-8-0x0000000000610000-0x0000000000FF7000-memory.dmp