Malware Analysis Report

2024-10-16 05:08

Sample ID 240826-sq4sya1aqe
Target c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118
SHA256 65d4e85c117014155b266f2785d05bac7530bfd3eff04d2804cc831e464962f6
Tags ammyyadmin flawedammyy discovery trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

65d4e85c117014155b266f2785d05bac7530bfd3eff04d2804cc831e464962f6

Threat Level: Known bad

The file c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy discovery trojan

Ammyyadmin family

AmmyyAdmin payload

FlawedAmmyy RAT

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 15:20

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240704-en

Max time kernel

9s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\MarkupConverter.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\MarkupConverter.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240704-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c16545327d228a883a8b26b C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 33afa561877072c67d3b71518c9cd468b9cd58502b0ae0e6e6ad8fd3e10b15a5844e9c4cc3dcc8166a4f5a4a7994f562a4622ac0066acc8b2d2e722d36daa1c7ae23e3fd C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 c5b80443bc31f2f5c1d2e384c3b82961
SHA1 445a99fa06484d216276b9284eedf25483780216
SHA256 cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad
SHA512 eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

C:\ProgramData\AMMYY\hr

MD5 828f4e7549d15c71a04a57283757b0ab
SHA1 90a711a1574e24d8d2da2be59ce7f1dfa9cfb68f
SHA256 b8a5fd0a7daeb2abc987c910ebdb5250f571df02feec6bed73c99354c2ecfa0d
SHA512 40f45a3c374a6e141ef4d2ecd14d499e2fa8fb8774705e694865ce36aa7cb646768aa973f0fa2f14c94107bb7d07a27686bbb478e796cda6da795b2358f40e9b

C:\ProgramData\AMMYY\hr3

MD5 345dd8ab6468a64d99e1ab5d615c6a1d
SHA1 04b5029d7b6e3ac64e7db463179a2c798045ffb3
SHA256 d35ec422d46d5b5bec60992f758dd96bb5981d30322f62945eeab810a781bcab
SHA512 f19a1394c5cf2c5eceff1f88763e7e2f094bc587824911a5ab2dd719dad4de9682270476debaca9bdfc53a0b02b1d97ffbde63b792ceb9d15e0fe0dd06d4ae6a

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\advsplash.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3232 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3232 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\advsplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\advsplash.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240705-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240704-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst4B92.tmp\advsplash.dll

MD5 669030d7919ae29999a2fd89aa427202
SHA1 870bcb7e87bbf423abcbc1c5be80f7e63720a6d8
SHA256 e1ae0a39d4d941cdfaf87f1df87f7ec50146e2e32705254e4d3618f74506bb82
SHA512 1637b854938c6b05938a3a6a06181ae70e23f6cc9a4bca4f8024db65314771197ae3d5008c83dd480ede7fec14d655dae15f439e327fc33c7b70853710621e8f

\Users\Admin\AppData\Local\Temp\nst4B92.tmp\LangDLL.dll

MD5 ea60c7bd5edd6048601729bd31362c16
SHA1 6e6919d969eb61a141595014395b6c3f44139073
SHA256 4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39
SHA512 f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993

C:\Users\Admin\AppData\Local\Temp\nst4B92.tmp\ioSpecial.ini

MD5 d50f5ff8aad7e99acd70ca651e259616
SHA1 c85b1c9fc547520fd7eca223bf8525cc58f50e28
SHA256 741f7f7031a42997219a397a26290e3c0934b3b9e0687c0d4f736eeadca97b34
SHA512 7461aebb354d2c536c44771008b7f0eaafaf38a4eaadce4a5a2cb2b941801fd57da5c0cee5fe76462bd8efce53d6a0edc2d4128acbdc64250da9b0222860bf2f

\Users\Admin\AppData\Local\Temp\nst4B92.tmp\InstallOptions.dll

MD5 20f3184efe7edddfef3325efc25d12a5
SHA1 8db4c500d73f9525a7e9834df6caea2e70189939
SHA256 0e014352b64abc431d97460d79757cbafbf6ba997c08b608c294e1f582af269a
SHA512 433188957a4603c9c61ec698a720021aacf61f46ccc32d5a11bcb6f2d0b1f01e5680635707d8a0ec7a9ef2aa2a85d6dec07ded452e4cb9e280062c0bed555c1a

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 1004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4880 wrote to memory of 1004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4880 wrote to memory of 1004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1004 -ip 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\baro.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\baro.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\baro.exe

"C:\Users\Admin\AppData\Local\Temp\baro.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240704-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Interop.WIA.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 2152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 116 wrote to memory of 2152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 116 wrote to memory of 2152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240704-en

Max time kernel

10s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\advsplash.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\advsplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\advsplash.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 236

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240704-en

Max time kernel

13s

Max time network

18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 2500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2136 wrote to memory of 2500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\FreeImage.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2500 -ip 2500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240708-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"

Network

N/A

Files

memory/2316-0-0x00000000743E2000-0x00000000743E4000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\System.Drawing.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 1476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3128 wrote to memory of 1476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3128 wrote to memory of 1476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240704-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = d463288fe2b2e978f2f8193129cb260ab14f0b2fa632465a77764165450a1a569e567adc8cce05378ff608c78c52f67d22a345645fc308049f2fc5d1f521af7b74920493ae873654dae6d8 | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752539c3eafa883a8b26b | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe

"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | (none) | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 identical entries)
US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 c5b80443bc31f2f5c1d2e384c3b82961
SHA1 445a99fa06484d216276b9284eedf25483780216
SHA256 cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad
SHA512 eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

C:\ProgramData\AMMYY\hr3

MD5 b1f44194d86bbc977f1c34a598900e59
SHA1 aca7da67f0a4e24d2faf0693210a8422b29a9bbd
SHA256 b567168244feeda2ff4bacb22668b57bbba3cf51b4c5821ff4934b71960a9bc2
SHA512 8cfd643c2230652b5cb4c2a5e4a42bfec3c8368f21c6df3ad48d48f983920dfae5b3c5a7e662fb170c67465d0d8e6433b629095cd55a6b4d9df5b395dbe9673e

C:\ProgramData\AMMYY\hr

MD5 71a2f293f1348faf34d576cd618740ab
SHA1 110413d7020e59c59f7b2d800a4cfa64857d86d9
SHA256 88e0734a5294240da4a8a8606bb32a40324ec80e33871d05ddf171e5a9ab01b4
SHA512 a6ab2711e8bff8e99ede2da5e3ee93b75330f5b082eb4a5659b5cacc648b6e05c6045dd36308caa6ffd56a0ec309b5b5081dc65eb36b3bc1f28c94442b8f75f4

Analysis: behavioral31

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240708-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only), one event per drive letter | \??\B:, \??\E:, \??\G:, \??\L:, \??\O:, \??\Y:, \??\H:, \??\R:, \??\V:, \??\X:, \??\Z:, \??\J:, \??\M:, \??\T:, \??\U:, \??\A:, \??\I:, \??\K:, \??\N:, \??\P:, \??\Q:, \??\S:, \??\W: | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Network

N/A

Files

memory/2200-1-0x00000000013E0000-0x00000000013E1000-memory.dmp

memory/2200-0-0x0000000000060000-0x000000000136F000-memory.dmp

memory/2200-8-0x00000000013E0000-0x00000000013E1000-memory.dmp

memory/2200-7-0x0000000000060000-0x000000000136F000-memory.dmp

memory/2200-10-0x0000000000060000-0x000000000136F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

132s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c3456bef8a4584ec64a5dd87ab20e28e_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 52.111.229.43:443 | (none) | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 identical entries)
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nst8FAE.tmp\advsplash.dll

MD5 669030d7919ae29999a2fd89aa427202
SHA1 870bcb7e87bbf423abcbc1c5be80f7e63720a6d8
SHA256 e1ae0a39d4d941cdfaf87f1df87f7ec50146e2e32705254e4d3618f74506bb82
SHA512 1637b854938c6b05938a3a6a06181ae70e23f6cc9a4bca4f8024db65314771197ae3d5008c83dd480ede7fec14d655dae15f439e327fc33c7b70853710621e8f

C:\Users\Admin\AppData\Local\Temp\nst8FAE.tmp\LangDLL.dll

MD5 ea60c7bd5edd6048601729bd31362c16
SHA1 6e6919d969eb61a141595014395b6c3f44139073
SHA256 4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39
SHA512 f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993

C:\Users\Admin\AppData\Local\Temp\nst8FAE.tmp\ioSpecial.ini

MD5 d40bd46b45573fb1b60fcce57f6abece
SHA1 793c2c73a17984b0b6fdda0e9b8852a13650ab97
SHA256 aae6383ffe376f756f1f7168de3bb7209234fdac4cd4c9a1ca5f6823084deb0a
SHA512 9f1a2acbaeec0fc2d5bec4a3f58b68db20ea83c3e3bbf5967c12d73c7060b84ea20e8fd14c32b52cc865c789db033a908fecff45273b61424605f5673c8b9c3b

C:\Users\Admin\AppData\Local\Temp\nst8FAE.tmp\InstallOptions.dll

MD5 20f3184efe7edddfef3325efc25d12a5
SHA1 8db4c500d73f9525a7e9834df6caea2e70189939
SHA256 0e014352b64abc431d97460d79757cbafbf6ba997c08b608c294e1f582af269a
SHA512 433188957a4603c9c61ec698a720021aacf61f46ccc32d5a11bcb6f2d0b1f01e5680635707d8a0ec7a9ef2aa2a85d6dec07ded452e4cb9e280062c0bed555c1a

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240708-en

Max time kernel

14s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240729-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2500 wrote to memory of 3016 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PBWS32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240705-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4572 wrote to memory of 1676 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1676 -ip 1676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 552

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 identical entries)
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\MarkupConverter.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\MarkupConverter.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 identical entries)

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\dll\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 identical entries)
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/3852-0-0x0000000074A32000-0x0000000074A33000-memory.dmp

memory/3852-1-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/3852-3-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/3852-4-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only), one event per drive letter | \??\O:, \??\Q:, \??\R:, \??\A:, \??\H:, \??\I:, \??\M:, \??\N:, \??\V:, \??\G:, \??\L:, \??\T:, \??\W:, \??\Y:, \??\B:, \??\J:, \??\K:, \??\S:, \??\U:, \??\E:, \??\P:, \??\X:, \??\Z: | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe

"C:\Users\Admin\AppData\Local\Temp\dll\WinSCP.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 identical entries)

Files

memory/2780-1-0x0000000002390000-0x0000000002391000-memory.dmp

memory/2780-0-0x0000000000670000-0x000000000197F000-memory.dmp

memory/2780-8-0x0000000002390000-0x0000000002391000-memory.dmp

memory/2780-7-0x0000000000670000-0x000000000197F000-memory.dmp

memory/2780-9-0x0000000000670000-0x000000000197F000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\Saraff.Twain.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 identical entries)
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240708-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 244

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240708-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\baro.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\baro.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\baro.exe

"C:\Users\Admin\AppData\Local\Temp\baro.exe"

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\PdfSharp.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 identical entries)
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-26 15:20

Reported

2024-08-26 15:23

Platform

win7-20240708-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2732 wrote to memory of 2784 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\SDD_TWAIN_SCANNER.dll,#1

Network

N/A

Files

N/A