Malware Analysis Report

2025-04-03 14:29

Sample ID 241001-hn5mcazfqc
Target 特典への署名 - 署名して返送#9553-01.tbz
SHA256 dd72d4aef098a3d521a2cbea6e58ba477a2bad051aca8f15593adff4f3cb4eb3
Tags
guloader remcos remotehost collection discovery downloader rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd72d4aef098a3d521a2cbea6e58ba477a2bad051aca8f15593adff4f3cb4eb3

Threat Level: Known bad

The file 特典への署名 - 署名して返送#9553-01.tbz was found to be: Known bad.

Malicious Activity Summary

guloader remcos remotehost collection discovery downloader rat spyware stealer

Remcos

Guloader,Cloudeye

NirSoft MailPassView

Detected Nirsoft tools

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-01 06:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-01 06:53

Reported

2024-10-01 06:56

Platform

win7-20240903-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2052 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2820 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

Processes

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe"

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe"

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\madumfkmsfiotiaqkxnl"

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\puimfyvggnabvopcthaevht"

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zooffqohuvsgfclgdsuggufyqo"

Network

Country Destination Domain Proto
US 172.245.93.118:80 172.245.93.118 tcp
US 172.245.93.118:25000 tcp
US 172.245.93.118:25000 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

\Users\Admin\AppData\Local\Temp\nstD329.tmp\System.dll

MD5 b853d5d2361ade731e33e882707efc34
SHA1 c58b1aeabdf1cbb8334ef8797e7aceaa7a1cb6be
SHA256 f0cd96e0b6e40f92ad1aa0efacde833bae807b92fca19bf062c1cf8acf29484b
SHA512 8ea31d82ffa6f58dab5632fe72690d3a6db0be65aec85fc8a1f71626773c0974dcebefae17bcf67c4c56ef442545e985eea0b348ff6e4fc36740640092b08d69

C:\Users\Admin\AppData\Local\Temp\BooConf.ini

MD5 8b9fc0443d7e48145e2d4b37afb2d37b
SHA1 64a5718a478a38ac262d2e46da81d0e88c122a0f
SHA256 4f743978ead44260f895c983689d718e31ca826161c447d205021a9d3e010afa
SHA512 5126da1d29f662465241c8b51b95783df3f88c8feb8bb1b65dcf354738c48aab4bfb6c0035dfe6b40fa03ae5aaba8f72f1c31343aec7d4edb9c6ebcc773cc3d3

memory/2052-30-0x0000000003D80000-0x00000000047D0000-memory.dmp

memory/2052-31-0x0000000077041000-0x0000000077142000-memory.dmp

memory/2052-32-0x0000000077040000-0x00000000771E9000-memory.dmp

memory/2052-33-0x0000000003D80000-0x00000000047D0000-memory.dmp

memory/2820-34-0x0000000077040000-0x00000000771E9000-memory.dmp

memory/2820-35-0x0000000000470000-0x00000000014D2000-memory.dmp

memory/2820-37-0x0000000000470000-0x00000000014D2000-memory.dmp

memory/2596-43-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2584-42-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2648-49-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2648-52-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2648-51-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2584-50-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2648-48-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2648-47-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2596-46-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2584-45-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2596-44-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2584-41-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2596-54-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2584-59-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\madumfkmsfiotiaqkxnl

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2596-62-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2820-68-0x0000000031A40000-0x0000000031A59000-memory.dmp

memory/2820-67-0x0000000031A40000-0x0000000031A59000-memory.dmp

memory/2820-64-0x0000000031A40000-0x0000000031A59000-memory.dmp

memory/2052-74-0x0000000003D80000-0x00000000047D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-01 06:53

Reported

2024-10-01 06:56

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Remcos

rat remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 1152 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 1152 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 1152 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 1152 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe
PID 2560 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

Processes

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe"

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe"

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rbwlqhvakabbfvjukbpffhvgvfowk"

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\cvbdrzgbgjtghbfybmbhiuqpvtyfmklw"

C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe

"C:\Users\Admin\AppData\Local\Temp\______ - ______#9553-01.exe" /stext "C:\Users\Admin\AppData\Local\Temp\exoo"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 172.245.93.118:80 172.245.93.118 tcp
US 172.245.93.118:25000 tcp
US 8.8.8.8:53 118.93.245.172.in-addr.arpa udp
US 172.245.93.118:25000 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsmBDC4.tmp\System.dll

MD5 b853d5d2361ade731e33e882707efc34
SHA1 c58b1aeabdf1cbb8334ef8797e7aceaa7a1cb6be
SHA256 f0cd96e0b6e40f92ad1aa0efacde833bae807b92fca19bf062c1cf8acf29484b
SHA512 8ea31d82ffa6f58dab5632fe72690d3a6db0be65aec85fc8a1f71626773c0974dcebefae17bcf67c4c56ef442545e985eea0b348ff6e4fc36740640092b08d69

memory/1152-30-0x00000000051D0000-0x0000000005C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BooConf.ini

MD5 8b9fc0443d7e48145e2d4b37afb2d37b
SHA1 64a5718a478a38ac262d2e46da81d0e88c122a0f
SHA256 4f743978ead44260f895c983689d718e31ca826161c447d205021a9d3e010afa
SHA512 5126da1d29f662465241c8b51b95783df3f88c8feb8bb1b65dcf354738c48aab4bfb6c0035dfe6b40fa03ae5aaba8f72f1c31343aec7d4edb9c6ebcc773cc3d3

memory/1152-31-0x0000000077B71000-0x0000000077C91000-memory.dmp

memory/1152-32-0x0000000010004000-0x0000000010005000-memory.dmp

memory/1152-33-0x00000000051D0000-0x0000000005C20000-memory.dmp

memory/2560-34-0x00000000016D0000-0x0000000002120000-memory.dmp

memory/2560-35-0x0000000077BF8000-0x0000000077BF9000-memory.dmp

memory/2560-36-0x0000000077C15000-0x0000000077C16000-memory.dmp

memory/2560-37-0x00000000016D0000-0x0000000002120000-memory.dmp

memory/2560-38-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-42-0x0000000077B71000-0x0000000077C91000-memory.dmp

memory/2560-43-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-44-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-45-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-46-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-47-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-48-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-49-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-50-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-53-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-54-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-55-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2948-56-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3292-65-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3292-64-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3292-68-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2560-73-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2168-67-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2168-62-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2560-74-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2168-61-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2168-60-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2948-59-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3292-58-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2560-75-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2948-57-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2948-79-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2560-80-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-81-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-82-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-84-0x0000000032E30000-0x0000000032E49000-memory.dmp

memory/2560-88-0x0000000032E30000-0x0000000032E49000-memory.dmp

memory/2560-87-0x0000000032E30000-0x0000000032E49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rbwlqhvakabbfvjukbpffhvgvfowk

MD5 18db1829b27eaeed163c211f5d179d72
SHA1 4442332494cba1e012f8876ecac42126ba995bc6
SHA256 610c5ee3f0e63441521d26bc477c9618a4c5f86e93d31b31890680c69e3ecc3d
SHA512 123d68b2c84f7a52d15faa212c06f33b04a55585e2aeb16bb14df95b18c0bcf31933e5bf0c736c90bc054b9527fccb046540d3302a0f149ebeed7c6bcca0b986

memory/2560-89-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-90-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-91-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-92-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-93-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-94-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-95-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-96-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-97-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-98-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-99-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-100-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-101-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-102-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-104-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-105-0x00000000004A4000-0x00000000004A5000-memory.dmp

memory/2560-106-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-107-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/2560-108-0x0000000000470000-0x00000000016C4000-memory.dmp

memory/1152-113-0x00000000051D0000-0x0000000005C20000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-01 06:53

Reported

2024-10-01 06:56

Platform

win7-20240729-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-01 06:53

Reported

2024-10-01 06:56

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 3592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4324 wrote to memory of 3592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4324 wrote to memory of 3592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A