Analysis Overview
SHA256
1ecac9baae9daf7c7766ff7683570166d3be1031542475546c4db44e850dcafa
Threat Level: Shows suspicious behavior
The file 5197601d3263fce60649415662ad878e_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Indicator Removal: File Deletion
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
System Network Configuration Discovery: Internet Connection Discovery
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 09:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 09:42
Reported
2024-10-17 09:45
Platform
win7-20240903-en
Max time kernel
1s
Max time network
3s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DivX_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ylawu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mfirutrf.dll\",Startup" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\physicaldrive0 | C:\Users\Admin\AppData\Roaming\DivX_Installer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DivX_Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DivX_Installer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\DivX_Installer.exe
"C:\Users\Admin\AppData\Roaming\DivX_Installer.exe"
C:\Users\Admin\AppData\Local\Temp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a1.7z" -aoa -oC:\Users\Admin\AppData\Local\Temp -p~@S23js@@vBz99432@t9 "" ""
C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe
"C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe"
C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe
"C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe"
C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\mfirutrf.dll",Startup
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b.vbs"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 416
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /C ping -n 1 localhost
C:\Windows\SysWOW64\PING.EXE
ping -n 1 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | accrowd.com | udp |
Files
\Users\Admin\AppData\Roaming\DivX_Installer.exe
| MD5 | c5fac72a6adb2183930a3e4ae9918a5f |
| SHA1 | a3a60097d6312bed4fcda4fa6c4ecd86c140da19 |
| SHA256 | c27fd98bcf7260783b3b08776a3bbf93576c2e57bf386fa33e02220463496eaf |
| SHA512 | 70eb0795169781d0e38d023c46e03c9bf2b121c489720a818a0a49a24582310c799b129bcfe412f6c57dac41f0ba43a3feca51cf81f731651cefa0c6391fa47a |
\Users\Admin\AppData\Local\Temp\nsd75DD.tmp\ExecDos.dll
| MD5 | a7cd6206240484c8436c66afb12bdfbf |
| SHA1 | 0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919 |
| SHA256 | 69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926 |
| SHA512 | b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904 |
\Users\Admin\AppData\Local\Temp\7za.exe
| MD5 | e92604e043f51c604b6d1ac3bcd3a202 |
| SHA1 | 4154dda4a1e2a5ed14303dc3d36f448953ff6d33 |
| SHA256 | fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3 |
| SHA512 | ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43 |
memory/2800-25-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1.7z
| MD5 | 0efc8c3587e3a4c9e5296628942445e4 |
| SHA1 | 07f84a00303ca1c0611146c979489056159db29a |
| SHA256 | 94edff236294e85cba575e3983b9be804d52265ba895b6b785f151c123749572 |
| SHA512 | 04a19f9d3dd0b33050dcf984c776ab490001686f094277c7c15834e0ecf0af3073bca4e8f626d8a39292631970013f818ce38c5880dfad287cbdd0d2ba165f9b |
C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe
| MD5 | b65d387db7875a1f5ac8aa5932b8af08 |
| SHA1 | b60a08b5e573fc8fa211379471b01883e9b5fffa |
| SHA256 | 640eceb1326fcf1f955436a99721893cda6fbc50ae782fa02727ad48c28c60ee |
| SHA512 | c5b9ae09c5a0684dbe9bf863a6eda7d08e27890c1d61e97cf82a4ee431dff111a58499ca9d899adb49e79697273a3fecd3c81a4c229ea9c435593c711b0a014e |
C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe
| MD5 | 7b6bd526430c3987be1f44245aa3ec38 |
| SHA1 | e271078a59640b765fba87227f7b4401e5d6b35f |
| SHA256 | 7128ddfa3e765a80f592205bf300d7a3168e22acf64d4efbe7c694aca3a5e95a |
| SHA512 | afd50c61bf32bd6a09c9aefdbb5e16d6a5a11c541c9b013691cc97605f3072ad1ab101754cab3f8694d143db86b428a96048f5d21c707f9ae4783c218c87d9fc |
\Users\Admin\AppData\Local\Temp\DivX_Setup.exe
| MD5 | 94fb3b4a47c149ef0ae646c379697c63 |
| SHA1 | 115e466d3066b1f223acd9ec3abba24f9b40db64 |
| SHA256 | 212dde65e0b60c4518e0aa90dd3c2a7267e75b3227f550b3d56233fe500c3832 |
| SHA512 | 8f7df0814f6e8280efd34516171c1c293cfff6adf6f581ea0061645e8ef28cdd645c6452274d5902140ef06763bdadd0a1a2139fbc91f82f041e54a6baa6ac78 |
memory/2764-40-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2644-43-0x0000000010000000-0x0000000010017000-memory.dmp
memory/2592-50-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2592-55-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2764-54-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2096-51-0x0000000002550000-0x0000000002588000-memory.dmp
C:\Users\Admin\AppData\Local\mfirutrf.dll
| MD5 | 969e89dc4a97415805530b6717bc8f51 |
| SHA1 | d46cedb74ecfc6eab0b089d0639263f97eeef618 |
| SHA256 | b96665f4e65f014fbe43d2496273f6addf9a5ae799508ee2214ed5ba30180291 |
| SHA512 | 7fda06061c302a17c1129f08bd6a4d02e9217e18c67fa70b72a4d07fa5aa5505ef7cb29138d2f8630ae9d1ff43e36cf2698a0b1fcbc8d7af5c49f4b7640b5054 |
memory/2540-67-0x0000000010000000-0x0000000010017000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b.vbs
| MD5 | 1a575dbe09ffd4493104d127c80a0db7 |
| SHA1 | 004f702b4e4aea196a94ce50d440e4a9f3055b76 |
| SHA256 | aac4342578fb155c7531e981e33a1e423b8ed7e2abb979a0b8a0711e5413648c |
| SHA512 | 16d47279e9544b51242b548018495c33792a0f902b15131f95e024c24b41b38f02705a80e6a94f0916064bf3020234bb07b7bb8a74f700763febe6f54b964b97 |
C:\Users\Admin\AppData\Local\Temp\d.bat
| MD5 | e8d125eecfd718eb049687bc0bfe2252 |
| SHA1 | 7be3dbb4578a9dfb836d8b420be7f54dfda0e332 |
| SHA256 | ff389a2d72dad44c1173e0846a45f203a36702b2425ab879d26f002a4e786cac |
| SHA512 | bcfbd08de6075f57e18fb7048c23e770c6b86e00ee1f723d2e5f0fd248fe884c30e2e29208cc5229e4873245cec5a8bfad03dd9d4cc1a5e980f0b1029f7a624d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 09:42
Reported
2024-10-17 09:45
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
105s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DivX_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uzadelubemojokes = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mfcoms.dll\",Startup" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\DivX_Installer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DivX_Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5197601d3263fce60649415662ad878e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\DivX_Installer.exe
"C:\Users\Admin\AppData\Roaming\DivX_Installer.exe"
C:\Users\Admin\AppData\Local\Temp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a1.7z" -aoa -oC:\Users\Admin\AppData\Local\Temp -p~@S23js@@vBz99432@t9 "" ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 868 -ip 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 492
C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe
"C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe"
C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe
"C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe"
C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\mfcoms.dll",Startup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5116 -ip 5116
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b.vbs"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 468
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /C ping -n 1 localhost
C:\Windows\SysWOW64\PING.EXE
ping -n 1 localhost
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DIVX_C~1.EXE > nul
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\mfcoms.dll",iep
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accrowd.com | udp |
| US | 8.8.8.8:53 | bccorps.com | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 091707e8102b.weirden.com | udp |
| US | 8.8.8.8:53 | 091707e8102b.weirden.com | udp |
| US | 8.8.8.8:53 | 091707e8102b.weirden.com | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 091707e8102b.weirden.com | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 091707e8102b.weirden.com | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\DivX_Installer.exe
| MD5 | c5fac72a6adb2183930a3e4ae9918a5f |
| SHA1 | a3a60097d6312bed4fcda4fa6c4ecd86c140da19 |
| SHA256 | c27fd98bcf7260783b3b08776a3bbf93576c2e57bf386fa33e02220463496eaf |
| SHA512 | 70eb0795169781d0e38d023c46e03c9bf2b121c489720a818a0a49a24582310c799b129bcfe412f6c57dac41f0ba43a3feca51cf81f731651cefa0c6391fa47a |
C:\Users\Admin\AppData\Local\Temp\nsb7D21.tmp\ExecDos.dll
| MD5 | a7cd6206240484c8436c66afb12bdfbf |
| SHA1 | 0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919 |
| SHA256 | 69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926 |
| SHA512 | b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904 |
C:\Users\Admin\AppData\Local\Temp\7za.exe
| MD5 | e92604e043f51c604b6d1ac3bcd3a202 |
| SHA1 | 4154dda4a1e2a5ed14303dc3d36f448953ff6d33 |
| SHA256 | fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3 |
| SHA512 | ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43 |
C:\Users\Admin\AppData\Local\Temp\a1.7z
| MD5 | 0efc8c3587e3a4c9e5296628942445e4 |
| SHA1 | 07f84a00303ca1c0611146c979489056159db29a |
| SHA256 | 94edff236294e85cba575e3983b9be804d52265ba895b6b785f151c123749572 |
| SHA512 | 04a19f9d3dd0b33050dcf984c776ab490001686f094277c7c15834e0ecf0af3073bca4e8f626d8a39292631970013f818ce38c5880dfad287cbdd0d2ba165f9b |
C:\Users\Admin\AppData\Local\Temp\DivX_Codec.exe
| MD5 | b65d387db7875a1f5ac8aa5932b8af08 |
| SHA1 | b60a08b5e573fc8fa211379471b01883e9b5fffa |
| SHA256 | 640eceb1326fcf1f955436a99721893cda6fbc50ae782fa02727ad48c28c60ee |
| SHA512 | c5b9ae09c5a0684dbe9bf863a6eda7d08e27890c1d61e97cf82a4ee431dff111a58499ca9d899adb49e79697273a3fecd3c81a4c229ea9c435593c711b0a014e |
C:\Users\Admin\AppData\Local\Temp\DivX_Player.exe
| MD5 | 7b6bd526430c3987be1f44245aa3ec38 |
| SHA1 | e271078a59640b765fba87227f7b4401e5d6b35f |
| SHA256 | 7128ddfa3e765a80f592205bf300d7a3168e22acf64d4efbe7c694aca3a5e95a |
| SHA512 | afd50c61bf32bd6a09c9aefdbb5e16d6a5a11c541c9b013691cc97605f3072ad1ab101754cab3f8694d143db86b428a96048f5d21c707f9ae4783c218c87d9fc |
C:\Users\Admin\AppData\Local\Temp\DivX_Setup.exe
| MD5 | 94fb3b4a47c149ef0ae646c379697c63 |
| SHA1 | 115e466d3066b1f223acd9ec3abba24f9b40db64 |
| SHA256 | 212dde65e0b60c4518e0aa90dd3c2a7267e75b3227f550b3d56233fe500c3832 |
| SHA512 | 8f7df0814f6e8280efd34516171c1c293cfff6adf6f581ea0061645e8ef28cdd645c6452274d5902140ef06763bdadd0a1a2139fbc91f82f041e54a6baa6ac78 |
memory/3588-33-0x0000000010000000-0x0000000010017000-memory.dmp
memory/1624-42-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5116-41-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3588-36-0x0000000002020000-0x0000000002030000-memory.dmp
memory/1624-38-0x0000000000580000-0x0000000000585000-memory.dmp
memory/3588-37-0x0000000002020000-0x0000000002030000-memory.dmp
C:\Users\Admin\AppData\Local\mfcoms.dll
| MD5 | 969e89dc4a97415805530b6717bc8f51 |
| SHA1 | d46cedb74ecfc6eab0b089d0639263f97eeef618 |
| SHA256 | b96665f4e65f014fbe43d2496273f6addf9a5ae799508ee2214ed5ba30180291 |
| SHA512 | 7fda06061c302a17c1129f08bd6a4d02e9217e18c67fa70b72a4d07fa5aa5505ef7cb29138d2f8630ae9d1ff43e36cf2698a0b1fcbc8d7af5c49f4b7640b5054 |
memory/3188-51-0x0000000010000000-0x0000000010017000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b.vbs
| MD5 | 1a575dbe09ffd4493104d127c80a0db7 |
| SHA1 | 004f702b4e4aea196a94ce50d440e4a9f3055b76 |
| SHA256 | aac4342578fb155c7531e981e33a1e423b8ed7e2abb979a0b8a0711e5413648c |
| SHA512 | 16d47279e9544b51242b548018495c33792a0f902b15131f95e024c24b41b38f02705a80e6a94f0916064bf3020234bb07b7bb8a74f700763febe6f54b964b97 |
C:\Users\Admin\AppData\Local\Temp\d.bat
| MD5 | e8d125eecfd718eb049687bc0bfe2252 |
| SHA1 | 7be3dbb4578a9dfb836d8b420be7f54dfda0e332 |
| SHA256 | ff389a2d72dad44c1173e0846a45f203a36702b2425ab879d26f002a4e786cac |
| SHA512 | bcfbd08de6075f57e18fb7048c23e770c6b86e00ee1f723d2e5f0fd248fe884c30e2e29208cc5229e4873245cec5a8bfad03dd9d4cc1a5e980f0b1029f7a624d |
memory/1624-58-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3588-59-0x0000000002020000-0x0000000002030000-memory.dmp
memory/3588-60-0x0000000002020000-0x0000000002030000-memory.dmp
memory/3588-61-0x0000000010000000-0x0000000010017000-memory.dmp
memory/3188-62-0x0000000010000000-0x0000000010017000-memory.dmp
memory/3188-68-0x0000000010000000-0x0000000010017000-memory.dmp
memory/3188-69-0x0000000010000000-0x0000000010017000-memory.dmp
memory/3056-70-0x0000000010000000-0x0000000010017000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-17 09:42
Reported
2024-10-17 09:45
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 224
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-17 09:42
Reported
2024-10-17 09:45
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\7za.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\7za.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\7za.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-17 09:42
Reported
2024-10-17 09:45
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\7za.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\7za.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\7za.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-17 09:42
Reported
2024-10-17 09:45
Platform
win7-20240729-en
Max time kernel
0s
Max time network
1s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\physicaldrive0 | C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe"
Network
Files
memory/2488-0-0x0000000000400000-0x0000000000423000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-17 09:42
Reported
2024-10-17 09:45
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\$APPDATA\DivX_Installer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4428 -ip 4428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 492
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-17 09:42
Reported
2024-10-17 09:45
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3960 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3960 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3960 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4836 -ip 4836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |