Malware Analysis Report

2024-12-06 03:23

Sample ID 241024-bqfmnsxgmd
Target 5c64ce5f7c6b88767f77b788a4fb5b19.bin
SHA256 e2263400ad0b27acf1e9b89895de5364c997bb2f2aa338ab37f81e37ee71da8a
Tags
discovery guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2263400ad0b27acf1e9b89895de5364c997bb2f2aa338ab37f81e37ee71da8a

Threat Level: Known bad

The file 5c64ce5f7c6b88767f77b788a4fb5b19.bin was found to be: Known bad.

Malicious Activity Summary

discovery guloader downloader

Guloader,Cloudeye

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-24 01:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-24 01:20

Reported

2024-10-24 01:23

Platform

win7-20240903-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\synderegistres.lnk C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A
File opened for modification C:\Windows\negotiate\Anstdeligheden.ini C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A
File created C:\Windows\resources\synderegistres.lnk C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
PID 2528 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
PID 2528 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
PID 2528 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
PID 2528 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
PID 2528 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe

"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"

C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe

"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 comercializadoradeinsumos.cl udp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp

Files

C:\Windows\Resources\synderegistres.lnk

MD5 6edf2c7536a8a9bddec2566a79adfeda
SHA1 205604300b215a9ea9c5864cac2f275dbcc29b3f
SHA256 13e90ad02116f9d001d8a3adaec56b56fbcace5ef65786dcddad96030a5bf61c
SHA512 18857fd2d88e8eb77b17de71a6dee860fabc3d0a5206abcb64fcf115634eae8a84b02f854f1471acdd372a44f1d9c4c3aa100605c3b40bfcb6f9e68218f8d778

C:\ProgramData\Microsoft\Windows\Start Menu\eksportafgrde.ini

MD5 a0d91a2f9acb4dec3b5260aba27839c4
SHA1 8a9037c691a2bdeebcab8bf3d4c954e62aca9207
SHA256 773cd6fba7d53550b4c41aa889e330b744a7a579df2bb02212773b67e72f5844
SHA512 d3df7852aea197e901c787cd8d943faaa30ee9a6678c4853ed0bb494679897854e4e7556f420f1c176443a485cf1e02e0b4bff86f8da4017a053362b2c9a0608

\Users\Admin\AppData\Local\Temp\nsoAA36.tmp\System.dll

MD5 12b140583e3273ee1f65016becea58c4
SHA1 92df24d11797fefd2e1f8d29be9dfd67c56c1ada
SHA256 014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
SHA512 49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

memory/2924-828-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2924-829-0x0000000000400000-0x0000000001462000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-24 01:20

Reported

2024-10-24 19:30

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\resources\synderegistres.lnk C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A
File opened for modification C:\Windows\resources\synderegistres.lnk C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A
File opened for modification C:\Windows\negotiate\Anstdeligheden.ini C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe

"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"

C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe

"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1508

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 comercializadoradeinsumos.cl udp
US 162.240.106.189:443 comercializadoradeinsumos.cl tcp
US 8.8.8.8:53 189.106.240.162.in-addr.arpa udp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\Resources\synderegistres.lnk

MD5 709f6a46c1ffc6854dc571f7ff852930
SHA1 7ffaba1c971f93c06870d936e39c4d1f43d7b2b0
SHA256 5e934f3b0c68352e78a6820ed1c9529391d1155f244ed084f9d40a41b1bf75da
SHA512 cc2ecff8e9a134588be438463d1dec13bfaa714833bf13d11f3aac30f21e6f3b361eee10d98ab884fb46c70686978535c160eaa0220ef31b58b62e02e7bc1784

C:\ProgramData\Microsoft\Windows\Start Menu\eksportafgrde.ini

MD5 a0d91a2f9acb4dec3b5260aba27839c4
SHA1 8a9037c691a2bdeebcab8bf3d4c954e62aca9207
SHA256 773cd6fba7d53550b4c41aa889e330b744a7a579df2bb02212773b67e72f5844
SHA512 d3df7852aea197e901c787cd8d943faaa30ee9a6678c4853ed0bb494679897854e4e7556f420f1c176443a485cf1e02e0b4bff86f8da4017a053362b2c9a0608

C:\Users\Admin\AppData\Local\Temp\nsh97DD.tmp\System.dll

MD5 12b140583e3273ee1f65016becea58c4
SHA1 92df24d11797fefd2e1f8d29be9dfd67c56c1ada
SHA256 014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
SHA512 49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

memory/3172-826-0x00000000034C0000-0x0000000004989000-memory.dmp

memory/3172-827-0x0000000077131000-0x0000000077251000-memory.dmp

memory/3172-828-0x0000000073E25000-0x0000000073E26000-memory.dmp

memory/3172-829-0x00000000034C0000-0x0000000004989000-memory.dmp

memory/1916-830-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1916-831-0x0000000001660000-0x0000000002B29000-memory.dmp

memory/1916-832-0x00000000771B8000-0x00000000771B9000-memory.dmp

memory/1916-833-0x00000000771D5000-0x00000000771D6000-memory.dmp

memory/1916-834-0x0000000001660000-0x0000000002B29000-memory.dmp

memory/1916-836-0x0000000077131000-0x0000000077251000-memory.dmp

memory/1916-835-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1916-840-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1916-841-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1916-842-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1916-843-0x0000000001660000-0x0000000002B29000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-24 01:20

Reported

2024-10-24 01:23

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-24 01:20

Reported

2024-10-24 19:30

Platform

win10v2004-20241007-en

Max time kernel

124s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 3976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 3976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 3976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3976 -ip 3976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-24 01:20

Reported

2024-10-24 01:23

Platform

macos-20240711.1-en

Max time kernel

93s

Max time network

123s

Command Line

[sh -c sudo /bin/zsh -c "open /Users/run/frlighed.app"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Users/run/frlighed.app"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Users/run/frlighed.app"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Users/run/frlighed.app]

/bin/zsh

[/bin/zsh -c open /Users/run/frlighed.app]

/usr/bin/open

[open /Users/run/frlighed.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

Network

Country Destination Domain Proto
GB 184.85.51.234:443 tcp
US 8.8.8.8:53 40.courier-push-apple.com.akadns.net udp
GB 2.18.109.84:443 tcp
DE 17.253.15.204:80 valid.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

N/A