Malware Analysis Report

2025-01-22 08:54

Sample ID 241027-p6zmdavqep
Target 30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN
SHA256 30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2f
Tags
discovery execution persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral11, behavioral24, behavioral2, behavioral3, behavioral4, behavioral5, behavioral18, behavioral27, behavioral29, behavioral32, behavioral15, behavioral19, behavioral26, behavioral6, behavioral8, behavioral9, behavioral10, behavioral17, behavioral22, behavioral30, behavioral23, behavioral25, behavioral31, behavioral13, behavioral14, behavioral16, behavioral21, behavioral28, behavioral1, behavioral7, behavioral12, behavioral20 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2f

Threat Level: Likely malicious

The file 30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN was found to be: Likely malicious.

Reading the detonations together: the sample is an NSIS-built installer (the $PLUGINSDIR and nst7512.tmp plugin directory hold System.dll, nsExec.dll, nsDialogs.dll and the nsJSON, nsZip, nsUtils and nsCRandom plugins) that writes a Conduit toolbar component, TBVerifier.dll, under C:\Program Files (x86)\Conduit\CT2504091\plugins, drops a CT2504091.crx browser extension package, and persists the DLL through an HKCU Run value that loads it with rundll32.exe. Setup traffic goes to four conduit-services.com hosts over plain HTTP on port 80, with the default User-Agent of the WinHTTP COM client (WinHttp.WinHttpRequest.5). Of the detonations shown, only behavioral2 ran the installer itself; the others are the sandbox re-running each dropped DLL or .js file on its own. The NSIS plugin DLLs crash under rundll32.exe because their export #1 expects the NSIS engine's parameter block rather than rundll32's, so those "Program crash" hits say nothing about the sample's intent, and the WriteProcessMemory hits (64-bit C:\Windows\system32\rundll32.exe writing into the SysWOW64 copy it spawned with the same command line) are consistent with the 64-bit host handing a 32-bit DLL to the 32-bit rundll32. The spyware/stealer tag rests on a single "Reads user/profile data of web browsers" signature with no recorded indicator; a toolbar installer touches browser profiles to install its extension, so treat that tag as a heuristic rather than evidence of credential theft.

Malicious Activity Summary

discovery execution persistence spyware stealer

Blocklisted process makes network request

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Command and Scripting Interpreter: JavaScript

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 12:57

Signatures

Unsigned PE

Description Indicator Process Target
9 hits; no description, indicator, process or target recorded (all fields N/A)

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

15s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 224

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

112s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerFront.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerFront.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
14 loads; no description or indicator recorded. Process: C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe (13), C:\Windows\SysWOW64\rundll32.exe (1). Target: N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ConduitFloatingPlugin_ojpijjmpahflnipadmlpgbjmagmjchkk = "\"C:\\Windows\\SysWOW64\\Rundll32.exe\" \"C:\\Program Files (x86)\\Conduit\\CT2504091\\plugins\\TBVerifier.dll\",RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk" C:\Windows\SysWOW64\rundll32.exe N/A
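The Run value above is the persistence shape worth hunting for on other hosts: a rundll32.exe autorun whose DLL lives outside the Windows directory. The Python below is an added example, not part of the sandbox report and not Conduit's code; it parses Run values offline and flags that shape. The values other than the one recorded above (OneDrive, Updater) are constructed for contrast, and the list of user-writable directories is an assumption about a typical Windows layout.

```python
"""Triage Run-key values that launch a DLL through rundll32.exe."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed inputs: the Run value recorded in this report, plus two made-up
# values (OneDrive, Updater) for contrast. None were read from a live host.
SAMPLE_RUN_VALUES = {
    "ConduitFloatingPlugin_ojpijjmpahflnipadmlpgbjmagmjchkk":
        r'"C:\Windows\SysWOW64\Rundll32.exe" "C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll",RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk',
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\upd.dll,#1',
}

# Assumption: typical Windows layout. A DLL autorun from a directory a standard
# user can write to is the highest-risk shape of this persistence.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace while honouring double-quoted spans (enough for
    Run values; it does not model every CommandLineToArgvW escape rule)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


@dataclass
class RunEntry:
    name: str
    host: str
    dll: str | None = None
    export: str | None = None
    args: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def triage_run_value(name: str, cmdline: str) -> RunEntry:
    """Parse one Run value; findings are only raised for rundll32 hosts."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens:
        return RunEntry(name=name, host="", findings=["empty value"])
    entry = RunEntry(name=name, host=tokens[0])
    if entry.host.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
        return entry  # not a rundll32 autorun; out of scope for this check
    if len(tokens) < 2:
        entry.findings.append("rundll32 with no DLL argument")
        return entry
    # rundll32 syntax is <dll>,<export> [args]; the comma can follow the
    # closing quote of the path, so split after the quotes are removed.
    dll, _, export = tokens[1].partition(",")
    entry.dll, entry.export, entry.args = dll, export or None, tokens[2:]
    low = dll.lower()
    if not low.startswith("c:\\windows\\"):
        entry.findings.append("DLL outside the Windows directory")
    if any(marker in low for marker in USER_WRITABLE):
        entry.findings.append("DLL in a user-writable location")
    if entry.export is None or entry.export.startswith("#"):
        entry.findings.append("export missing or referenced by ordinal")
    return entry


def triage_all(values: dict[str, str]) -> dict[str, RunEntry]:
    return {name: triage_run_value(name, cmd) for name, cmd in values.items()}


if __name__ == "__main__":
    for entry in triage_all(SAMPLE_RUN_VALUES).values():
        print(entry.name, entry.dll, entry.export, entry.findings)
```

On a live host the same function can be fed by enumerating HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM and Wow6432Node equivalents) with the winreg module. The check keys on the location and export of the DLL, not on the host binary: rundll32.exe is a signed Windows executable and looks clean on its own, which is exactly why it is used.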

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
File opened for modification C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
28 hits; no description or indicator recorded. Process: C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe (8), C:\Windows\SysWOW64\rundll32.exe (20). Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe

"C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll" RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk,632

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 setupapi.toolbar.conduit-services.com udp
NL 195.78.120.169:80 setupapi.toolbar.conduit-services.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
NL 195.78.120.169:80 setupapi.toolbar.conduit-services.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 195.78.120.169:80 setupapi.toolbar.conduit-services.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 downloads.conduit-services.com udp
US 50.16.131.148:80 downloads.conduit-services.com tcp
US 8.8.8.8:53 148.131.16.50.in-addr.arpa udp
US 8.8.8.8:53 usage.toolbar.conduit-services.com udp
NL 195.78.120.83:80 usage.toolbar.conduit-services.com tcp
NL 195.78.120.83:80 usage.toolbar.conduit-services.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 storage.webapp.conduit-services.com udp
GB 172.217.16.238:80 storage.webapp.conduit-services.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
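Most rows in this table are noise: PTR lookups of the resolver traffic and Bing connections that also appear in the detonations that only launched wscript.exe or a crashing rundll32.exe (behavioral24, behavioral4, behavioral18). The Python below is an added example, not the sandbox's own tooling; it re-parses a subset of the rows above and keeps only the destinations attributable to the sample. Treating bing.com and bing.net as image background is an assumption grounded in this report's other detonations, not a general allowlist, and the registrable-domain grouping is a two-label approximation of eTLD+1.

```python
"""Keep only the sample-attributable destinations from a detonation's
Network table, dropping resolver and sandbox-image background traffic."""
from collections import defaultdict

# Constructed input: a subset of this detonation's Network table rows, in the
# sandbox's own "Country Destination Domain Proto" layout.
NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 setupapi.toolbar.conduit-services.com udp
NL 195.78.120.169:80 setupapi.toolbar.conduit-services.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
NL 195.78.120.169:80 setupapi.toolbar.conduit-services.com tcp
US 8.8.8.8:53 downloads.conduit-services.com udp
US 50.16.131.148:80 downloads.conduit-services.com tcp
US 8.8.8.8:53 usage.toolbar.conduit-services.com udp
NL 195.78.120.83:80 usage.toolbar.conduit-services.com tcp
NL 195.78.120.83:80 usage.toolbar.conduit-services.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 storage.webapp.conduit-services.com udp
GB 172.217.16.238:80 storage.webapp.conduit-services.com tcp
"""

# Assumption: these domains are Windows 10 image background traffic, because
# they also appear in this report's wscript-only and crashed-rundll32
# detonations. Tune per sandbox image; this is not a general allowlist.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def parse_rows(table):
    """Turn the four-column text table into dicts; skip malformed lines."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def is_background(row):
    """PTR lookups and image-baseline domains are not the sample's doing.
    Suffix matching is anchored on a label boundary so evil.bing.com.example
    does not slip through."""
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return True
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def registrable(domain):
    """Two-label approximation of eTLD+1 (assumption: no public suffixes
    such as co.uk in this table)."""
    return ".".join(domain.split(".")[-2:])


def triage(table):
    """Group surviving endpoints by registrable domain; list plain-HTTP hosts."""
    rows = [r for r in parse_rows(table) if not is_background(r)]
    contacts = defaultdict(set)
    cleartext = set()
    for r in rows:
        if r["port"] == 53:
            continue  # the resolution step; the TCP row carries the endpoint
        contacts[registrable(r["domain"])].add(
            (r["domain"], r["ip"], r["port"], r["proto"]))
        if r["port"] == 80:
            cleartext.add(r["domain"])
    return {
        "rows_after_filter": len(rows),
        "contacts": {k: sorted(v) for k, v in contacts.items()},
        "cleartext_http_hosts": sorted(cleartext),
    }


if __name__ == "__main__":
    for domain, endpoints in triage(NETWORK_TABLE)["contacts"].items():
        print(domain)
        for host, ip, port, proto in endpoints:
            print(f"  {host} -> {ip}:{port}/{proto}")
```

Run against the subset, the filter reduces sixteen rows to four HTTP endpoints on one registrable domain, which is the set to pivot on in proxy and DNS logs. The plain-HTTP list is the part to keep separate: everything the installer fetched from downloads.conduit-services.com travelled without TLS, so nothing in transit protected those downloads from modification.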

Files

C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\System.dll

MD5 959ea64598b9a3e494c00e8fa793be7e
SHA1 40f284a3b92c2f04b1038def79579d4b3d066ee0
SHA256 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA512 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsUtils_2_1_1_0.dll

MD5 08f7510b9718fd68f95f04f334d5027d
SHA1 0251a69a7c456e4a524e4aca4d21c001ab3b0b88
SHA256 f168f9d34ebbdb2060221e5140d6fd9861c76ee28e781bc01ad58d71b91ed23d
SHA512 336e9eab198d6421eae72ec8b2761bea386d7616447701cede3a82c43e2ce9c2039a5a39d6026aa35ecb78ba77b5850294a49996f760c94f8a05692e8e03363b

C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsJSON_2_0_1_0.dll

MD5 51eff3c4a3bd1c2a5726c81d5d02c695
SHA1 4ea472a3b3ffd2bd5288ac43747d0ffd6b6e5f68
SHA256 83c44cfcc5c0fe4987453e6306c55e2f2e62bb2be2297acae92f047ab8ad9e47
SHA512 83b929607d9aa70a5a52976ed961cc047f09505f733a50ebc04fe925911dc0495c0f4b89a6a1bdc01e274d45a444ea7413db57305a653cefeb0ce21712f00ba2

C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsDialogs.dll

MD5 f7b92b78f1a00a872c8a38f40afa7d65
SHA1 872522498f69ad49270190c74cf3af28862057f2
SHA256 2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e
SHA512 3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsZip_1_0_2_0.dll

MD5 830121b8ef1771452e856c9e12c2c7bf
SHA1 19f0ee257d2c86ae18d6f064c0e8bc235b3532b9
SHA256 96b669fba768b7df76a7ff70b3c587e93fb3a8efbd67cca0e90c3ee6b56158b0
SHA512 192690e515b8d771d62db491ce4a1706d3639cd364a57a8c5db1fc39f8561468d397d7744574bb3deacd16095dc0d29bfa1f7c46a341d987243bba85b7e3b68b

C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsZip_1_0_1_0.dll

MD5 e50d4a26d1754e3ecefc9a494cd8de4e
SHA1 45f61393259d1f982ce092a85b1031de4537a496
SHA256 bfaa50c23bba0e47893b0ace5dc937287d92519180cdc1435ffa8f67746cea32
SHA512 febd86cca9c872bfbc89ae6f62a107731c1fbe1060ef2e4c048f648b89ab872b87b15521b9e044bddcf86c704e21467511321a3fa72363ff20d013f26d76629f

C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll

MD5 fac18a5173ac0c425348086f307c8fec
SHA1 322d36a63709838e21905b9e1e5bcb9c7fad3a1d
SHA256 b6dc15bb1686c13b1397b36ce2ba8c33155b139a7b464f0a9650c8c1aa3485a0
SHA512 f5cc2f6ec62d1a1deef56df2f2ce400ad741ce8474ac40ab275a712cdc658300ca366b63b962173aba98de58522efa97dd6ac50cb702f21a56530a83b7707353

C:\Users\Admin\AppData\Local\Temp\CT2504091.crx

MD5 be8e96e2f3717f17614745e0784a02cc
SHA1 8299fdb858020dbac9bb12bab7e04ac71b91b634
SHA256 27ff2ebc4c88552d4ea9c44adb079815405b02c6c0cedb81ec444ec9d155883a
SHA512 cddac5799c874338736b2ec94b100d215e30ea4499c582ca958d6ec0b7f6bd37533b521106bf11ac3add8a9199435f618fe92ceab4bf88b793325694df4c5a3a

C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsCRandom_1_0_1_1.dll

MD5 077a42a89875b2271731ce9afcfec5cd
SHA1 65c034b85516a5e7d55a94ce283851aee1fc37fe
SHA256 5efd476cb861695bfbd04ccdbb952655d40a393a30d8490e474a48c3937c62f4
SHA512 18849c08991376658ce0206bc33baf7fb9eb8cd4c37e3c0da96cf64c7352896f0796fab5bc9ca92aaa1c5e383b5e19f3518a644ad42e2304a8ea6b5758edbf18

C:\Users\Admin\AppData\Local\Temp\nsp84BE.tmp

MD5 4a55556bb333f20a28eb7d183a8e283f
SHA1 ca7dfbf7a1e052ef7f84a43f1ad81d4e30df9147
SHA256 3258c5c9c9131f528f051232769a07ab49caac5d3d54a10ddfb318879e3b44e2
SHA512 640e34e189d54c34750b29f1d8c61754986c7ed1d33ea336be18f6d73311fcc7900107d5899b94ad7f1b50c5b1a603f963f163be7cf3f305178ccede8ebd7c00

C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\Omnibox_2_0_1_1.dll

MD5 6b75c874dc2d6408b4d0ba0aa5c1b11f
SHA1 a0dabf72db0cda023756b196da489cbbc49a7a9b
SHA256 d3d474a2c4982b55028f8d24395a8a463b95cb29777d34c3dca660b2441d1cd4
SHA512 d24e32ee0f25d033b691971c7c9553ae5e8b694d01bebeb7cf153d4e6f9f90e4c48fe9b69c5c93120ec716835960978c343f789e72e327b1ba671edfe6ea400c

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

108s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1936 wrote to memory of 2432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2432 -ip 2432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

14s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 224

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

98s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 4784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 4784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4996 wrote to memory of 4784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20241023-en

Max time kernel

15s

Max time network

16s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Bookmarks.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Bookmarks.js

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

75s

Max time network

18s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\DeveloperMode.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\DeveloperMode.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

113s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\EmbeddedConfig.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\EmbeddedConfig.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

21s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 220

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20241010-en

Max time kernel

73s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

108s

Max time network

111s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Applications.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Applications.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

109s

Max time network

111s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 1080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1080 -ip 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 612

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

103s

Max time network

111s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 2480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3480 wrote to memory of 2480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3480 wrote to memory of 2480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 612

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20241010-en

Max time kernel

14s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 248

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

101s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3460 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3460 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3460 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3320 -ip 3320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 636

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

75s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 220

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

100s

Max time network

101s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerBack.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerBack.js

Network

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

104s

Max time network

106s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\DeveloperMode.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\DeveloperMode.js

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerFront.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerFront.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Applications.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Applications.js

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20241010-en

Max time kernel

13s

Max time network

20s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\EmbeddedConfig.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\EmbeddedConfig.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

107s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4808 wrote to memory of 804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4808 wrote to memory of 804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 804 -ip 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 600

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

107s

Max time network

111s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 4136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 4136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 4136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4136 -ip 4136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 624

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerBack.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerBack.js

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

109s

Max time network

113s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Bookmarks.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Bookmarks.js

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20241010-en

Max time kernel

119s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ConduitFloatingPlugin_ojpijjmpahflnipadmlpgbjmagmjchkk = "\"C:\\Windows\\SysWOW64\\Rundll32.exe\" \"C:\\Program Files (x86)\\Conduit\\CT2504091\\plugins\\TBVerifier.dll\",RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk" C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
File opened for modification C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe

"C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll" RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk,2360

Network

Country Destination Domain Proto
US 8.8.8.8:53 setupapi.toolbar.conduit-services.com udp
NL 195.78.120.169:80 setupapi.toolbar.conduit-services.com tcp
NL 195.78.120.169:80 setupapi.toolbar.conduit-services.com tcp
NL 195.78.120.169:80 setupapi.toolbar.conduit-services.com tcp
US 8.8.8.8:53 downloads.conduit-services.com udp
US 34.226.241.138:80 downloads.conduit-services.com tcp
US 8.8.8.8:53 usage.toolbar.conduit-services.com udp
NL 195.78.120.83:80 usage.toolbar.conduit-services.com tcp
NL 195.78.120.83:80 usage.toolbar.conduit-services.com tcp
US 8.8.8.8:53 storage.webapp.conduit-services.com udp
GB 172.217.16.238:80 storage.webapp.conduit-services.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsjD422.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsUtils_2_1_1_0.dll

\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsJSON_2_0_1_0.dll

\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsDialogs.dll

\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsZip_1_0_2_0.dll

\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsZip_1_0_1_0.dll

C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll

C:\Users\Admin\AppData\Local\Temp\CT2504091.crx

\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsCRandom_1_0_1_1.dll

C:\Users\Admin\AppData\Local\Temp\nsoE5DF.tmp

\Users\Admin\AppData\Local\Temp\nsjD422.tmp\Omnibox_2_0_1_1.dll

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win7-20240903-en

Max time kernel

14s

Max time network

18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 220

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

108s

Max time network

109s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 736 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 736 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 736 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3648 -ip 3648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 612

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-27 12:57

Reported

2024-10-27 12:59

Platform

win10v2004-20241007-en

Max time kernel

102s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2300 -ip 2300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 600

Network

Files

N/A