Analysis Overview
SHA256
0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075
Threat Level: Shows suspicious behavior
The file SecuriteInfo.com.FileRepMalware.6479.21607.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Deletes itself
Checks installed software on the system
Writes to the Master Boot Record (MBR)
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
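The summary above is a list of sandbox signature names. The Python below is an added example, not part of the sandbox report or its tooling: it turns four of those signatures into explicit checks run over constructed process, file-handle and token events modelled on the detonations that follow (the event field names and rule names are this example's own). Two caveats are encoded in the scoring. The "Writes to the Master Boot Record (MBR)" signature fires on a write-capable handle to \??\PhysicalDrive0, which is also what an installer opens to query disk geometry or serial numbers, so it is scored medium until a write to sector 0 is actually observed. The "Program crash" entries come from the sandbox invoking each dropped NSIS plugin DLL through rundll32.exe with export #1; an NSIS plugin expects the NSIS stack and variable block as arguments, not rundll32's (HWND, HINSTANCE, LPSTR, int), so that pattern is a sandbox artifact and is scored informational.

```python
"""Rule checks for the summarized behaviours, run over constructed events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str           # "process", "file" or "token" (field names are this example's own)
    image: str          # acting process image path
    parent: str = ""    # parent image (process events)
    cmdline: str = ""   # command line (process events)
    target: str = ""    # opened object (file events) or privilege name (token events)
    access: str = ""    # "read" or "write" (file events)


# EXE dropped under %AppData%\Roaming\<short random dir>\<name>.exe
DROPPED_EXE = re.compile(r"\\AppData\\Roaming\\[a-z0-9-]{4,12}\\[a-z0-9_-]+\.exe$", re.I)
AUTORUN_FLAGS = {"/autorun", "/setuprun"}
# \??\PhysicalDrive0 (NT form) or \\.\PhysicalDrive0 (Win32 form)
PHYSICAL_DRIVE = re.compile(r"^\\(?:\?\?|\\\.)\\PhysicalDrive\d+$", re.I)
# rundll32.exe <dir>\$PLUGINSDIR\<plugin>.dll,#1 : NSIS plugin invoked outside NSIS
NSIS_PLUGIN_VIA_RUNDLL32 = re.compile(r"\$PLUGINSDIR\\[^\\,]+\.dll,#?\d+", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def check_dropped_exe_autorun(e: Event):
    """Dropped EXE in a random Roaming directory re-launched with an autorun flag."""
    if e.kind == "process" and DROPPED_EXE.search(e.image):
        if AUTORUN_FLAGS & set(e.cmdline.lower().split()):
            return "high"
    return None


def check_physical_drive_write_handle(e: Event):
    # A write-capable handle to the raw disk is needed to rewrite the MBR, but an
    # installer also opens one to query disk geometry/serial: medium until a write
    # to sector 0 is actually observed.
    if e.kind == "file" and e.access == "write" and PHYSICAL_DRIVE.match(e.target):
        return "medium"
    return None


def check_rundll32_nsis_plugin(e: Event):
    # Sandbox artifact: each dropped plugin DLL is detonated through rundll32 with
    # export #1. NSIS plugins expect the NSIS stack/variables as arguments, not
    # rundll32's (HWND, HINSTANCE, LPSTR, int), hence the WerFault crashes.
    if e.kind == "process" and e.image.lower().endswith("rundll32.exe"):
        if NSIS_PLUGIN_VIA_RUNDLL32.search(e.cmdline):
            return "info"
    return None


def check_sedebug_from_temp(e: Event):
    """SeDebugPrivilege enabled by a binary running out of the user's Temp directory."""
    if e.kind == "token" and e.target == "SeDebugPrivilege" and TEMP_DIR.search(e.image):
        return "medium"
    return None


RULES = {
    "dropped_exe_autorun": check_dropped_exe_autorun,
    "physical_drive_write_handle": check_physical_drive_write_handle,
    "rundll32_nsis_plugin": check_rundll32_nsis_plugin,
    "sedebug_from_temp": check_sedebug_from_temp,
}


def triage(events):
    """Return one hit per (rule, event) that matched, with the rule's severity."""
    hits = []
    for e in events:
        for name, check in RULES.items():
            sev = check(e)
            if sev:
                hits.append({"rule": name, "severity": sev, "image": e.image, "cmdline": e.cmdline})
    return hits


# Constructed events modelled on the behavioral1 / behavioral13 / behavioral3 process trees.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\mk-jzcq\\dqwhj_errwd.exe"
SAMPLE_EVENTS = [
    Event("process", SAMPLE, parent="C:\\Windows\\Explorer.EXE", cmdline=f'"{SAMPLE}"'),
    Event("process", DROPPED, parent=SAMPLE, cmdline=f'"{DROPPED}" /setupsucc'),
    Event("process", DROPPED, parent=DROPPED, cmdline=f'"{DROPPED}" /autorun /setuprun'),
    Event("file", DROPPED, target="\\??\\PhysicalDrive0", access="write"),
    Event("process", "C:\\Windows\\SysWOW64\\rundll32.exe",
          parent="C:\\Windows\\system32\\rundll32.exe",
          cmdline="rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\FindProcDLL.dll,#1"),
    Event("token", "C:\\Users\\Admin\\AppData\\Local\\Temp\\iconAnimate.exe", target="SeDebugPrivilege"),
    # Negative control: a vendor installer under Program Files passing /autorun.
    Event("process", "C:\\Program Files\\Vendor\\setup.exe",
          cmdline='"C:\\Program Files\\Vendor\\setup.exe" /autorun'),
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f'{h["severity"]:6} {h["rule"]:28} {h["image"]}')
```

Run stand-alone, the script prints four hits: the /autorun /setuprun relaunch (high), the write handle to PhysicalDrive0 (medium), the SeDebugPrivilege adjustment from Temp (medium) and the rundll32-hosted plugin (info); the /setupsucc launch and the Program Files installer produce nothing.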
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 16:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224
Network
Files
memory/2324-2-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2324-1-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2324-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2324-4-0x0000000010001000-0x0000000010002000-memory.dmp
memory/2324-3-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2324-5-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe
"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"
Network
Files
memory/1208-19-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-24-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-23-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-22-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-21-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-20-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-18-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-17-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-16-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-15-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-14-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-13-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-12-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-11-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-10-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-9-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-8-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-7-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-6-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-5-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-4-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-3-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-2-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-1-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1208-0-0x0000000002D90000-0x0000000002D91000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1432 wrote to memory of 3228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1432 wrote to memory of 3228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1432 wrote to memory of 3228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3228 -ip 3228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20241010-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 228
Network
Files
memory/2456-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2456-1-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2456-2-0x0000000010001000-0x0000000010002000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2840 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2840 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2136 -ip 2136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2136-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2136-1-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
134s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe
"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20241010-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
"C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
"C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a.clickdata.37wan.com | udp |
| CN | 159.75.141.43:80 | a.clickdata.37wan.com | tcp |
| CN | 106.55.79.146:80 | a.clickdata.37wan.com | tcp |
| US | 8.8.8.8:53 | gameapp.37.com | udp |
| CN | 180.188.25.9:80 | gameapp.37.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nso64AE.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
memory/2880-13-0x0000000000341000-0x0000000000342000-memory.dmp
memory/2880-12-0x0000000000340000-0x0000000000343000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso64AE.tmp\FindProcDLL.dll
| MD5 | 8614c450637267afacad1645e23ba24a |
| SHA1 | e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2 |
| SHA256 | 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758 |
| SHA512 | af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b |
\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
| MD5 | 75a7cc387d1e24de8ba1275e81a840d1 |
| SHA1 | 8a21d186efb66be5db46925518e0b70861bf6dab |
| SHA256 | d5c4461055dfdd7d755400207bebacdfe0cc880f7b6c742409e07afd24515bfc |
| SHA512 | 550de9d37a27fa93d0869b1ff02a55bfbc49b20871b59b85513b03d4664a1c34350764aada6a23a13f56e7f6e4eb5a4dc6d06fde761713edd1c9cbbbcb5de158 |
C:\Users\Admin\AppData\Roaming\mk-jzcq\lander.ini
| MD5 | bd3d2a63852000b334df43694b413842 |
| SHA1 | c2352468953156292e7e1a3ec8f3fb007ca008b8 |
| SHA256 | 0e44d0f71caaada342fc0785f8cfc1adda2a7d7c939c7b62bc3c64bc56d06b19 |
| SHA512 | 463efc29f6f9cf87ae155e5b9c7b59130a153f6d0598d2a06fcbf51c4098743ae03de531cd53a54ccac9be0ae164a0537cff7e1377b62cbf60ec2a7c065bcb08 |
\Users\Admin\AppData\Roaming\mk-jzcq\uninst.exe
| MD5 | 80b05828a4c0d54e3a3ca2a4cd61492a |
| SHA1 | f27df18439239725862d94450d284a4e41e5384b |
| SHA256 | 9b381dcb55d28fcb668b6f9e4209a7b67c332c5179517fb6ba78fd3f701b8bdc |
| SHA512 | b64e6dce7732d57c62236412cc0f4d08bccaef472134a4b905a3cbbb0c0a7b8b49a58bc1660df1b329621b653c333003840e30293077002c48f931b0333542c3 |
memory/2880-41-0x0000000000341000-0x0000000000342000-memory.dmp
memory/2880-40-0x0000000000340000-0x0000000000343000-memory.dmp
C:\Users\Admin\AppData\Roaming\mk-jzcq\Lander.ini
| MD5 | 04b52176e0386a53a9fade075008b459 |
| SHA1 | c32a5b7983e25761dae4d88a509b0ddc2af36b37 |
| SHA256 | 8079245d7e2833d3ea60c7dfa378d16a1e69833f4cad1cca8837c5024889ea0d |
| SHA512 | 99165626e233ea2e76938631ecea4340d965f0b7e25af21b875ae014aed66c795170424db01769bb1d1db5a21f698fe24f7114af3ae912d3abb59b37b1b0038e |
memory/2880-58-0x0000000000340000-0x0000000000343000-memory.dmp
C:\Users\Admin\AppData\Roaming\mk-jzcq\lander.ini
| MD5 | f140e286c87269088054cd0b5eba4f6f |
| SHA1 | 4d13decb580cac945527e23e02c50ab52c9e8d40 |
| SHA256 | 592a3ba7bcc60ead84cb33157a9bf61762b7e9e605b5743d2c7440a0af1a9225 |
| SHA512 | 5884063c86895e47fbce961609ca8f2122255a86250098ea74e550eb2a7edfa50a340072ae1581d87b33966cded699613e246594098b05b6e7c209983a41b1ac |
memory/2996-69-0x0000000000B50000-0x0000000000B51000-memory.dmp
memory/2996-71-0x0000000000B50000-0x0000000000B51000-memory.dmp
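The network and file tables in this and the following detonations mix traffic attributable to the sample (a.clickdata.37wan.com, gameapp.37.com and, in behavioral17, d.wanyouxi7.com, all over plain HTTP) with sandbox background noise (reverse-DNS PTR lookups, Bing telemetry, and the 8.8.8.8 resolver itself). The Python below is an added example, not part of the report or its tooling: it parses rows in the table layout used on this page, drops the noise, tolerates a malformed row such as one missing its Domain column, and associates hash rows with the dropped-file path that precedes them. The sample input is a handful of rows copied from this report; the noise suffix list and resolver set are this example's own assumptions about what the sandbox generates.

```python
"""Pull network and file IOCs out of a text-rendered sandbox report."""
import json
import re
from collections import defaultdict

# Assumed sandbox background traffic: reverse-DNS PTR lookups, Bing/Windows
# telemetry, and the VM's DNS resolver. Extend per sandbox profile.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
RESOLVER_IPS = {"8.8.8.8"}

IP_PORT = r"\d{1,3}(?:\.\d{1,3}){3}:\d+"
# | Country | Destination | Domain | Proto |
NET_ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>[^|]+?)\s*\|\s*(?P<proto>tcp|udp)\s*\|$"
)
# | MD5 | <hex> |   (also SHA1 / SHA256 / SHA512)
HASH_ROW = re.compile(r"^\|\s*(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>[0-9a-fA-F]+)\s*\|$")
# A dropped-file path line: C:\Users\... or \Users\... (memory/ dump lines never match)
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def is_noise(domain: str) -> bool:
    return domain.lower().endswith(NOISE_SUFFIXES)


def extract_iocs(report: str) -> dict:
    """Return sample-attributable domains, peer endpoints and per-file hashes."""
    domains, endpoints = set(), set()
    hashes = defaultdict(dict)
    noise = unparsed = 0
    current_path = None
    for raw in report.splitlines():
        line = raw.strip()
        m = NET_ROW.match(line)
        if m:
            if is_noise(m["domain"]):
                noise += 1
                continue
            domains.add(m["domain"].lower())
            # The resolver is infrastructure; only non-resolver peers are C2/telemetry endpoints.
            if m["ip"] not in RESOLVER_IPS:
                endpoints.add(f'{m["ip"]}:{m["port"]}/{m["proto"]}')
            continue
        if line.startswith("|") and re.search(IP_PORT, line):
            unparsed += 1  # looks like a network row but has the wrong column count: do not guess
            continue
        m = HASH_ROW.match(line)
        if m:
            # Only accept a digest whose length matches its algorithm, and only under a known path.
            if current_path and len(m["hex"]) == HEX_LEN[m["algo"]]:
                hashes[current_path][m["algo"]] = m["hex"].lower()
            continue
        if PATH_LINE.match(line):
            current_path = line
    return {
        "domains": sorted(domains),
        "endpoints": sorted(endpoints),
        "hashes": dict(hashes),
        "noise_rows": noise,
        "unparsed_rows": unparsed,
    }


# Rows copied from this report (behavioral1, behavioral17, behavioral14), including
# the malformed three-column row that appears in behavioral14.
SAMPLE_REPORT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a.clickdata.37wan.com | udp |
| CN | 159.75.141.43:80 | a.clickdata.37wan.com | tcp |
| CN | 106.55.79.146:80 | a.clickdata.37wan.com | tcp |
| US | 8.8.8.8:53 | gameapp.37.com | udp |
| CN | 180.188.25.9:80 | gameapp.37.com | tcp |
| US | 8.8.8.8:53 | d.wanyouxi7.com | udp |
| GB | 138.113.101.14:80 | d.wanyouxi7.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
| MD5 | 75a7cc387d1e24de8ba1275e81a840d1 |
| SHA1 | 8a21d186efb66be5db46925518e0b70861bf6dab |
| SHA256 | d5c4461055dfdd7d755400207bebacdfe0cc880f7b6c742409e07afd24515bfc |
memory/2880-13-0x0000000000341000-0x0000000000342000-memory.dmp
"""

if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

The resolver is deliberately kept out of the endpoint list: 8.8.8.8:53 appears in every sandbox run and blocking it tells you nothing about this sample, whereas the three HTTP peers on port 80 and the three domains are what belong in a watchlist. The `unparsed_rows` counter surfaces rows the extractor refused to guess at, so a truncated table is visible rather than silently skipped.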
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
138s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
"C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
"C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a.clickdata.37wan.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| CN | 106.55.79.146:80 | a.clickdata.37wan.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| CN | 159.75.141.43:80 | a.clickdata.37wan.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gameapp.37.com | udp |
| CN | 180.188.25.9:80 | gameapp.37.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsbB085.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsbB085.tmp\FindProcDLL.dll
| MD5 | 8614c450637267afacad1645e23ba24a |
| SHA1 | e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2 |
| SHA256 | 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758 |
| SHA512 | af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b |
memory/408-15-0x0000000004811000-0x0000000004812000-memory.dmp
memory/408-14-0x0000000004810000-0x0000000004813000-memory.dmp
C:\Users\Admin\AppData\Roaming\mk-jzcq\lander.ini
| MD5 | bd3d2a63852000b334df43694b413842 |
| SHA1 | c2352468953156292e7e1a3ec8f3fb007ca008b8 |
| SHA256 | 0e44d0f71caaada342fc0785f8cfc1adda2a7d7c939c7b62bc3c64bc56d06b19 |
| SHA512 | 463efc29f6f9cf87ae155e5b9c7b59130a153f6d0598d2a06fcbf51c4098743ae03de531cd53a54ccac9be0ae164a0537cff7e1377b62cbf60ec2a7c065bcb08 |
C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
| MD5 | 75a7cc387d1e24de8ba1275e81a840d1 |
| SHA1 | 8a21d186efb66be5db46925518e0b70861bf6dab |
| SHA256 | d5c4461055dfdd7d755400207bebacdfe0cc880f7b6c742409e07afd24515bfc |
| SHA512 | 550de9d37a27fa93d0869b1ff02a55bfbc49b20871b59b85513b03d4664a1c34350764aada6a23a13f56e7f6e4eb5a4dc6d06fde761713edd1c9cbbbcb5de158 |
C:\Users\Admin\AppData\Roaming\mk-jzcq\Lander.ini
| MD5 | 2c50cf60647cb651d7828f8aa66c0b68 |
| SHA1 | aa3ba89fc7adc865a13169d6449443ee63dfd910 |
| SHA256 | 7549fdb2859a659368e06fe95abb06fdbc91ec3dafd6c062bff8b67317db6eb4 |
| SHA512 | 46e3256a785ff494b375062ebe4543fd9ded68b34928f71812b1742bb25f3a153335646e4bd547f19c128c48a1a98dda336e1e8c759140c708be8019a0168769 |
memory/408-55-0x0000000000480000-0x0000000000483000-memory.dmp
memory/408-61-0x0000000000481000-0x0000000000482000-memory.dmp
memory/408-60-0x0000000000480000-0x0000000000483000-memory.dmp
memory/4780-69-0x0000000003170000-0x0000000003171000-memory.dmp
memory/4780-70-0x0000000003170000-0x0000000003171000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20241010-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uninst.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe
"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe" /uninstallsucc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | d.wanyouxi7.com | udp |
| GB | 138.113.101.14:80 | d.wanyouxi7.com | tcp |
| US | 8.8.8.8:53 | a.clickdata.37wan.com | udp |
| CN | 159.75.141.43:80 | a.clickdata.37wan.com | tcp |
| CN | 106.55.79.146:80 | a.clickdata.37wan.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 80b05828a4c0d54e3a3ca2a4cd61492a |
| SHA1 | f27df18439239725862d94450d284a4e41e5384b |
| SHA256 | 9b381dcb55d28fcb668b6f9e4209a7b67c332c5179517fb6ba78fd3f701b8bdc |
| SHA512 | b64e6dce7732d57c62236412cc0f4d08bccaef472134a4b905a3cbbb0c0a7b8b49a58bc1660df1b329621b653c333003840e30293077002c48f931b0333542c3 |
\Users\Admin\AppData\Local\Temp\nsy43B6.tmp\FindProcDLL.dll
| MD5 | 8614c450637267afacad1645e23ba24a |
| SHA1 | e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2 |
| SHA256 | 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758 |
| SHA512 | af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b |
memory/2040-13-0x0000000010000000-0x0000000010003000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsy43B6.tmp\inetc.dll
| MD5 | c498ae64b4971132bba676873978de1e |
| SHA1 | 92e4009cd776b6c8616d8bffade7668ef3cb3c27 |
| SHA256 | 5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8 |
| SHA512 | 8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7 |
C:\Users\Admin\AppData\Local\Temp\lander.ini
| MD5 | 16cd51deb7d1bd427a510c389e82d087 |
| SHA1 | 18b715836c89f55978ff04128d52de905f4e2f76 |
| SHA256 | 97b69cb6229190e10399521e35e0e8f3579b2906f4f0ffca26bd4f7d791fdc5a |
| SHA512 | 6b9a2ab32b49d20994d8ed338b0125fbc7f39f8c9737855a1d84993b7a1279a2e18d306abc134068cc888398f0386d8c39b4bbe9e3ebfb165c9488b883298429 |
memory/2040-29-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3368 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3368 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3368 wrote to memory of 2428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2428-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2428-1-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 224
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3660 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3660 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3660 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3048 -ip 3048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 636
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2720 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2720 wrote to memory of 2564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 612
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20241023-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iconTips.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iconTips.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\iconTips.exe
"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 224
Network
Files
memory/2400-1-0x0000000010001000-0x0000000010002000-memory.dmp
memory/2400-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/2400-2-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1000 wrote to memory of 4532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1000 wrote to memory of 4532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1000 wrote to memory of 4532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4532 -ip 4532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 624
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2504 wrote to memory of 936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2504 wrote to memory of 936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2504 wrote to memory of 936 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 936 -ip 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 600
Network
Files
memory/936-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/936-1-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 244
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe
"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gameapp.37.com | udp |
| CN | 180.188.25.9:80 | gameapp.37.com | tcp |
Files
memory/1716-3-0x0000000002520000-0x0000000002521000-memory.dmp
memory/1716-4-0x0000000002520000-0x0000000002521000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
141s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uninst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 880 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 880 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 880 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1132 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe |
| PID 1132 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe |
| PID 1132 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe
"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe" /uninstallsucc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d.wanyouxi7.com | udp |
| GB | 174.35.118.63:80 | d.wanyouxi7.com | tcp |
| US | 8.8.8.8:53 | a.clickdata.37wan.com | udp |
| CN | 106.55.79.146:80 | a.clickdata.37wan.com | tcp |
| US | 8.8.8.8:53 | 63.118.35.174.in-addr.arpa | udp |
| CN | 159.75.141.43:80 | a.clickdata.37wan.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 80b05828a4c0d54e3a3ca2a4cd61492a |
| SHA1 | f27df18439239725862d94450d284a4e41e5384b |
| SHA256 | 9b381dcb55d28fcb668b6f9e4209a7b67c332c5179517fb6ba78fd3f701b8bdc |
| SHA512 | b64e6dce7732d57c62236412cc0f4d08bccaef472134a4b905a3cbbb0c0a7b8b49a58bc1660df1b329621b653c333003840e30293077002c48f931b0333542c3 |
C:\Users\Admin\AppData\Local\Temp\nsdC1CB.tmp\FindProcDLL.dll
| MD5 | 8614c450637267afacad1645e23ba24a |
| SHA1 | e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2 |
| SHA256 | 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758 |
| SHA512 | af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b |
memory/1132-11-0x0000000010000000-0x0000000010003000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsdC1CB.tmp\inetc.dll
| MD5 | c498ae64b4971132bba676873978de1e |
| SHA1 | 92e4009cd776b6c8616d8bffade7668ef3cb3c27 |
| SHA256 | 5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8 |
| SHA512 | 8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7 |
C:\Users\Admin\AppData\Local\Temp\lander.ini
| MD5 | edc33c0698acdf92e10e9672ba5c4db2 |
| SHA1 | 8fbed53c547720a3cf9cadbe1b55bf1d465ca3e4 |
| SHA256 | 1a2122161b14e1298e058c6a971b955cfe428c80e565b544fb9a6162e6116d3f |
| SHA512 | 0e2eab36b2df6684981f4d5468f7210553b74fb27333505490dc43be384fb5b619caf011bb641d47fbbf1b260c2fc877a6ee9ff7b3e20762c6a249d91b2d8d88 |
memory/1132-27-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\iconTips.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iconTips.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\iconTips.exe
"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 224
Network
Files
memory/1284-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/1284-1-0x0000000010001000-0x0000000010002000-memory.dmp
memory/1284-2-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
135s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1412 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 3032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3032 -ip 3032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 600
Network
Files
memory/3032-0-0x0000000010000000-0x0000000010003000-memory.dmp
memory/3032-1-0x0000000010000000-0x0000000010003000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240708-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 236
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 244
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4316 wrote to memory of 1092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4316 wrote to memory of 1092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4316 wrote to memory of 1092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1092 -ip 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 612
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-31 16:21
Reported
2024-10-31 16:23
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe
"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe"
Network
Files
memory/3652-3-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/3652-4-0x0000000002D10000-0x0000000002D11000-memory.dmp