Malware Analysis Report

2025-06-15 23:34

Sample ID 241031-ttm52a1gnp
Target SecuriteInfo.com.FileRepMalware.6479.21607.exe
SHA256 0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075
Tags: discovery, bootkit, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075

Threat Level: Shows suspicious behavior

The file SecuriteInfo.com.FileRepMalware.6479.21607.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery bootkit persistence

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks installed software on the system

Writes to the Master Boot Record (MBR)

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 16:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224

Network

N/A

Files

memory/2324-2-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2324-1-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2324-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2324-4-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2324-3-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2324-5-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 2600 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

N/A

Files

memory/1208-19-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-24-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-23-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-22-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-21-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-20-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-18-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-17-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-16-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-15-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-14-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-13-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-12-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-11-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-10-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-9-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-8-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-7-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-6-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-3-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-2-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-1-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1208-0-0x0000000002D90000-0x0000000002D91000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 3228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1432 wrote to memory of 3228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1432 wrote to memory of 3228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3228 -ip 3228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 640

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20241010-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 228

Network

N/A

Files

memory/2456-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2456-1-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2456-2-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2840 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2840 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2840 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2136 -ip 2136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2136-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2136-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

134s

Command Line

C:\Windows\Explorer.EXE

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE
PID 864 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe

"C:\Users\Admin\AppData\Local\Temp\iconAnimate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20241010-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"

C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

"C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc

C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

"C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun

Network

Country Destination Domain Proto
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 gameapp.37.com udp
CN 180.188.25.9:80 gameapp.37.com tcp

Files

\Users\Admin\AppData\Local\Temp\nso64AE.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/2880-13-0x0000000000341000-0x0000000000342000-memory.dmp

memory/2880-12-0x0000000000340000-0x0000000000343000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso64AE.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

MD5 75a7cc387d1e24de8ba1275e81a840d1
SHA1 8a21d186efb66be5db46925518e0b70861bf6dab
SHA256 d5c4461055dfdd7d755400207bebacdfe0cc880f7b6c742409e07afd24515bfc
SHA512 550de9d37a27fa93d0869b1ff02a55bfbc49b20871b59b85513b03d4664a1c34350764aada6a23a13f56e7f6e4eb5a4dc6d06fde761713edd1c9cbbbcb5de158

C:\Users\Admin\AppData\Roaming\mk-jzcq\lander.ini

MD5 bd3d2a63852000b334df43694b413842
SHA1 c2352468953156292e7e1a3ec8f3fb007ca008b8
SHA256 0e44d0f71caaada342fc0785f8cfc1adda2a7d7c939c7b62bc3c64bc56d06b19
SHA512 463efc29f6f9cf87ae155e5b9c7b59130a153f6d0598d2a06fcbf51c4098743ae03de531cd53a54ccac9be0ae164a0537cff7e1377b62cbf60ec2a7c065bcb08

\Users\Admin\AppData\Roaming\mk-jzcq\uninst.exe

MD5 80b05828a4c0d54e3a3ca2a4cd61492a
SHA1 f27df18439239725862d94450d284a4e41e5384b
SHA256 9b381dcb55d28fcb668b6f9e4209a7b67c332c5179517fb6ba78fd3f701b8bdc
SHA512 b64e6dce7732d57c62236412cc0f4d08bccaef472134a4b905a3cbbb0c0a7b8b49a58bc1660df1b329621b653c333003840e30293077002c48f931b0333542c3

memory/2880-41-0x0000000000341000-0x0000000000342000-memory.dmp

memory/2880-40-0x0000000000340000-0x0000000000343000-memory.dmp

C:\Users\Admin\AppData\Roaming\mk-jzcq\Lander.ini

MD5 04b52176e0386a53a9fade075008b459
SHA1 c32a5b7983e25761dae4d88a509b0ddc2af36b37
SHA256 8079245d7e2833d3ea60c7dfa378d16a1e69833f4cad1cca8837c5024889ea0d
SHA512 99165626e233ea2e76938631ecea4340d965f0b7e25af21b875ae014aed66c795170424db01769bb1d1db5a21f698fe24f7114af3ae912d3abb59b37b1b0038e

memory/2880-58-0x0000000000340000-0x0000000000343000-memory.dmp

C:\Users\Admin\AppData\Roaming\mk-jzcq\lander.ini

MD5 f140e286c87269088054cd0b5eba4f6f
SHA1 4d13decb580cac945527e23e02c50ab52c9e8d40
SHA256 592a3ba7bcc60ead84cb33157a9bf61762b7e9e605b5743d2c7440a0af1a9225
SHA512 5884063c86895e47fbce961609ca8f2122255a86250098ea74e550eb2a7edfa50a340072ae1581d87b33966cded699613e246594098b05b6e7c209983a41b1ac

memory/2996-69-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/2996-71-0x0000000000B50000-0x0000000000B51000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"

C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

"C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc

C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

"C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun

Network

Country Destination Domain Proto
US 8.8.8.8:53 a.clickdata.37wan.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 gameapp.37.com udp
CN 180.188.25.9:80 gameapp.37.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsbB085.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsbB085.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/408-15-0x0000000004811000-0x0000000004812000-memory.dmp

memory/408-14-0x0000000004810000-0x0000000004813000-memory.dmp

C:\Users\Admin\AppData\Roaming\mk-jzcq\lander.ini

MD5 bd3d2a63852000b334df43694b413842
SHA1 c2352468953156292e7e1a3ec8f3fb007ca008b8
SHA256 0e44d0f71caaada342fc0785f8cfc1adda2a7d7c939c7b62bc3c64bc56d06b19
SHA512 463efc29f6f9cf87ae155e5b9c7b59130a153f6d0598d2a06fcbf51c4098743ae03de531cd53a54ccac9be0ae164a0537cff7e1377b62cbf60ec2a7c065bcb08

C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

MD5 75a7cc387d1e24de8ba1275e81a840d1
SHA1 8a21d186efb66be5db46925518e0b70861bf6dab
SHA256 d5c4461055dfdd7d755400207bebacdfe0cc880f7b6c742409e07afd24515bfc
SHA512 550de9d37a27fa93d0869b1ff02a55bfbc49b20871b59b85513b03d4664a1c34350764aada6a23a13f56e7f6e4eb5a4dc6d06fde761713edd1c9cbbbcb5de158

C:\Users\Admin\AppData\Roaming\mk-jzcq\Lander.ini

MD5 2c50cf60647cb651d7828f8aa66c0b68
SHA1 aa3ba89fc7adc865a13169d6449443ee63dfd910
SHA256 7549fdb2859a659368e06fe95abb06fdbc91ec3dafd6c062bff8b67317db6eb4
SHA512 46e3256a785ff494b375062ebe4543fd9ded68b34928f71812b1742bb25f3a153335646e4bd547f19c128c48a1a98dda336e1e8c759140c708be8019a0168769

memory/408-55-0x0000000000480000-0x0000000000483000-memory.dmp

memory/408-61-0x0000000000481000-0x0000000000482000-memory.dmp

memory/408-60-0x0000000000480000-0x0000000000483000-memory.dmp

memory/4780-69-0x0000000003170000-0x0000000003171000-memory.dmp

memory/4780-70-0x0000000003170000-0x0000000003171000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20241010-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uninst.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2040 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe

"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe" /uninstallsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 138.113.101.14:80 d.wanyouxi7.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 80b05828a4c0d54e3a3ca2a4cd61492a
SHA1 f27df18439239725862d94450d284a4e41e5384b
SHA256 9b381dcb55d28fcb668b6f9e4209a7b67c332c5179517fb6ba78fd3f701b8bdc
SHA512 b64e6dce7732d57c62236412cc0f4d08bccaef472134a4b905a3cbbb0c0a7b8b49a58bc1660df1b329621b653c333003840e30293077002c48f931b0333542c3

\Users\Admin\AppData\Local\Temp\nsy43B6.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/2040-13-0x0000000010000000-0x0000000010003000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy43B6.tmp\inetc.dll

MD5 c498ae64b4971132bba676873978de1e
SHA1 92e4009cd776b6c8616d8bffade7668ef3cb3c27
SHA256 5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8
SHA512 8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

C:\Users\Admin\AppData\Local\Temp\lander.ini

MD5 16cd51deb7d1bd427a510c389e82d087
SHA1 18b715836c89f55978ff04128d52de905f4e2f76
SHA256 97b69cb6229190e10399521e35e0e8f3579b2906f4f0ffca26bd4f7d791fdc5a
SHA512 6b9a2ab32b49d20994d8ed338b0125fbc7f39f8c9737855a1d84993b7a1279a2e18d306abc134068cc888398f0386d8c39b4bbe9e3ebfb165c9488b883298429

memory/2040-29-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 2428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2428 -ip 2428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2428-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2428-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3660 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3048 -ip 3048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 2564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20241023-en

Max time kernel

121s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

N/A

Files

memory/1100-0-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-1-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-36-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-35-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-34-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-33-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-32-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-31-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-30-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-29-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-28-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-27-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-26-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-25-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-24-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-23-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-22-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-21-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-20-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-19-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-18-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-17-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-16-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-15-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-14-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-13-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-12-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-11-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-10-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-9-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-8-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-7-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-6-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-5-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-4-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-3-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1100-2-0x0000000002E90000-0x0000000002E91000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 224

Network

N/A

Files

memory/2400-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2400-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2400-2-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 4532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4532 -ip 4532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 936 -ip 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/936-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/936-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 244

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe

"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
CN 180.188.25.9:80 gameapp.37.com tcp

Files

memory/1716-3-0x0000000002520000-0x0000000002521000-memory.dmp

memory/1716-4-0x0000000002520000-0x0000000002521000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uninst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe

"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe" /uninstallsucc

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 d.wanyouxi7.com udp
GB 174.35.118.63:80 d.wanyouxi7.com tcp
US 8.8.8.8:53 a.clickdata.37wan.com udp
CN 106.55.79.146:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 63.118.35.174.in-addr.arpa udp
CN 159.75.141.43:80 a.clickdata.37wan.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 80b05828a4c0d54e3a3ca2a4cd61492a
SHA1 f27df18439239725862d94450d284a4e41e5384b
SHA256 9b381dcb55d28fcb668b6f9e4209a7b67c332c5179517fb6ba78fd3f701b8bdc
SHA512 b64e6dce7732d57c62236412cc0f4d08bccaef472134a4b905a3cbbb0c0a7b8b49a58bc1660df1b329621b653c333003840e30293077002c48f931b0333542c3

C:\Users\Admin\AppData\Local\Temp\nsdC1CB.tmp\FindProcDLL.dll

MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

memory/1132-11-0x0000000010000000-0x0000000010003000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsdC1CB.tmp\inetc.dll

MD5 c498ae64b4971132bba676873978de1e
SHA1 92e4009cd776b6c8616d8bffade7668ef3cb3c27
SHA256 5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8
SHA512 8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

C:\Users\Admin\AppData\Local\Temp\lander.ini

MD5 edc33c0698acdf92e10e9672ba5c4db2
SHA1 8fbed53c547720a3cf9cadbe1b55bf1d465ca3e4
SHA256 1a2122161b14e1298e058c6a971b955cfe428c80e565b544fb9a6162e6116d3f
SHA512 0e2eab36b2df6684981f4d5468f7210553b74fb27333505490dc43be384fb5b619caf011bb641d47fbbf1b260c2fc877a6ee9ff7b3e20762c6a249d91b2d8d88

memory/1132-27-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\iconTips.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iconTips.exe

"C:\Users\Admin\AppData\Local\Temp\iconTips.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 224

Network

N/A

Files

memory/1284-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1284-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/1284-2-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1412 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1412 wrote to memory of 3032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3032-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/3032-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240708-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 236

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 244

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 1092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 1092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 1092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1092 -ip 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-31 16:21

Reported

2024-10-31 16:23

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe

"C:\Users\Admin\AppData\Local\Temp\dqwhj_errwd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameapp.37.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
CN 180.188.25.9:80 gameapp.37.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/3652-3-0x0000000002D10000-0x0000000002D11000-memory.dmp

memory/3652-4-0x0000000002D10000-0x0000000002D11000-memory.dmp