Analysis Overview
SHA256
8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4
Threat Level: Likely malicious
The file 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:20
Reported
2024-11-09 22:22
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1240 set thread context of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SvcManager\svcmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe
"C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net user %username%
C:\Windows\SysWOW64\net.exe
net user Admin
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-ExecutionPolicy bypass -Force
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q C:\Windows\SvcManager
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49230 | tcp | |
| US | 8.8.8.8:53 | first.tests.agency | udp |
Files
memory/1240-2-0x0000000073F3E000-0x0000000073F3F000-memory.dmp
memory/1240-1-0x0000000076F60000-0x0000000076F61000-memory.dmp
memory/1240-0-0x0000000000400000-0x0000000000A34000-memory.dmp
memory/1240-3-0x0000000000400000-0x00000000009EC000-memory.dmp
memory/1240-4-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/1240-5-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/1240-6-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/1240-7-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/1240-8-0x0000000000400000-0x0000000000A34000-memory.dmp
memory/1240-9-0x0000000000B90000-0x0000000000BB0000-memory.dmp
memory/1240-10-0x0000000073F3E000-0x0000000073F3F000-memory.dmp
memory/1240-11-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/1240-15-0x0000000009DD0000-0x0000000009EBC000-memory.dmp
memory/1240-16-0x0000000009EC0000-0x0000000009F76000-memory.dmp
memory/2748-17-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-30-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2748-27-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-25-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-23-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-21-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-19-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-33-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-34-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/1240-35-0x0000000073F30000-0x000000007461E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 2965be24c44a1089721b8640c5a15fc4 |
| SHA1 | 66d6c947e07ab96d7e7e699fad80b891c3e84f52 |
| SHA256 | 166d46117b8f149bb3c2942f9a297a82d7a499eb4d4fcf39e0c9ca7d1c4f89be |
| SHA512 | 0bb5ae575618211991a30c0ec7d67fe7e97daa9cf9166a4c32eb1d2a8e79f6012208c96c9986c438a4de6c1fb152a70d97015542b2e338dcb53dfed80bcf85cd |
memory/2748-43-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-44-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2748-45-0x0000000000400000-0x00000000004A3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:20
Reported
2024-11-09 22:22
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3896 set thread context of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SvcManager\svcmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe
"C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net user %username%
C:\Windows\SysWOW64\net.exe
net user Admin
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-ExecutionPolicy bypass -Force
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q C:\Windows\SvcManager
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:54590 | tcp | |
| US | 8.8.8.8:53 | first.tests.agency | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/3896-0-0x0000000000400000-0x0000000000A34000-memory.dmp
memory/3896-2-0x0000000077873000-0x0000000077874000-memory.dmp
memory/3896-1-0x0000000077872000-0x0000000077873000-memory.dmp
memory/3896-3-0x000000007479E000-0x000000007479F000-memory.dmp
memory/3896-4-0x0000000000400000-0x00000000009EC000-memory.dmp
memory/3896-5-0x0000000005A80000-0x0000000006024000-memory.dmp
memory/3896-6-0x00000000034B0000-0x0000000003542000-memory.dmp
memory/3896-7-0x0000000006030000-0x00000000060CC000-memory.dmp
memory/3896-8-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3896-9-0x00000000035E0000-0x00000000035EA000-memory.dmp
memory/3896-10-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3896-11-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3896-12-0x0000000000400000-0x0000000000A34000-memory.dmp
memory/3896-13-0x0000000003320000-0x0000000003340000-memory.dmp
memory/3896-14-0x000000007479E000-0x000000007479F000-memory.dmp
memory/3896-16-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3896-19-0x0000000001350000-0x000000000143C000-memory.dmp
memory/3896-20-0x000000000C190000-0x000000000C246000-memory.dmp
memory/1136-21-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/1136-25-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/1136-24-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/1136-26-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/3896-27-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/1828-28-0x0000000004A10000-0x0000000004A46000-memory.dmp
memory/1828-29-0x00000000050C0000-0x00000000056E8000-memory.dmp
memory/1828-30-0x0000000005830000-0x0000000005852000-memory.dmp
memory/1828-36-0x00000000058D0000-0x0000000005936000-memory.dmp
memory/1828-37-0x00000000059B0000-0x0000000005A16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1ypbobf.k4a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1828-42-0x0000000005B20000-0x0000000005E74000-memory.dmp
memory/1828-43-0x0000000005FB0000-0x0000000005FCE000-memory.dmp
memory/1828-44-0x0000000006070000-0x00000000060BC000-memory.dmp
memory/1828-45-0x0000000006590000-0x00000000065C2000-memory.dmp
memory/1828-46-0x0000000070C00000-0x0000000070C4C000-memory.dmp
memory/1828-56-0x00000000065D0000-0x00000000065EE000-memory.dmp
memory/1828-57-0x00000000071B0000-0x0000000007253000-memory.dmp
memory/1828-58-0x0000000007930000-0x0000000007FAA000-memory.dmp
memory/1828-59-0x00000000072F0000-0x000000000730A000-memory.dmp
memory/1828-60-0x0000000007360000-0x000000000736A000-memory.dmp
memory/1828-61-0x0000000007570000-0x0000000007606000-memory.dmp
memory/1828-62-0x00000000074F0000-0x0000000007501000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | e03d3a9e96ae6dbee071f3bbf77b4f98 |
| SHA1 | 3b104c534a7666859ff786c1e29fd03f0dc9c100 |
| SHA256 | 183fe219bc796c2f6e20829319934fa116724396b22e57b66a55b6688281cf89 |
| SHA512 | 1b7aa7448c409502774aa7adf897b1149641afe34af5e4fe7ba0beeb0809620e63d2cb9aed4fd14c176dda64347e92d701b7eec1cb3ed78d17f3de7e79a0a0ec |
memory/728-75-0x00000000055E0000-0x0000000005934000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 86f3315cf8c80832e417d2593259a196 |
| SHA1 | 35794253d9281792ad2583d393e76ff81009390b |
| SHA256 | 713f0b56be363372d2f685ad020c610dd04387ecdfa4c55ce3d016b7193a167e |
| SHA512 | aa504a4717164523d7ddbce1a6d024116d12a30d9a0e0736869d293ea04a6ec11b4ee35960c6277de061006058e92f44f1020904e68d8ff3119a70f2971ae010 |
memory/728-77-0x0000000070C00000-0x0000000070C4C000-memory.dmp
memory/728-87-0x00000000071C0000-0x00000000071CE000-memory.dmp
memory/728-88-0x00000000071D0000-0x00000000071E4000-memory.dmp
memory/728-89-0x00000000072D0000-0x00000000072EA000-memory.dmp
memory/728-90-0x00000000072B0000-0x00000000072B8000-memory.dmp
memory/1136-92-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/1136-93-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/1136-94-0x0000000000400000-0x00000000004A3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 22:20
Reported
2024-11-09 22:22
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 840 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 840 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 840 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 840 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 840 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 840 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 840 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 22:20
Reported
2024-11-09 22:22
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
136s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |