Analysis Overview
SHA256
c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f
Threat Level: Known bad
The file c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f was found to be: Known bad.
Malicious Activity Summary
Modifies visiblity of hidden/system files in Explorer
Modifies firewall policy service
Disables service(s)
Modifies Windows Firewall
Event Triggered Execution: Image File Execution Options Injection
Loads dropped DLL
Adds Run key to start application
Maps connected drives based on registry
Suspicious use of SetThreadContext
UPX packed file
Drops file in System32 directory
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Program crash
NSIS installer
Checks processor information in registry
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 08:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 08:56
Reported
2024-11-17 08:59
Platform
win7-20240903-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Disables service(s)
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Firewall.cpl\Debugger = "wuauclt.exe" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuauclt.exe" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuauclt.exe" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Firewall.cpl | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*MediaMangr0 = "\"C:\\ProgramData\\MediaMangr0\\acrotray.exe\"" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 = "awmv.61776D77vmwavboxqemuVMwarevmwarevirtualxen" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Drops file in System32 directory
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2664 set thread context of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
"C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe"
C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
"C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe"
C:\Windows\SysWOW64\sc.exe
sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\netsh.exe
netsh.exe firewall set opmode mode=disable profile=all
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| US | 8.8.8.8:6667 | tcp | |
| CN | 119.0.97.0:6667 | tcp | |
| ID | 114.0.101.0:6667 | tcp | |
| SE | 92.0.77.0:6667 | tcp | |
| ZA | 105.0.99.0:6667 | tcp | |
| ID | 114.0.111.0:6667 | tcp | |
| KR | 115.0.111.0:6667 | tcp | |
| KE | 102.0.116.0:6667 | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsjE88D.tmp\kymographs.dll
| MD5 | 42e4078c829a2e1d2734b0033847d2cc |
| SHA1 | 5f0279f9190c168d345e024f1e4b8739aec63cfc |
| SHA256 | 4cb8de133b9d26ba4d41ed9b4bae121e4b86760805d89f97331e2b5cbb4670b2 |
| SHA512 | 56be830839f3a728cf844c1656a3cad1aed77d71754d5350b7133f4b02e5c947bcae5be23d7668f13255779ed8e51cc3001b831c76d777cb9e88343d23c093f2 |
memory/2740-6-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-14-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-23-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-22-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-20-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2740-10-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-8-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-27-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-29-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2740-28-0x0000000000400000-0x000000000042C000-memory.dmp
C:\ProgramData\MediaMangr0\regmon.exe
| MD5 | 9643154395cef6ad892847d9d1806756 |
| SHA1 | 9be8440a9c34a60b58410b93bcff09b76a9d9bbf |
| SHA256 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f |
| SHA512 | 9811c24d3ad44ca7079411103d4dd0a127d46db8cd22cca28b1b384273d63dedc6e6068e82cb6c8b53ceb5f31308d525709a4431a8e9c5126df79d57875236c8 |
memory/2740-114-0x0000000000400000-0x000000000042C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 08:56
Reported
2024-11-17 08:59
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Disables service(s)
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll\Debugger = "wuauclt.exe" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "wuauclt.exe" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallAPI.dll | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*MediaMangr0 = "\"C:\\ProgramData\\MediaMangr0\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 = "awmv.61776D77vmwavboxqemuVMwarevmwarevirtualxen" | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Drops file in System32 directory
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3052 set thread context of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
"C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe"
C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
"C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe"
C:\Windows\SysWOW64\sc.exe
sc.exe config SharedAccess start= disabled
C:\Windows\SysWOW64\netsh.exe
netsh.exe firewall set opmode mode=disable profile=all
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| AU | 1.0.0.0:6667 | tcp | |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | loadirc.ownz.su | udp |
| US | 104.42.72.0:6667 | tcp | |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| SG | 3.0.0.0:6667 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| AU | 101.0.92.0:6667 | tcp | |
| US | 72.0.97.0:6667 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| ID | 114.0.100.0:6667 | tcp | |
| US | 100.0.105.0:6667 | tcp | |
| KR | 115.0.107.0:6667 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\kymographs.dll
| MD5 | 42e4078c829a2e1d2734b0033847d2cc |
| SHA1 | 5f0279f9190c168d345e024f1e4b8739aec63cfc |
| SHA256 | 4cb8de133b9d26ba4d41ed9b4bae121e4b86760805d89f97331e2b5cbb4670b2 |
| SHA512 | 56be830839f3a728cf844c1656a3cad1aed77d71754d5350b7133f4b02e5c947bcae5be23d7668f13255779ed8e51cc3001b831c76d777cb9e88343d23c093f2 |
memory/4012-6-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4012-11-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4012-13-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4012-17-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4012-18-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4012-19-0x0000000000400000-0x000000000042C000-memory.dmp
C:\ProgramData\MediaMangr0\btplayerctrl.exe
| MD5 | 9643154395cef6ad892847d9d1806756 |
| SHA1 | 9be8440a9c34a60b58410b93bcff09b76a9d9bbf |
| SHA256 | c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f |
| SHA512 | 9811c24d3ad44ca7079411103d4dd0a127d46db8cd22cca28b1b384273d63dedc6e6068e82cb6c8b53ceb5f31308d525709a4431a8e9c5126df79d57875236c8 |
memory/4012-116-0x0000000000400000-0x000000000042C000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-17 08:56
Reported
2024-11-17 08:59
Platform
win7-20241010-en
Max time kernel
73s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\kymographs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\kymographs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 228
Network
Files
memory/1128-0-0x0000000010000000-0x0000000010017000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-17 08:56
Reported
2024-11-17 08:59
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 776 wrote to memory of 1356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 776 wrote to memory of 1356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 776 wrote to memory of 1356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\kymographs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\kymographs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1356 -ip 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/1356-0-0x0000000010000000-0x0000000010017000-memory.dmp