Analysis Overview
SHA256
e721952c765bb39555f2aa9f2141649fe2c1f2700224513c2860c8a7e25d2260
Threat Level: Known bad
The file APPENDIX FORM_N°45013-20241120.com.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Remcos family
Guloader family
Guloader,Cloudeye
Detected Nirsoft tools
NirSoft WebBrowserPassView
NirSoft MailPassView
Reads user/profile data of web browsers
Loads dropped DLL
Accesses Microsoft Outlook accounts
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Drops file in Program Files directory
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 11:20
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 11:20
Reported
2024-11-21 11:23
Platform
win7-20241010-en
Max time kernel
148s
Max time network
132s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2484 set thread context of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe |
| PID 2388 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe |
| PID 2388 set thread context of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe |
| PID 2388 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Separable80\Redegjortes184.Dis | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\fiksersaltenes\cubmaster.ini | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\situationer.ini | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Millet20.ton | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| File opened for modification | C:\Windows\honduras.Ski | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe"
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe"
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wuumqaalqqogojjvxtyttzia"
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hwifrslmmyglqpfzgdkveldrrlhf"
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rrnpslwgahyqbvtdyoxwhqyaarzovpj"
Network
| Country | Destination | Domain | Proto |
| US | 45.133.158.36:80 | 45.133.158.36 | tcp |
| US | 45.133.158.36:11371 | | tcp |
| US | 45.133.158.36:11371 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nst46F1.tmp\System.dll
| MD5 | 960a5c48e25cf2bca332e74e11d825c9 |
| SHA1 | da35c6816ace5daf4c6c1d57b93b09a82ecdc876 |
| SHA256 | 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2 |
| SHA512 | cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da |
C:\Users\Admin\AppData\Local\Temp\wuumqaalqqogojjvxtyttzia
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 11:20
Reported
2024-11-21 11:23
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Remcos
Remcos family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3484 set thread context of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe |
| PID 2272 set thread context of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe |
| PID 2272 set thread context of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe |
| PID 2272 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Separable80\Redegjortes184.Dis | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\fiksersaltenes\cubmaster.ini | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\situationer.ini | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Millet20.ton | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| File opened for modification | C:\Windows\honduras.Ski | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe"
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe"
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vubafotynhbereuk"
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gogtfgesbptjblqoghj"
C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe
"C:\Users\Admin\AppData\Local\Temp\APPENDIX FORM_N°45013-20241120.com.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ijmlgzptpxlodreapsvyhv"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 45.133.158.36:80 | 45.133.158.36 | tcp |
| US | 45.133.158.36:11371 | | tcp |
| US | 8.8.8.8:53 | 36.158.133.45.in-addr.arpa | udp |
| US | 45.133.158.36:11371 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.88.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsw9666.tmp\System.dll
| MD5 | 960a5c48e25cf2bca332e74e11d825c9 |
| SHA1 | da35c6816ace5daf4c6c1d57b93b09a82ecdc876 |
| SHA256 | 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2 |
| SHA512 | cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da |
C:\Users\Admin\AppData\Local\Temp\vubafotynhbereuk
| MD5 | bc25ccf39db8626dc249529bcc8c5639 |
| SHA1 | 3e9cbdb20a0970a3c13719a2f289d210cdcc9e1d |
| SHA256 | b333f8c736c701bc826886f395d928731850cbce6db77be752b3cf7979114904 |
| SHA512 | 9a546127bddc1d187e674cda82e6c5046cac7f3e6f9515aed68d5bff2264b9d679d857dd97270e10826cd11ce2d92d82dd7f9801e19027e346b60bcc814cca1a |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-21 11:20
Reported
2024-11-21 11:23
Platform
win7-20240903-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-21 11:20
Reported
2024-11-21 11:23
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3996 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3996 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3996 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4836 -ip 4836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.88.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |