Malware Analysis Report

2025-01-02 07:16

Sample ID 241124-lqc7natqhy
Target 93df7f361cf510714fb341106d886ed1_JaffaCakes118
SHA256 4fade83d0fd66d068ed856bf228e8bb17bfdaedeeb4ff3893ef86e035052c353
Tags
discovery persistence privilege_escalation upx privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4fade83d0fd66d068ed856bf228e8bb17bfdaedeeb4ff3893ef86e035052c353

Threat Level: Known bad

The file 93df7f361cf510714fb341106d886ed1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence privilege_escalation upx privateloader

Privateloader family

Event Triggered Execution: Component Object Model Hijacking

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 09:44

Signatures

Privateloader family

privateloader

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 244

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DaumCrashHandler64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DaumCrashHandler64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DesktopHook.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4744 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4744 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4744 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DesktopHook.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DesktopHook.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:47

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 224

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4684 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4684 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4684 wrote to memory of 4780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:47

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\ = "PotPlayerMCE_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\ = "PotPlayerMCE_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\ = "PotPlayerMini_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\ = "PotPlayerMini_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\ = "PotPlayerLive_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\ = "PotPlayerLive_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe

"C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DesktopHook.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DesktopHook.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DesktopHook.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20241010-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93df7f361cf510714fb341106d886ed1_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93df7f361cf510714fb341106d886ed1_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93df7f361cf510714fb341106d886ed1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93df7f361cf510714fb341106d886ed1_JaffaCakes118.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:47

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4432 wrote to memory of 4544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4432 wrote to memory of 4544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4432 wrote to memory of 4544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 244

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 3504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 3504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 3504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3504 -ip 3504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2132 wrote to memory of 2896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2132 wrote to memory of 2896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2896 -ip 2896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:47

Platform

win7-20241010-en

Max time kernel

122s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DaumCrashHandler64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DaumCrashHandler64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:47

Platform

win7-20241010-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\CLSID C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\ = "PotPlayerLive_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\ = "PotPlayerMCE_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\ = "PotPlayerMini_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\ = "PotPlayerLive_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\ = "PotPlayerMini_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\ = "PotPlayerMCE_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe

"C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93df7f361cf510714fb341106d886ed1_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93df7f361cf510714fb341106d886ed1_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93df7f361cf510714fb341106d886ed1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93df7f361cf510714fb341106d886ed1_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 3572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 3572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 3572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3572 -ip 3572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3588 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3588 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3588 wrote to memory of 2820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/2820-0-0x0000000075730000-0x0000000075740000-memory.dmp

memory/2820-1-0x0000000075730000-0x0000000075740000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 4160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 4160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2408 wrote to memory of 4160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4160 -ip 4160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATextOut64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATextOut64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:47

Platform

win7-20241010-en

Max time kernel

121s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 228

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1416 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1416 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1416 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1416 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1416 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1416 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1416 wrote to memory of 2688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATextOut64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATextOut64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:47

Platform

win7-20240708-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 224

Network

N/A

Files

memory/1976-1-0x0000000074DA0000-0x0000000074DB0000-memory.dmp

memory/1976-0-0x0000000074E40000-0x0000000074E50000-memory.dmp

memory/1976-2-0x0000000074D90000-0x0000000074DA0000-memory.dmp

memory/1976-3-0x0000000074E40000-0x0000000074E50000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 3936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 996 wrote to memory of 3936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 996 wrote to memory of 3936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-24 09:43

Reported

2024-11-24 09:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3912 wrote to memory of 4920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3912 wrote to memory of 4920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3912 wrote to memory of 4920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A