Analysis Overview
SHA256
3108929126709bf3fe62a2a30b36943a5efc0d10317afc313264b9826799693d
Threat Level: Likely malicious
The file 990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
CryptOne packer
Loads dropped DLL
A potential corporate email address has been identified in the URL: [email protected]
Executes dropped EXE
UPX packed file
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
NSIS installer
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 03:52
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240903-en
Max time kernel
134s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | hot.vrs.sohu.com | udp |
| HK | 52.175.28.82:80 | hot.vrs.sohu.com | tcp |
| US | 8.8.8.8:53 | data.vod.itc.cn | udp |
| HK | 52.175.24.208:80 | data.vod.itc.cn | tcp |
| US | 8.8.8.8:53 | 717-2.vod.tv.itc.cn | udp |
| CN | 111.172.239.129:80 | 717-2.vod.tv.itc.cn | tcp |
| HK | 52.175.24.208:80 | data.vod.itc.cn | tcp |
| CN | 111.172.239.129:80 | 717-2.vod.tv.itc.cn | tcp |
| HK | 52.175.24.208:80 | data.vod.itc.cn | tcp |
| CN | 111.172.239.129:80 | 717-2.vod.tv.itc.cn | tcp |
| HK | 52.175.24.208:80 | data.vod.itc.cn | tcp |
| CN | 111.172.239.129:80 | 717-2.vod.tv.itc.cn | tcp |
| HK | 52.175.24.208:80 | data.vod.itc.cn | tcp |
| CN | 111.172.239.129:80 | 717-2.vod.tv.itc.cn | tcp |
| HK | 52.175.24.208:80 | data.vod.itc.cn | tcp |
| CN | 111.172.239.129:80 | 717-2.vod.tv.itc.cn | tcp |
| HK | 52.175.24.208:80 | data.vod.itc.cn | tcp |
| CN | 111.172.239.129:80 | 717-2.vod.tv.itc.cn | tcp |
Files
memory/2732-0-0x0000000000140000-0x0000000000141000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IFoxInfo.ini
| MD5 | 03e8f1df88918d932be4a3f59e4e63aa |
| SHA1 | 868a4c97541b78b36253d758476ac92bf129b89f |
| SHA256 | 20e63fafb19c0593e1103d1f7bd844eaa3441bd7d336ebd9f6198a4d9f34eb1e |
| SHA512 | 3dc385c3cd6c437d7aaedf9f6bcb02307bd71b19fd739e41d583aa7fe3b35f3560836c72728877b47490b1a7e415b1bd5a5b58a675f4a169150221d9fd473873 |
memory/2732-6-0x0000000000140000-0x0000000000141000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20241010-en
Max time kernel
145s
Max time network
130s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"
C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp" /SL5="$40108,317431,67072,C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"
Network
Files
memory/1552-2-0x0000000000401000-0x000000000040C000-memory.dmp
memory/1552-0-0x0000000000400000-0x0000000000417000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp
| MD5 | d46e2d82589924a5dd132be8b5af79e6 |
| SHA1 | cfd7c1adaf4653342c27fa536d257fffb6cfa531 |
| SHA256 | 6e35b0aa3c98d70737da7d4bb4ac8e798980c32ec1cd1162684b39b691770235 |
| SHA512 | 944cc9b3b32b12db6564f0588ee3ed4c77110fe1f8bc2018733b34a71a3bc3b6771bfbe7a8805454aeb5e9de1e15941465675fad5517d80f14ad9fa461c67f59 |
memory/2000-8-0x0000000000400000-0x00000000004C2000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-L4RRJ.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1552-15-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2000-16-0x0000000000400000-0x00000000004C2000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected] | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected] | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]
"C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.ppstream.com | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| SG | 118.26.120.3:80 | download.ppstream.com | tcp |
| US | 8.8.8.8:53 | 3.120.26.118.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
memory/2376-0-0x0000000000400000-0x00000000004AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsnC035.tmp\System.dll
| MD5 | 1a5dfca378b7d0de2dc21bf60ef7b534 |
| SHA1 | c6e1e94abce3c2373cad77f630b71bae5aeb0a9a |
| SHA256 | 4494ba34a963a2f4ac859b3d1c79c097b2a6b95f2bca593621d133d03b71dea8 |
| SHA512 | 8705e06cfc0a85f7246b84b08f1f45f2303f039e9bae15cecb7624ff48a3675d63c8ce50c60f90908a1302a0aebd126926df1f5b1c0f57025f3174cf7b27b380 |
C:\Users\Admin\AppData\Local\Temp\nsnC035.tmp\NSISdl.dll
| MD5 | 4fc6b7461244321c95e9eb649f509310 |
| SHA1 | 57ba87f732ecfd0be9508683f2c59a343fdd9cad |
| SHA256 | 9313cf0a9056c7c83aa139cb8944e38e9a6458e42a7d9bb123443c471835fb09 |
| SHA512 | ce627dc84d9d46fcc2d2a13fd647dd1bf1812c89c1e0a2d81f4c93080c40db3f88e3aa7bc8175452bb89677278ec0a685616c1669ff9f1fdca45f489ece256bc |
memory/2376-19-0x0000000000400000-0x00000000004AB000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889} | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\ = "{020F31A0-4478-41D0-90BF-4BBC7CE63889}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ = "IHZDApp" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\ = "HZDApp.Application" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1} | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ProgID | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HZDApp.exe" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\ = "{020F31A0-4478-41D0-90BF-4BBC7CE63889}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335} | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\ = "HZDApp" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335} | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ = "HZDApp.Application" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ProgID\ = "HZDApp.Application" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HZDApp.exe" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\CLSID\ = "{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ = "IHZDApp" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HZDApp.exe
"C:\Users\Admin\AppData\Local\Temp\HZDApp.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:55
Platform
win7-20241023-en
Max time kernel
119s
Max time network
140s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\GetVersion.dll
| MD5 | 2e2412281a205ed8d53aafb3ef770a2d |
| SHA1 | 3cae4138e8226866236cf34f8fb00dafb0954d97 |
| SHA256 | db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00 |
| SHA512 | 6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219 |
\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\processwork.dll
| MD5 | 0a4fa7a9ba969a805eb0603c7cfe3378 |
| SHA1 | 0f018a8d5b42c6ce8bf34b4a6422861c327af88c |
| SHA256 | 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c |
| SHA512 | e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178 |
memory/2776-14-0x0000000001D70000-0x0000000001DB1000-memory.dmp
\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\BrandingURL.dll
| MD5 | 71c46b663baa92ad941388d082af97e7 |
| SHA1 | 5a9fcce065366a526d75cc5ded9aade7cadd6421 |
| SHA256 | bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e |
| SHA512 | 5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce |
C:\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\ioSpecial.ini
| MD5 | c215db19893fc8294f65dc3023b801ee |
| SHA1 | 805e3ba32d9d395972469352aa94e300f04593ab |
| SHA256 | b8e3b3d7fd646749d14ff852957b05299a6f2f2227946d53d7a2f1f3533eae6c |
| SHA512 | f94c72313889c615e4097c9b48c9183d2880a63f4f2621a02252beaa281ed17716104d27e9ed2e7c9955ab59a115aff5d0000d6e1b74738d711970b9d5241836 |
\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\InstallOptions.dll
| MD5 | 0dc0cc7a6d9db685bf05a7e5f3ea4781 |
| SHA1 | 5d8b6268eeec9d8d904bc9d988a4b588b392213f |
| SHA256 | 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c |
| SHA512 | 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0 |
C:\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\ioSpecial.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | agent.sj.qq.com | udp |
Files
memory/2340-0-0x00000000000F0000-0x00000000000F1000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3552 wrote to memory of 3700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 3700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 3700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 612
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240903-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 224
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20241010-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 224
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:55
Platform
win7-20241023-en
Max time kernel
118s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ContextBG\ = "{6C125022-639D-43cc-9F3D-647E6CC69EF1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\ = "ContextBG" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\ContextBG | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ContextBG | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ContextBG.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ContextBG\ = "{6C125022-639D-43cc-9F3D-647E6CC69EF1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2372 wrote to memory of 1752 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2372 wrote to memory of 1752 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2372 wrote to memory of 1752 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2372 wrote to memory of 1752 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2372 wrote to memory of 1752 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2372 wrote to memory of 1752 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2372 wrote to memory of 1752 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240903-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2380 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2672 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2672 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4292 wrote to memory of 1824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1824 -ip 1824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 600
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20241010-en
Max time kernel
10s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 228
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3060 wrote to memory of 636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 636 -ip 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 600
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4192 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe | C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"
C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp" /SL5="$70112,317431,67072,C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"
Network
Files
memory/4192-2-0x0000000000401000-0x000000000040C000-memory.dmp
memory/4192-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp
| MD5 | d46e2d82589924a5dd132be8b5af79e6 |
| SHA1 | cfd7c1adaf4653342c27fa536d257fffb6cfa531 |
| SHA256 | 6e35b0aa3c98d70737da7d4bb4ac8e798980c32ec1cd1162684b39b691770235 |
| SHA512 | 944cc9b3b32b12db6564f0588ee3ed4c77110fe1f8bc2018733b34a71a3bc3b6771bfbe7a8805454aeb5e9de1e15941465675fad5517d80f14ad9fa461c67f59 |
memory/1964-7-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/4192-12-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1964-13-0x0000000000400000-0x00000000004C2000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240708-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 244
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
145s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4424 wrote to memory of 5048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240903-en
Max time kernel
141s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe
"C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | client.haozhuodao.com | udp |
Files
memory/1708-0-0x000000006FFF0000-0x0000000070000000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\ = "ContextBG" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ContextBG.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\ContextBG | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ContextBG | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\ContextBG\ = "{6C125022-639D-43cc-9F3D-647E6CC69EF1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ContextBG\ = "{6C125022-639D-43cc-9F3D-647E6CC69EF1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3500 wrote to memory of 3152 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20241010-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\ = "{020F31A0-4478-41D0-90BF-4BBC7CE63889}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\ = "HZDApp.Application" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ = "HZDApp.Application" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\CLSID\ = "{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ProgID | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HZDApp.exe" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1} | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ProgID\ = "HZDApp.Application" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HZDApp.exe" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ = "IHZDApp" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889} | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\ = "HZDApp" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335} | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ = "IHZDApp" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\ = "{020F31A0-4478-41D0-90BF-4BBC7CE63889}" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335} | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HZDApp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HZDApp.exe
"C:\Users\Admin\AppData\Local\Temp\HZDApp.exe"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe
"C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.250.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | client.haozhuodao.com | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/2572-0-0x000000006FFF0000-0x0000000070000000-memory.dmp
memory/2572-2-0x0000000077740000-0x0000000077758000-memory.dmp
memory/2572-1-0x0000000076210000-0x00000000763B0000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
146s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4316 wrote to memory of 3584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
152s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\GetVersion.dll
| MD5 | 2e2412281a205ed8d53aafb3ef770a2d |
| SHA1 | 3cae4138e8226866236cf34f8fb00dafb0954d97 |
| SHA256 | db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00 |
| SHA512 | 6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219 |
C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\processwork.dll
| MD5 | 0a4fa7a9ba969a805eb0603c7cfe3378 |
| SHA1 | 0f018a8d5b42c6ce8bf34b4a6422861c327af88c |
| SHA256 | 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c |
| SHA512 | e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178 |
memory/5052-15-0x0000000002F40000-0x0000000002F81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\BrandingURL.dll
| MD5 | 71c46b663baa92ad941388d082af97e7 |
| SHA1 | 5a9fcce065366a526d75cc5ded9aade7cadd6421 |
| SHA256 | bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e |
| SHA512 | 5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce |
C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\InstallOptions.dll
| MD5 | 0dc0cc7a6d9db685bf05a7e5f3ea4781 |
| SHA1 | 5d8b6268eeec9d8d904bc9d988a4b588b392213f |
| SHA256 | 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c |
| SHA512 | 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0 |
C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\ioSpecial.ini
| MD5 | 6f538a75101725af75ad61f62fcf2718 |
| SHA1 | eefc60a4cf97af4e059dc2664226788ef28061b3 |
| SHA256 | c1f33a60863659ccf7f4e1d35eae66bb909c08196de114ffadec248d05192a2a |
| SHA512 | b590fc4f0b5a239ce96267785a2345353a8f2e81b0479e9459c5d04bb6d45124cd4ae7bf64581fb39eae8d16a4848d4b8cfe7a84c4dcf9530f5c6288c048e2e2 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:55
Platform
win7-20241023-en
Max time kernel
122s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 224
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240729-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1
Network
Files
memory/2236-0-0x0000000001FA0000-0x0000000001FE1000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win7-20240903-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected] | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected] | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]
"C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.ppstream.com | udp |
| SG | 118.26.120.3:80 | download.ppstream.com | tcp |
Files
memory/2380-0-0x0000000000400000-0x00000000004AB000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsdA0D3.tmp\System.dll
| MD5 | 1a5dfca378b7d0de2dc21bf60ef7b534 |
| SHA1 | c6e1e94abce3c2373cad77f630b71bae5aeb0a9a |
| SHA256 | 4494ba34a963a2f4ac859b3d1c79c097b2a6b95f2bca593621d133d03b71dea8 |
| SHA512 | 8705e06cfc0a85f7246b84b08f1f45f2303f039e9bae15cecb7624ff48a3675d63c8ce50c60f90908a1302a0aebd126926df1f5b1c0f57025f3174cf7b27b380 |
\Users\Admin\AppData\Local\Temp\nsdA0D3.tmp\NSISdl.dll
| MD5 | 4fc6b7461244321c95e9eb649f509310 |
| SHA1 | 57ba87f732ecfd0be9508683f2c59a343fdd9cad |
| SHA256 | 9313cf0a9056c7c83aa139cb8944e38e9a6458e42a7d9bb123443c471835fb09 |
| SHA512 | ce627dc84d9d46fcc2d2a13fd647dd1bf1812c89c1e0a2d81f4c93080c40db3f88e3aa7bc8175452bb89677278ec0a685616c1669ff9f1fdca45f489ece256bc |
memory/2380-20-0x0000000000400000-0x00000000004AB000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 376 wrote to memory of 224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 224 -ip 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 640
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe"
Network
Files
memory/2380-0-0x0000000000B00000-0x0000000000B01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IFoxInfo.ini
| MD5 | 03e8f1df88918d932be4a3f59e4e63aa |
| SHA1 | 868a4c97541b78b36253d758476ac92bf129b89f |
| SHA256 | 20e63fafb19c0593e1103d1f7bd844eaa3441bd7d336ebd9f6198a4d9f34eb1e |
| SHA512 | 3dc385c3cd6c437d7aaedf9f6bcb02307bd71b19fd739e41d583aa7fe3b35f3560836c72728877b47490b1a7e415b1bd5a5b58a675f4a169150221d9fd473873 |
memory/2380-6-0x0000000000B00000-0x0000000000B01000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe"
Network
Files
memory/1088-0-0x0000000002FE0000-0x0000000002FE1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2920 wrote to memory of 2084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 612
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-25 03:51
Reported
2024-11-25 03:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2848 wrote to memory of 3080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3080 -ip 3080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 612
Network