Malware Analysis Report

2025-01-23 13:44

Sample ID 241125-eeykwsxjfx
Target 990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118
SHA256 3108929126709bf3fe62a2a30b36943a5efc0d10317afc313264b9826799693d
Tags
discovery phishing upx cryptone packer
score
9/10


Analysis Overview

score
9/10

SHA256

3108929126709bf3fe62a2a30b36943a5efc0d10317afc313264b9826799693d

Threat Level: Likely malicious

The file 990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery phishing upx cryptone packer

CryptOne packer

Loads dropped DLL

A potential corporate email address has been identified in the URL: [email protected]

Executes dropped EXE

UPX packed file

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 03:52

Signatures

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240903-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hot.vrs.sohu.com udp
HK 52.175.28.82:80 hot.vrs.sohu.com tcp
US 8.8.8.8:53 data.vod.itc.cn udp
HK 52.175.24.208:80 data.vod.itc.cn tcp
US 8.8.8.8:53 717-2.vod.tv.itc.cn udp
CN 111.172.239.129:80 717-2.vod.tv.itc.cn tcp
HK 52.175.24.208:80 data.vod.itc.cn tcp
CN 111.172.239.129:80 717-2.vod.tv.itc.cn tcp
HK 52.175.24.208:80 data.vod.itc.cn tcp
CN 111.172.239.129:80 717-2.vod.tv.itc.cn tcp
HK 52.175.24.208:80 data.vod.itc.cn tcp
CN 111.172.239.129:80 717-2.vod.tv.itc.cn tcp
HK 52.175.24.208:80 data.vod.itc.cn tcp
CN 111.172.239.129:80 717-2.vod.tv.itc.cn tcp
HK 52.175.24.208:80 data.vod.itc.cn tcp
CN 111.172.239.129:80 717-2.vod.tv.itc.cn tcp
HK 52.175.24.208:80 data.vod.itc.cn tcp
CN 111.172.239.129:80 717-2.vod.tv.itc.cn tcp

Files

memory/2732-0-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IFoxInfo.ini

MD5 03e8f1df88918d932be4a3f59e4e63aa
SHA1 868a4c97541b78b36253d758476ac92bf129b89f
SHA256 20e63fafb19c0593e1103d1f7bd844eaa3441bd7d336ebd9f6198a4d9f34eb1e
SHA512 3dc385c3cd6c437d7aaedf9f6bcb02307bd71b19fd739e41d583aa7fe3b35f3560836c72728877b47490b1a7e415b1bd5a5b58a675f4a169150221d9fd473873

memory/2732-6-0x0000000000140000-0x0000000000141000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20241010-en

Max time kernel

145s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"

C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp" /SL5="$40108,317431,67072,C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"

Network

N/A

Files

memory/1552-2-0x0000000000401000-0x000000000040C000-memory.dmp

memory/1552-0-0x0000000000400000-0x0000000000417000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FPOA6.tmp\SU_lk78_setup_lg0597.tmp

MD5 d46e2d82589924a5dd132be8b5af79e6
SHA1 cfd7c1adaf4653342c27fa536d257fffb6cfa531
SHA256 6e35b0aa3c98d70737da7d4bb4ac8e798980c32ec1cd1162684b39b691770235
SHA512 944cc9b3b32b12db6564f0588ee3ed4c77110fe1f8bc2018733b34a71a3bc3b6771bfbe7a8805454aeb5e9de1e15941465675fad5517d80f14ad9fa461c67f59

memory/2000-8-0x0000000000400000-0x00000000004C2000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-L4RRJ.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1552-15-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2000-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]"

Signatures

A potential corporate email address has been identified in the URL: [email protected]

phishing

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected] N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]

"C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 download.ppstream.com udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
SG 118.26.120.3:80 download.ppstream.com tcp
US 8.8.8.8:53 3.120.26.118.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/2376-0-0x0000000000400000-0x00000000004AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsnC035.tmp\System.dll

MD5 1a5dfca378b7d0de2dc21bf60ef7b534
SHA1 c6e1e94abce3c2373cad77f630b71bae5aeb0a9a
SHA256 4494ba34a963a2f4ac859b3d1c79c097b2a6b95f2bca593621d133d03b71dea8
SHA512 8705e06cfc0a85f7246b84b08f1f45f2303f039e9bae15cecb7624ff48a3675d63c8ce50c60f90908a1302a0aebd126926df1f5b1c0f57025f3174cf7b27b380

C:\Users\Admin\AppData\Local\Temp\nsnC035.tmp\NSISdl.dll

MD5 4fc6b7461244321c95e9eb649f509310
SHA1 57ba87f732ecfd0be9508683f2c59a343fdd9cad
SHA256 9313cf0a9056c7c83aa139cb8944e38e9a6458e42a7d9bb123443c471835fb09
SHA512 ce627dc84d9d46fcc2d2a13fd647dd1bf1812c89c1e0a2d81f4c93080c40db3f88e3aa7bc8175452bb89677278ec0a685616c1669ff9f1fdca45f489ece256bc

memory/2376-19-0x0000000000400000-0x00000000004AB000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HZDApp.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889} C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\ = "{020F31A0-4478-41D0-90BF-4BBC7CE63889}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ = "IHZDApp" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\ = "HZDApp.Application" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1} C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\CLSID C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ProgID C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HZDApp.exe" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\ = "{020F31A0-4478-41D0-90BF-4BBC7CE63889}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335} C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\ = "HZDApp" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335} C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ = "HZDApp.Application" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ProgID\ = "HZDApp.Application" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HZDApp.exe" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\CLSID\ = "{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ = "IHZDApp" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HZDApp.exe

"C:\Users\Admin\AppData\Local\Temp\HZDApp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:55

Platform

win7-20241023-en

Max time kernel

119s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\GetVersion.dll

MD5 2e2412281a205ed8d53aafb3ef770a2d
SHA1 3cae4138e8226866236cf34f8fb00dafb0954d97
SHA256 db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00
SHA512 6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\processwork.dll

MD5 0a4fa7a9ba969a805eb0603c7cfe3378
SHA1 0f018a8d5b42c6ce8bf34b4a6422861c327af88c
SHA256 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
SHA512 e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

memory/2776-14-0x0000000001D70000-0x0000000001DB1000-memory.dmp

\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\BrandingURL.dll

MD5 71c46b663baa92ad941388d082af97e7
SHA1 5a9fcce065366a526d75cc5ded9aade7cadd6421
SHA256 bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e
SHA512 5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

C:\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\ioSpecial.ini

MD5 c215db19893fc8294f65dc3023b801ee
SHA1 805e3ba32d9d395972469352aa94e300f04593ab
SHA256 b8e3b3d7fd646749d14ff852957b05299a6f2f2227946d53d7a2f1f3533eae6c
SHA512 f94c72313889c615e4097c9b48c9183d2880a63f4f2621a02252beaa281ed17716104d27e9ed2e7c9955ab59a115aff5d0000d6e1b74738d711970b9d5241836

\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\InstallOptions.dll

MD5 0dc0cc7a6d9db685bf05a7e5f3ea4781
SHA1 5d8b6268eeec9d8d904bc9d988a4b588b392213f
SHA256 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
SHA512 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

C:\Users\Admin\AppData\Local\Temp\nstDA2A.tmp\ioSpecial.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 agent.sj.qq.com udp

Files

memory/2340-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 3700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3552 wrote to memory of 3700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3552 wrote to memory of 3700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20241010-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:55

Platform

win7-20241023-en

Max time kernel

118s

Max time network

139s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ContextBG\ = "{6C125022-639D-43cc-9F3D-647E6CC69EF1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\ = "ContextBG" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\ContextBG C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ContextBG C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ContextBG.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ContextBG\ = "{6C125022-639D-43cc-9F3D-647E6CC69EF1}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 1752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 1752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 1752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 1752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 1752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 1752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 1752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDMp3ToWav.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 1824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4292 wrote to memory of 1824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4292 wrote to memory of 1824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrandingURL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1824 -ip 1824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20241010-en

Max time kernel

10s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 228

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"

C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp" /SL5="$70112,317431,67072,C:\Users\Admin\AppData\Local\Temp\$TEMP\SU_lk78_setup_lg0597.exe"

Network

Country Destination Domain Proto

Files

memory/4192-2-0x0000000000401000-0x000000000040C000-memory.dmp

memory/4192-0-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-K1PI3.tmp\SU_lk78_setup_lg0597.tmp

MD5 d46e2d82589924a5dd132be8b5af79e6
SHA1 cfd7c1adaf4653342c27fa536d257fffb6cfa531
SHA256 6e35b0aa3c98d70737da7d4bb4ac8e798980c32ec1cd1162684b39b691770235
SHA512 944cc9b3b32b12db6564f0588ee3ed4c77110fe1f8bc2018733b34a71a3bc3b6771bfbe7a8805454aeb5e9de1e15941465675fad5517d80f14ad9fa461c67f59

memory/1964-7-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/4192-12-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1964-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240708-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 244

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 5048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4424 wrote to memory of 5048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4424 wrote to memory of 5048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240903-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe

"C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 client.haozhuodao.com udp

Files

memory/1708-0-0x000000006FFF0000-0x0000000070000000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\ = "ContextBG" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ContextBG.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\ContextBG C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\ContextBG C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\ContextBG\ = "{6C125022-639D-43cc-9F3D-647E6CC69EF1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C125022-639D-43cc-9F3D-647E6CC69EF1}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ContextBG\ = "{6C125022-639D-43cc-9F3D-647E6CC69EF1}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 3152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3500 wrote to memory of 3152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3500 wrote to memory of 3152 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ContextBG.dll

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20241010-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HZDApp.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\ = "{020F31A0-4478-41D0-90BF-4BBC7CE63889}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\ = "HZDApp.Application" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ = "HZDApp.Application" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\CLSID\ = "{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ProgID C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HZDApp.exe" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1} C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\ProgID\ = "HZDApp.Application" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HZDApp.exe" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ = "IHZDApp" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889} C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5C5E32E1-1E09-4396-B833-A6F5051A1FF1}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HZDApp.Application\CLSID C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\ = "HZDApp" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{020F31A0-4478-41D0-90BF-4BBC7CE63889}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335} C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\ = "IHZDApp" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\ = "{020F31A0-4478-41D0-90BF-4BBC7CE63889}" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BBD8C31-B90C-4C40-981C-23AC1B7A2335} C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HZDApp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HZDApp.exe

"C:\Users\Admin\AppData\Local\Temp\HZDApp.exe"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe

"C:\Users\Admin\AppData\Local\Temp\HZDHelper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 client.haozhuodao.com udp

Files

memory/2572-0-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/2572-2-0x0000000077740000-0x0000000077758000-memory.dmp

memory/2572-1-0x0000000076210000-0x00000000763B0000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 3584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 3584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4316 wrote to memory of 3584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HZDKernel.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\990ac8ae972de14c20c8e5ae1ccf66de_JaffaCakes118.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\GetVersion.dll

MD5 2e2412281a205ed8d53aafb3ef770a2d
SHA1 3cae4138e8226866236cf34f8fb00dafb0954d97
SHA256 db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00
SHA512 6d57249b7e02e1dfed2e297ec35fb375ecf3abc893d68694f4fa5f2e82ec68c129af9cc5ce3dd4025147309c0832a2847b69334138f3d29c5572ff4e1b16f219

C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\processwork.dll

MD5 0a4fa7a9ba969a805eb0603c7cfe3378
SHA1 0f018a8d5b42c6ce8bf34b4a6422861c327af88c
SHA256 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
SHA512 e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

memory/5052-15-0x0000000002F40000-0x0000000002F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\BrandingURL.dll

MD5 71c46b663baa92ad941388d082af97e7
SHA1 5a9fcce065366a526d75cc5ded9aade7cadd6421
SHA256 bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e
SHA512 5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\InstallOptions.dll

MD5 0dc0cc7a6d9db685bf05a7e5f3ea4781
SHA1 5d8b6268eeec9d8d904bc9d988a4b588b392213f
SHA256 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
SHA512 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

C:\Users\Admin\AppData\Local\Temp\nshBDF2.tmp\ioSpecial.ini

MD5 6f538a75101725af75ad61f62fcf2718
SHA1 eefc60a4cf97af4e059dc2664226788ef28061b3
SHA256 c1f33a60863659ccf7f4e1d35eae66bb909c08196de114ffadec248d05192a2a
SHA512 b590fc4f0b5a239ce96267785a2345353a8f2e81b0479e9459c5d04bb6d45124cd4ae7bf64581fb39eae8d16a4848d4b8cfe7a84c4dcf9530f5c6288c048e2e2

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:55

Platform

win7-20241023-en

Max time kernel

122s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240729-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\processwork.dll,#1

Network

N/A

Files

memory/2236-0-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]"

Signatures

A potential corporate email address has been identified in the URL: [email protected]

phishing

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected] N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]

"C:\Users\Admin\AppData\Local\Temp\$TEMP\[email protected]"

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.ppstream.com udp
SG 118.26.120.3:80 download.ppstream.com tcp

Files

memory/2380-0-0x0000000000400000-0x00000000004AB000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsdA0D3.tmp\System.dll

MD5 1a5dfca378b7d0de2dc21bf60ef7b534
SHA1 c6e1e94abce3c2373cad77f630b71bae5aeb0a9a
SHA256 4494ba34a963a2f4ac859b3d1c79c097b2a6b95f2bca593621d133d03b71dea8
SHA512 8705e06cfc0a85f7246b84b08f1f45f2303f039e9bae15cecb7624ff48a3675d63c8ce50c60f90908a1302a0aebd126926df1f5b1c0f57025f3174cf7b27b380

\Users\Admin\AppData\Local\Temp\nsdA0D3.tmp\NSISdl.dll

MD5 4fc6b7461244321c95e9eb649f509310
SHA1 57ba87f732ecfd0be9508683f2c59a343fdd9cad
SHA256 9313cf0a9056c7c83aa139cb8944e38e9a6458e42a7d9bb123443c471835fb09
SHA512 ce627dc84d9d46fcc2d2a13fd647dd1bf1812c89c1e0a2d81f4c93080c40db3f88e3aa7bc8175452bb89677278ec0a685616c1669ff9f1fdca45f489ece256bc

memory/2380-20-0x0000000000400000-0x00000000004AB000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 376 wrote to memory of 224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 376 wrote to memory of 224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 376 wrote to memory of 224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 224 -ip 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 640

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\IFoxInstall_4.0.0.51-c206780001-nsi-s-x.exe"

Network

Country Destination Domain Proto

Files

memory/2380-0-0x0000000000B00000-0x0000000000B01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IFoxInfo.ini

MD5 03e8f1df88918d932be4a3f59e4e63aa
SHA1 868a4c97541b78b36253d758476ac92bf129b89f
SHA256 20e63fafb19c0593e1103d1f7bd844eaa3441bd7d336ebd9f6198a4d9f34eb1e
SHA512 3dc385c3cd6c437d7aaedf9f6bcb02307bd71b19fd739e41d583aa7fe3b35f3560836c72728877b47490b1a7e415b1bd5a5b58a675f4a169150221d9fd473873

memory/2380-6-0x0000000000B00000-0x0000000000B01000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\QQPhoneManagerWeb_710061.1028.exe"

Network

Country Destination Domain Proto

Files

memory/1088-0-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2084 -ip 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 612

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-25 03:51

Reported

2024-11-25 03:54

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 3080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 3080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 3080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3080 -ip 3080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 612

Network

Country Destination Domain Proto

Files

N/A