Analysis Overview
SHA256
040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
Threat Level: Known bad
The file cd48383befb4dce49fb855d64f500ca1.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Downloads MZ/PE file
Deletes itself
Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-16 18:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-16 18:10
Reported
2022-11-16 18:12
Platform
win7-20220812-en
Max time kernel
140s
Max time network
91s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
The deletion is the cmd.exe chain in the process list below: chcp 65001 switches the console to UTF-8, ping 127.0.0.1 serves as a short delay so the sample has exited and its file is no longer in use, then DEL removes the original executable from Temp.
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe
"C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
"C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | w8khzw03nc.xzxueyg2t | udp |
Files
memory/1660-54-0x0000000002010000-0x00000000024F7000-memory.dmp
memory/1660-55-0x0000000002010000-0x00000000024F7000-memory.dmp
memory/1660-56-0x00000000003E0000-0x00000000004D6000-memory.dmp
memory/1660-57-0x00000000003E0000-0x00000000004D6000-memory.dmp
memory/1660-58-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
memory/1660-59-0x0000000002010000-0x00000000024F7000-memory.dmp
memory/1660-60-0x00000000003E0000-0x00000000004D6000-memory.dmp
memory/536-61-0x0000000000000000-mapping.dmp
\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
| MD5 | 881fe614a1d4306c82791cd4fda48a2d |
| SHA1 | 5e62e63710d38046d36ff3ae6b77f8f3ab8752fd |
| SHA256 | 271d164c315ef9ec879c1d2eee908ce4b2097c054f3833c1b9e9e28d9190c0ca |
| SHA512 | bf56eefe837b7494705542b08c46dc4e3c752fac68684a00976d096f0d8edbdb87147bfd81e9a94fa0644a041c35a31b02cbc465aba454c79c866e4cd6e6e239 |
memory/1524-64-0x0000000000000000-mapping.dmp
\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
| MD5 | eee17aab91c14e549cb82ef52cd7526d |
| SHA1 | c6680ca62a5c1c9661703513f0eceed6f9af0be5 |
| SHA256 | 23929e82afa41d2827a3a26f43dc9c2d28fb3b1d2531423a3e737ac511990af6 |
| SHA512 | cf13bf0eb85ba0eb7564fb5d898c092f05ddc7780ea6f4af532fa3ebdd97afc8938a3fe48b57f5030ad5c796de24b8fdda333ff361ab6748fb4e1e811d7f54ae |
C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
| MD5 | 00d4784a97e31747292709dbacbbc45f |
| SHA1 | 451cfa56a5fc08617a5605cc2d42fdea3af190f1 |
| SHA256 | b5d29edcf7198ad654e07e426a050afa8ae0b1b09b7fc2cf1a18535ac1696afa |
| SHA512 | 76c21f729c0e0c407f8231e9d0a4e57acfd63dc70c573f4c8d4b3cd97340a7589fae2b30bae3f4156db93f004ff81eb3ce0720000d168e70ca4abc4b03668c54 |
memory/364-66-0x0000000000000000-mapping.dmp
memory/1524-67-0x00000000024E0000-0x00000000029C7000-memory.dmp
memory/1660-68-0x00000000003E0000-0x00000000004D6000-memory.dmp
memory/332-69-0x0000000000000000-mapping.dmp
memory/548-70-0x0000000000000000-mapping.dmp
memory/1524-71-0x00000000024E0000-0x00000000029C7000-memory.dmp
memory/1524-72-0x0000000000500000-0x00000000005F6000-memory.dmp
memory/1524-74-0x0000000000500000-0x00000000005F6000-memory.dmp
memory/1524-75-0x00000000024E0000-0x00000000029C7000-memory.dmp
memory/1524-76-0x0000000000500000-0x00000000005F6000-memory.dmp
memory/1524-77-0x0000000000F00000-0x0000000000F4B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-16 18:10
Reported
2022-11-16 18:12
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4236 created 2548 | N/A | C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe | C:\Windows\system32\taskhostw.exe |
This signature fires when a process creates a child whose recorded parent is a different process. Here the dropped executable (PID 4236) supplied taskhostw.exe as the parent, so the child's parent/child link in process telemetry is spoofed and will not point back at the dropper; only the NtCreateUserProcess call itself reveals the real creator.
SystemBC
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4236 set thread context of 4660 | N/A | C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
The dropper starts a legitimate .NET binary (ngentask.exe, PID 4660) and rewrites its main thread's context; together with the WriteProcessMemory signature below this is the process-hollowing pattern, and the memory dump for PID 4660 at 0x400000-0x407000 is the first place to look for the injected code.
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB | C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = (certificate blob not reproduced here) | C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe | N/A |
A new entry under AuthRoot\Certificates written by a non-system process is also what CryptoAPI's automatic root update produces the first time a process validates a TLS chain whose root is not yet cached, so this signature is weak evidence on its own; check the thumbprint B7AB3308D1EA4477BA1480125A6FBDA936490CBB against the Microsoft trusted root program list before treating it as a planted root.
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe
"C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
"C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
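The two process lists above (behavioral1 and behavioral2) show the same chain: the sample registers a scheduled task named COMSurrogate (the display name Task Manager gives the legitimate dllhost.exe) that runs the dropped executable at every logon with highest privileges, then removes the original file through cmd.exe; the Windows 10 run adds parent-process spoofing via taskhostw.exe, thread-context manipulation of ngentask.exe and a dropped svchost.exe in Temp. The script below is an added example, not the sandbox's own signature logic: it runs four process-tree checks over telemetry constructed from those command lines. PIDs and parent links are assumed, including the assumption that the taskhostw.exe-parented process is the Temp\svchost.exe, which the report does not state; the SetThreadContext/WriteProcessMemory injection needs API-level telemetry and is not detectable from process-creation events alone.

```python
"""Triage a sandbox process tree for the behaviours this report lists.

Added example, not sandbox vendor code. Events are constructed from the
behavioral1/behavioral2 process lists; PIDs and parent links are assumed,
including that the taskhostw.exe parent-spoofing event produced Temp\\svchost.exe.
"""
import re
from collections import namedtuple
from typing import Iterator, Optional

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # image = full path as logged
Finding = namedtuple("Finding", "rule pid detail")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
SYSTEM_NAMES = {"svchost.exe", "taskhostw.exe", "dllhost.exe", "csrss.exe", "lsass.exe"}
HOST_PARENTS = {"taskhostw.exe", "svchost.exe", "services.exe"}  # should never parent user-profile binaries
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')

def split_args(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted spans (paths with spaces) whole."""
    return [q if q else u for q, u in _ARG_RE.findall(cmdline)]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)

def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Return the /tn, /tr, /sc and /rl values of a `schtasks /create` command line, else None."""
    args = split_args(cmdline)
    if "/create" not in (a.lower() for a in args):
        return None
    return {a[1:].lower(): args[i + 1] for i, a in enumerate(args[:-1])
            if a.lower() in ("/tn", "/tr", "/sc", "/rl")}

def delete_target(cmdline: str) -> Optional[str]:
    """Return the first path given to DEL/ERASE in a cmd.exe command line, else None."""
    args = split_args(cmdline)
    idx = [i for i, a in enumerate(args) if a.lower() in ("del", "erase")]
    rest = [a for a in args[idx[0] + 1:] if not a.startswith("/") and a != "&&"] if idx else []
    return rest[0] if rest else None

def ancestors(e: ProcEvent, by_pid: dict) -> Iterator[ProcEvent]:
    seen = {e.pid}  # guard against PID-reuse loops in the recorded tree
    while e.ppid in by_pid and e.ppid not in seen:
        e = by_pid[e.ppid]
        seen.add(e.pid)
        yield e

def triage(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name, parent = basename(e.image), by_pid.get(e.ppid)
        # Persistence: scheduled task whose action lives in a user-writable path.
        if name == "schtasks.exe":
            opts = parse_schtasks_create(e.cmdline)
            if opts and in_user_writable(opts.get("tr", "")):
                findings.append(Finding("schtasks-persistence", e.pid,
                    f"{opts.get('tn')} -> {opts['tr']} (sc={opts.get('sc')}, rl={opts.get('rl')})"))
        # Self-deletion: cmd.exe deleting the image of one of its ancestors; ping is the delay.
        if name == "cmd.exe":
            target = delete_target(e.cmdline)
            for anc in ancestors(e, by_pid):
                if target and target.lower() == anc.image.lower():
                    delay = " after ping delay" if "ping" in e.cmdline.lower() else ""
                    findings.append(Finding("self-delete", e.pid, f"deletes image of pid {anc.pid}{delay}"))
        # Masquerading: a Windows binary name outside the system directories.
        if name in SYSTEM_NAMES and not e.image.lower().startswith(SYSTEM_DIRS):
            findings.append(Finding("masquerade", e.pid, e.image))
        # Parent anomaly: a system host recorded as parent of a user-profile executable,
        # which is how parent-process spoofing shows up in process-creation telemetry.
        if (parent and basename(parent.image) in HOST_PARENTS
                and parent.image.lower().startswith(SYSTEM_DIRS) and in_user_writable(e.image)):
            findings.append(Finding("suspicious-parent", e.pid, f"{basename(parent.image)} -> {e.image}"))
    return findings

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
DROPPED = r"C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
EVENTS = [  # constructed telemetry: command lines from the report, PIDs/parents assumed
    ProcEvent(2548, 900, r"C:\Windows\system32\taskhostw.exe", "taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}"),
    ProcEvent(4900, 3000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1168, 4900, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"C:\\Windows\\system32\\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "{DROPPED}"'),
    ProcEvent(4236, 4900, DROPPED, f'"{DROPPED}"'),
    ProcEvent(4208, 4236, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "{SAMPLE}"'),
    ProcEvent(2636, 4208, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(4660, 4236, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"'),
    ProcEvent(2156, 2548, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
]

if __name__ == "__main__":
    print(*triage(EVENTS), sep="\n")
```

The self-delete check walks the whole ancestor chain rather than only the direct parent because the report does not say whether the original sample or the dropped copy spawned cmd.exe; either way the deleted path is an ancestor's image. The schtasks parser keeps quoted arguments intact, which matters here since the persisted path contains spaces and a naive whitespace split would truncate it.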
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | w8khzw03nc.xzxueyg2t | udp |
| N/A | 52.168.117.169:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 13.107.4.50:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | w8khzw03nc.xzxueyg2t | udp |
| N/A | 8.8.8.8:53 | www.imarket-eg.com | udp |
| N/A | 160.153.50.70:443 | www.imarket-eg.com | tcp |
w8khzw03nc.xzxueyg2t is not a resolvable name (xzxueyg2t is not a top-level domain); a query for a random non-existent name is a common probe for a sandbox resolver that answers everything, and the same query appears in behavioral1. The TCP connections with no recorded domain are not attributed by the report and should not be read as C2 on this evidence alone; www.imarket-eg.com (160.153.50.70:443) is the only named HTTPS destination.
Files
memory/4900-132-0x00000000031EB000-0x00000000036D2000-memory.dmp
memory/4900-133-0x0000000003093000-0x0000000003189000-memory.dmp
memory/4900-134-0x00000000031EB000-0x00000000036D2000-memory.dmp
memory/4900-135-0x0000000003093000-0x0000000003189000-memory.dmp
memory/1168-136-0x0000000000000000-mapping.dmp
memory/4236-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
| MD5 | 87f8d18b597845376f06754a6cebf08b |
| SHA1 | 2585ce8d6f20de0da137f8cb87c47a547f6de4f3 |
| SHA256 | 7d8b26b5e0b54b824fbaee47222ec1401b8de4a757e3b6533fd6ca33fd023b4f |
| SHA512 | 4089986fddcd7da6560a1028c3e77d16e26ec6191aae70467c0fafeffbc2d2999f3b48f0bdba0bfbe12f9730511efedcb33ff244c921a2cd7452eef162591292 |
C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
| MD5 | 87f8d18b597845376f06754a6cebf08b |
| SHA1 | 2585ce8d6f20de0da137f8cb87c47a547f6de4f3 |
| SHA256 | 7d8b26b5e0b54b824fbaee47222ec1401b8de4a757e3b6533fd6ca33fd023b4f |
| SHA512 | 4089986fddcd7da6560a1028c3e77d16e26ec6191aae70467c0fafeffbc2d2999f3b48f0bdba0bfbe12f9730511efedcb33ff244c921a2cd7452eef162591292 |
memory/4208-140-0x0000000000000000-mapping.dmp
memory/4900-141-0x0000000003093000-0x0000000003189000-memory.dmp
memory/5048-142-0x0000000000000000-mapping.dmp
memory/2636-143-0x0000000000000000-mapping.dmp
memory/4236-144-0x0000000002B3B000-0x0000000003022000-memory.dmp
memory/4236-145-0x0000000002B3B000-0x0000000003022000-memory.dmp
memory/4236-146-0x000000000303A000-0x0000000003130000-memory.dmp
memory/4236-147-0x000000000303A000-0x0000000003130000-memory.dmp
memory/4236-148-0x0000000001150000-0x000000000119B000-memory.dmp
memory/4236-149-0x0000000001150000-0x000000000119B000-memory.dmp
memory/4660-150-0x0000000000000000-mapping.dmp
memory/4660-151-0x0000000000400000-0x0000000000407000-memory.dmp
memory/4660-153-0x0000000000400000-0x0000000000407000-memory.dmp
memory/4660-155-0x0000000000400000-0x0000000000407000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\advapi32.dll
| MD5 | 4880886732471a6abbb919b2d9c94e03 |
| SHA1 | 78d331eeff674b95bf5d9756a0da7c60b0dee7b4 |
| SHA256 | c1f5411008304f15bcc5fa281bd9ee8eae70948f2a58db190290adaf259dcee0 |
| SHA512 | b755b402d051d6ff777249ba5eb4754eeeb2a2c47baeb1d69dac3b7e67e88aa5ef83027a41fbfaf7e170cb2ec0f15065d8bb529f989fb15319d4c143b4900432 |
memory/2156-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | e716ffae131666d5e0e77e5d479b1e37 |
| SHA1 | 42fea83d3a19beecb25d2c5bd46e547bb4a09319 |
| SHA256 | 32684b073e05d41b49611a2d49f25d4d53ca8182d5de134bc7a4924158bc577b |
| SHA512 | c559c52b40c5b593e0687d05c9ed54229b0eb62a517940caaecc6d09aa4d21bdc129552cfcd31509e4f5c35be069ee617457ce047460cc6a23270499ca14f75c |
memory/2156-159-0x0000000002800000-0x0000000002DCB000-memory.dmp
memory/4236-160-0x000000000303A000-0x0000000003130000-memory.dmp