Analysis Overview
SHA256
af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
Threat Level: Known bad
The file af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e was found to be: Known bad.
Malicious Activity Summary
SystemBC
Executes dropped EXE
Checks computer location settings
Drops startup file
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-20 06:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-20 06:52
Reported
2023-04-20 06:54
Platform
win10v2004-20230220-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
SystemBC
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | N/A |
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3148 set thread context of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
"C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"
C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp" /SL5="$8003E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"
C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
"C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe" /verysilent /sp-
C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp" /SL5="$9003E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe" /verysilent /sp-
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\.cmd""
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 5.45.73.25:4246 | N/A | tcp |
| US | 8.8.8.8:53 | 25.73.45.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 20.42.65.85:443 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| NL | 173.223.113.131:80 | N/A | tcp |
Files
memory/2704-133-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
| MD5 | 52b26165c6e3716fb6a13f90199b8945 |
| SHA1 | af0276a652e8ee18b2275d1182305c78275852bb |
| SHA256 | 9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc |
| SHA512 | 38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6 |
memory/1772-143-0x0000000002560000-0x0000000002561000-memory.dmp
memory/4636-146-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1772-148-0x0000000000400000-0x0000000000582000-memory.dmp
memory/2704-149-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
| MD5 | 52b26165c6e3716fb6a13f90199b8945 |
| SHA1 | af0276a652e8ee18b2275d1182305c78275852bb |
| SHA256 | 9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc |
| SHA512 | 38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6 |
C:\Users\Admin\AppData\Local\Temp\is-K21N9.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/736-158-0x0000000000730000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
| MD5 | 1fe7083d76e76df3f3d571beb38669fb |
| SHA1 | dfd0b4769a35ec89b1e3a67f619d9e0437c7f022 |
| SHA256 | 3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87 |
| SHA512 | a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70 |
memory/736-170-0x0000000000400000-0x0000000000582000-memory.dmp
memory/4636-171-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.cmd
| MD5 | 4af21e3fc07cc9c73f4c50e7901c8c77 |
| SHA1 | 94c18702bf325aaa2d9c90305d2fe153a9503062 |
| SHA256 | bc5610e5d7384956a9b479ac767ef072daf46c92d952a6cf1db6fa2f31eae6d3 |
| SHA512 | 400bbde81b3e4fe9a3e92e07d34113982aefeeb7867c2c229f585ff02148924fe15fcefa6330992436540620b06702da4ae6192b92997e40d5003a4a99439e8c |
memory/3148-173-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
memory/3148-174-0x0000000000F10000-0x0000000000F11000-memory.dmp
memory/3148-175-0x0000000000F30000-0x0000000000F31000-memory.dmp
memory/3148-176-0x0000000002B00000-0x0000000002B01000-memory.dmp
memory/3148-177-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/3148-178-0x0000000002B20000-0x0000000002B21000-memory.dmp
memory/3148-179-0x0000000002B30000-0x0000000002B31000-memory.dmp
memory/3148-180-0x0000000000400000-0x0000000000D54000-memory.dmp
memory/3400-184-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3400-187-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3400-188-0x0000000000400000-0x0000000000406000-memory.dmp