Analysis Overview
SHA256
bdd04fcdbac5e8df6aca7e74040103317ff268a11193f94b1be7fd9c87622d60
Threat Level: Known bad
The file a44a78759af5b0c48feca4412b21d018.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:20
Reported
2024-01-07 19:23
Platform
win7-20231215-en
Max time kernel
1s
Max time network
121s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2456 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | C:\Users\Admin\Admin.exe |
| PID 2456 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | C:\Users\Admin\Admin.exe |
| PID 2456 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | C:\Users\Admin\Admin.exe |
| PID 2456 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe
"C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | all-internal.info | udp |
Files
memory/2456-0-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2208-13-0x0000000000400000-0x0000000000415000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:20
Reported
2024-01-07 19:23
Platform
win10v2004-20231222-en
Max time kernel
130s
Max time network
155s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4944 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | C:\Users\Admin\Admin.exe |
| PID 4944 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | C:\Users\Admin\Admin.exe |
| PID 4944 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe
"C:\Users\Admin\AppData\Local\Temp\a44a78759af5b0c48feca4412b21d018.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | all-internal.info | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/4944-0-0x0000000000400000-0x0000000000415000-memory.dmp
C:\Users\Admin\Admin.exe
| Hash | Value |
|---|---|
| MD5 | 25bddff425095b5b63ad5df50ef8e2d1 |
| SHA1 | 2e8f60a0e6938187545d915c5d1ba0bc38b74c48 |
| SHA256 | 27835c742a967efb20b632df59fadf2ed706d58eacbf123d41335ed5fbd42e68 |
| SHA512 | e102b6b1b630d387487556646aae0738f0bc83fb4b799ddb1624fd38b93b68a8f69921e70689cfc15bd2e8df2da923355d5ab0e152a5c577fa83f27f6511a401 |
memory/2868-33-0x0000000000400000-0x0000000000415000-memory.dmp