Analysis Overview
SHA256
2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39
Threat Level: Shows suspicious behavior
Verdict for 2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39: shows suspicious behavior (no family attribution; the signatures below are the basis for the verdict).
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Deletes itself
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 01:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 01:09
Reported
2024-03-02 01:10
Platform
win7-20240221-en
Max time kernel
16s
Max time network
20s
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
"C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 10
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
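The process tree above shows two things worth a detection rule: a forced shutdown (`shutdown.exe /s /t 10`) and the classic ping-as-sleep self-deletion idiom, where `cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "<own path>"` waits about three seconds for the parent to exit and then removes the original binary. The Python below is an added example, not part of this report or any sandbox's code; it scans a list of command lines (the behavioral1 lines copied from this page plus two constructed benign lines), links the deleted path back to an image seen in the same tree so that self-deletion is separated from an ordinary delayed delete, and also recognises `timeout` as the delay, which is a generalisation of the pattern and not something this sample used.

```python
"""Flag ping/timeout-delayed self-deletion and forced shutdown in a set of
process command lines (sandbox process tree, Sysmon EID 1, EDR telemetry)."""
import re
from dataclasses import dataclass

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe")

# Constructed input: the behavioral1 process tree from this page, followed by
# two benign lines (not from the report) to show the rules stay quiet on them.
SAMPLE_COMMAND_LINES = [
    '"' + SAMPLE_EXE + '"',
    r'"C:\Windows\System32\shutdown.exe" /s /t 10',
    r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "' + SAMPLE_EXE + '"',
    r"ping 1.1.1.1 -n 1 -w 3000",
    r'"LogonUI.exe" /flags:0x0',
    r"ping 8.8.8.8 -n 4",                                                   # benign, constructed
    r'"C:\Windows\System32\cmd.exe" /C del "C:\Users\Admin\AppData\Local\Temp\tmp1.log"',  # benign, constructed
]

# cmd.exe /C <delay> & del [/flags] "<path>"
# <delay> is ping (the idiom on this page) or timeout (assumed equivalent, not from the report).
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+"?'
    r'(?P<delay>ping|timeout)\b[^&]*'
    r'&+\s*(?:del|erase)\b\s+(?:/\w+\s+)*'
    r'"?(?P<path>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
SHUTDOWN_RE = re.compile(r'shutdown(?:\.exe)?"?\s+(?P<args>.*)$', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    command: str
    detail: str


def _image_paths(cmdlines):
    """First token of each command line, quotes stripped, lower-cased."""
    paths = set()
    for c in cmdlines:
        c = c.strip()
        if c.startswith('"'):
            end = c.find('"', 1)
            tok = c[1:end] if end > 0 else c[1:]
        else:
            parts = c.split()
            tok = parts[0] if parts else ""
        paths.add(tok.lower())
    return paths


def scan(cmdlines):
    """Return findings in input order; a delete is 'self_delete' only when the
    target path is an image that launched a process in the same tree."""
    images = _image_paths(cmdlines)
    findings = []
    for c in cmdlines:
        m = SELF_DELETE_RE.search(c)
        if m:
            target = m.group("path").strip()
            rule = "self_delete" if target.lower() in images else "delayed_delete"
            findings.append(Finding(rule, c, f"delay={m.group('delay').lower()} target={target}"))
            continue
        m = SHUTDOWN_RE.search(c)
        if m:
            args = m.group("args").lower().split()
            if "/s" in args or "/r" in args:
                action = "shutdown" if "/s" in args else "reboot"
                delay = "default"
                if "/t" in args and args.index("/t") + 1 < len(args):
                    delay = args[args.index("/t") + 1]
                findings.append(Finding("forced_shutdown", c, f"action={action} delay={delay}s"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f.rule, "|", f.detail)
```

On this sample the two rules fire exactly once each: the shutdown with a 10 second timer, and the self-delete of the dropped executable; the plain `ping` child and the constructed `del` of a log file produce nothing. Note that behavioral2 (the Windows 10 run) shows only the sample process itself, so this chain was observed on the Windows 7 run only.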
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
Files
memory/2032-0-0x0000000000D00000-0x0000000000D98000-memory.dmp
memory/2032-1-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp
memory/2032-2-0x0000000000C70000-0x0000000000CF0000-memory.dmp
memory/2032-6-0x000000001BBE0000-0x000000001BD20000-memory.dmp
memory/2032-8-0x0000000000C70000-0x0000000000CF0000-memory.dmp
memory/2032-9-0x0000000000C70000-0x0000000000CF0000-memory.dmp
memory/2032-10-0x0000000000A30000-0x0000000000A36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1710731C.dll
| MD5 | 5991b35b8d42d8c3ad6437c981d08151 |
| SHA1 | bebe225bf296bda4e7f5e1f98995311bb49a8381 |
| SHA256 | a73e34d7fdf69e8e7f3ba45e8801ebd5d00ae008a68c8a20ab753c9e1ee88513 |
| SHA512 | 10a83a6545821a074766b3d2849169bd053e86d5c6dc702de7b9cba8d4545469d22e7634ffbcb9669daec8156c32f65d984f6ecb765de93ca116188927beb87c |
memory/2032-12-0x0000000000A10000-0x0000000000A16000-memory.dmp
memory/2032-13-0x00000000022D0000-0x00000000022EA000-memory.dmp
memory/2032-14-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp
memory/2564-15-0x0000000002B80000-0x0000000002B81000-memory.dmp
memory/2996-16-0x00000000026E0000-0x00000000026E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 01:09
Reported
2024-03-02 01:12
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe
"C:\Users\Admin\AppData\Local\Temp\2c0551904aa8a19d6c2e6058b6dba86f9a6638c452887ff19e01abe907afba39.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
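Most of the behavioral2 Network table is sandbox background: reverse (PTR) lookups and Bing traffic that Windows 10 generates on its own. The only contact a practitioner can attribute to the sample is keyauth.win (DNS, then TCP 443 to 104.26.0.5), and the PTR query for 5.0.26.104.in-addr.arpa is the reverse lookup of that same address. The Python below is an added example, not code from the report or the sandbox vendor; it takes the table rows as constructed input, separates PTR lookups from forward lookups, correlates each PTR with the addresses actually contacted, and applies a background allowlist. bing.com appears on this page; the other allowlisted suffixes are assumed analyst choices.

```python
"""Triage a sandbox Network table: drop background noise, correlate PTR
lookups with contacted addresses, keep sample-attributable contacts."""

# Constructed input: the behavioral2 Network rows from this page as
# (destination, domain, proto); the Country column carries no extra signal here.
NETWORK_ROWS = [
    ("8.8.8.8:53", "75.159.190.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "g.bing.com", "udp"),
    ("204.79.197.200:443", "g.bing.com", "tcp"),
    ("8.8.8.8:53", "keyauth.win", "udp"),
    ("104.26.0.5:443", "keyauth.win", "tcp"),
    ("8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "57.169.31.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "5.0.26.104.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "41.110.16.96.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "217.135.221.88.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "180.178.17.96.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "194.178.17.96.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "48.229.111.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "210.143.182.52.in-addr.arpa", "udp"),
]

# Assumption: analyst-maintained allowlist of domains the sandbox OS itself
# contacts. bing.com is on this page; the others are illustrative.
BACKGROUND_SUFFIXES = ("bing.com", "microsoft.com", "windowsupdate.com", "msftconnecttest.com")
RESOLVER = "8.8.8.8:53"  # the sandbox resolver, as shown in the table


def split_dest(dest):
    """'104.26.0.5:443' -> ('104.26.0.5', 443)."""
    ip, _, port = dest.rpartition(":")
    return ip, int(port)


def ptr_to_ip(name):
    """'5.0.26.104.in-addr.arpa' -> '104.26.0.5'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def is_background(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage(rows):
    """Bucket rows into background, PTR lookups (split by whether the reversed
    address was itself contacted), and sample-attributable contacts."""
    contacted = set()  # addresses reached directly (every non-resolver destination)
    for dest, _domain, _proto in rows:
        if dest != RESOLVER:
            contacted.add(split_dest(dest)[0])
    result = {"background": [], "ptr_matching_contact": [], "ptr_other": [], "attributable": []}
    for dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            key = "ptr_matching_contact" if ip in contacted else "ptr_other"
            result[key].append((domain, ip))
        elif is_background(domain):
            result["background"].append((domain, dest, proto))
        else:
            result["attributable"].append((domain, dest, proto))
    return result


if __name__ == "__main__":
    r = triage(NETWORK_ROWS)
    print("attributable:", r["attributable"])
    print("PTR of a contacted address:", r["ptr_matching_contact"])
    print("other PTR lookups:", len(r["ptr_other"]), "background rows:", len(r["background"]))
```

Run against the table above this leaves keyauth.win as the single attributable contact and pairs the 5.0.26.104 PTR with the 104.26.0.5:443 connection; the other twelve PTR queries do not correspond to any destination the sample reached. A PTR lookup whose address was never contacted is usually the OS resolving addresses it spoke to before the detonation started, so they are low value for attribution.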
Files
memory/2404-0-0x0000021BE14C0000-0x0000021BE1558000-memory.dmp
memory/2404-3-0x00007FFAAFEC0000-0x00007FFAB0981000-memory.dmp
memory/2404-4-0x0000021BFBA10000-0x0000021BFBA20000-memory.dmp
memory/2404-6-0x0000021BFBC60000-0x0000021BFBDA0000-memory.dmp
memory/2404-8-0x0000021BE1930000-0x0000021BE1931000-memory.dmp
memory/2404-9-0x0000021BE1930000-0x0000021BE1931000-memory.dmp
memory/2404-10-0x0000021BE1930000-0x0000021BE1936000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1710731C.dll
| MD5 | 5991b35b8d42d8c3ad6437c981d08151 |
| SHA1 | bebe225bf296bda4e7f5e1f98995311bb49a8381 |
| SHA256 | a73e34d7fdf69e8e7f3ba45e8801ebd5d00ae008a68c8a20ab753c9e1ee88513 |
| SHA512 | 10a83a6545821a074766b3d2849169bd053e86d5c6dc702de7b9cba8d4545469d22e7634ffbcb9669daec8156c32f65d984f6ecb765de93ca116188927beb87c |
memory/2404-12-0x0000021BE1910000-0x0000021BE1916000-memory.dmp
memory/2404-13-0x0000021BE19A0000-0x0000021BE19BA000-memory.dmp
memory/2404-14-0x0000021BFBB70000-0x0000021BFBB82000-memory.dmp
memory/2404-15-0x0000021BFBBD0000-0x0000021BFBC0C000-memory.dmp
memory/2404-16-0x0000021BFBA10000-0x0000021BFBA20000-memory.dmp
memory/2404-17-0x0000021BFBA10000-0x0000021BFBA20000-memory.dmp
memory/2404-18-0x00007FFAAFEC0000-0x00007FFAB0981000-memory.dmp
memory/2404-19-0x0000021BFBA10000-0x0000021BFBA20000-memory.dmp
memory/2404-20-0x0000021BE1930000-0x0000021BE1931000-memory.dmp
memory/2404-21-0x0000021BFBA10000-0x0000021BFBA20000-memory.dmp
memory/2404-22-0x0000021BFBA10000-0x0000021BFBA20000-memory.dmp