Analysis Overview
SHA256
2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae
Threat Level: Shows suspicious behavior
The file 2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae was classified as: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Obfuscated with Agile.Net obfuscator
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 01:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 01:23
Reported
2024-03-02 01:23
Platform
win7-20240215-en
Max time kernel
12s
Max time network
12s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe
"C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /s /t 10
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2220-0-0x0000000000C80000-0x0000000000D18000-memory.dmp
memory/2220-1-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp
memory/2220-2-0x000000001BBA0000-0x000000001BC20000-memory.dmp
memory/2220-6-0x000000001BF00000-0x000000001C022000-memory.dmp
memory/2220-8-0x000000001BBA0000-0x000000001BC20000-memory.dmp
memory/2220-9-0x000000001BBA0000-0x000000001BC20000-memory.dmp
memory/2220-10-0x000000001BBA0000-0x000000001BC20000-memory.dmp
memory/2220-11-0x0000000000690000-0x0000000000696000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4C2B613E.dll
| Algorithm | Value |
| --- | --- |
| MD5 | 260ad92d3a2891e6a93abbfa4fd72aab |
| SHA1 | c4465333c0341c9345726947473bc11cc7660ee0 |
| SHA256 | c82d4be824a05f31db90806ba031b5d75d94414583d100ef53db18096ba61c7f |
| SHA512 | aa9c1213f1d631a5bad0520783150fbf71ebf91012040ddb700743cddbdf0f40047ea973c95124cd0107fe480c1fd282409a53b2c6b34e752e0e5a2d59ede8ae |
memory/2220-13-0x00000000006A0000-0x00000000006BA000-memory.dmp
memory/2220-14-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp
memory/2732-15-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/3068-16-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 01:23
Reported
2024-03-02 01:25
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe
"C:\Users\Admin\AppData\Local\Temp\2657d2eb97464fad0a61d8daaa2540ac27e6533ae053a4c45b25b906b479c1ae.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/732-0-0x00000234F45D0000-0x00000234F4668000-memory.dmp
memory/732-3-0x00007FF8B7BB0000-0x00007FF8B8671000-memory.dmp
memory/732-4-0x00000234F4A30000-0x00000234F4A40000-memory.dmp
memory/732-6-0x00000234F6DF0000-0x00000234F6F12000-memory.dmp
memory/732-8-0x00000234F4A30000-0x00000234F4A40000-memory.dmp
memory/732-9-0x00000234F4A30000-0x00000234F4A40000-memory.dmp
memory/732-10-0x00000234F4A30000-0x00000234F4A40000-memory.dmp
memory/732-11-0x00000234F4A40000-0x00000234F4A46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4C2B613E.dll
| Algorithm | Value |
| --- | --- |
| MD5 | 260ad92d3a2891e6a93abbfa4fd72aab |
| SHA1 | c4465333c0341c9345726947473bc11cc7660ee0 |
| SHA256 | c82d4be824a05f31db90806ba031b5d75d94414583d100ef53db18096ba61c7f |
| SHA512 | aa9c1213f1d631a5bad0520783150fbf71ebf91012040ddb700743cddbdf0f40047ea973c95124cd0107fe480c1fd282409a53b2c6b34e752e0e5a2d59ede8ae |
memory/732-13-0x00000234F62B0000-0x00000234F62CA000-memory.dmp
memory/732-14-0x00000234F6370000-0x00000234F6382000-memory.dmp
memory/732-15-0x00000234F7060000-0x00000234F709C000-memory.dmp
memory/732-16-0x00007FF8B7BB0000-0x00007FF8B8671000-memory.dmp
memory/732-17-0x00000234F4A30000-0x00000234F4A40000-memory.dmp
memory/732-18-0x00000234F4A30000-0x00000234F4A40000-memory.dmp
memory/732-19-0x00000234F4A30000-0x00000234F4A40000-memory.dmp
memory/732-20-0x00000234F4A30000-0x00000234F4A40000-memory.dmp