Analysis Overview
SHA256: cfd27b3d61ad0cfcb0c5e31bb47144114b5ea37a7189a31bbf0c9ffa94e6f581
Threat Level: Shows suspicious behavior
The submitted archive edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.zip was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-03-28 06:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-28 06:05
Reported: 2024-03-28 06:09
Platform: win7-20240221-en
Max time kernel: 142s
Max time network: 127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe
"C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"
C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp" /SL5="$8001C,15648808,1044992,C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"
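The child process above is launched with the /SL5 switch from a staging directory named is-XXXXX.tmp, which is how an Inno Setup bootstrap EXE hands over to the real installer it has extracted: the argument carries the loader window handle (hex, after "$"), two byte offsets into the source EXE and the path of that source EXE. The signatures "Executes dropped EXE", "Loads dropped DLL" and "Suspicious use of WriteProcessMemory" are therefore consistent with an ordinary installer, which is why the verdict is "suspicious" rather than "malicious". What a triage analyst still wants to check is that the pieces agree with each other: the child really lives under %TEMP%\is-XXXXX.tmp\, and the source path inside /SL5 is the image of the parent that spawned it (a payload masquerading as an Inno Setup child gets one of these wrong). The script below is an added example, not code from the report or the sandbox; the two command lines are copied from this process tree, and the field names (hwnd, offset0, offset1, source) are this example's own labels for the four /SL5 fields.

```python
import re
from typing import NamedTuple

# Command lines copied from the behavioral1 process tree of the report.
PARENT_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"'
)
CHILD_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp"'
    r' /SL5="$8001C,15648808,1044992,C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"'
)

_IMAGE_RE = re.compile(r'^"([^"]+)"')          # quoted image path at the start of the line
_SL5_RE = re.compile(r'/SL5="([^"]*)"')        # the quoted /SL5 argument
# Inno Setup stages the real installer as %TEMP%\is-XXXXX.tmp\<name>.tmp
_STAGING_RE = re.compile(r'\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$', re.IGNORECASE)


class SL5Args(NamedTuple):
    image: str      # image of the child process (the staged .tmp)
    hwnd: int       # loader window handle, given as hex after '$'
    offset0: int    # first byte offset into the source EXE (decimal)
    offset1: int    # second byte offset into the source EXE (decimal)
    source: str     # bootstrap EXE that extracted and launched the child


def parse_sl5(cmdline: str) -> SL5Args:
    """Split an Inno Setup child command line into its /SL5 fields."""
    image = _IMAGE_RE.match(cmdline)
    sl5 = _SL5_RE.search(cmdline)
    if not image or not sl5:
        raise ValueError("not an Inno Setup /SL5 command line")
    # maxsplit=3 keeps any commas inside the source path intact
    fields = sl5.group(1).split(",", 3)
    if len(fields) != 4 or not fields[0].startswith("$"):
        raise ValueError("malformed /SL5 argument")
    return SL5Args(image.group(1), int(fields[0][1:], 16),
                   int(fields[1]), int(fields[2]), fields[3])


def image_of(cmdline: str) -> str:
    """Return the quoted image path that starts a process command line."""
    m = _IMAGE_RE.match(cmdline)
    if not m:
        raise ValueError("command line does not start with a quoted image path")
    return m.group(1)


def check_inno_child(child_cmdline: str, parent_image: str) -> list[str]:
    """Consistency checks for an Inno Setup child; an empty list means consistent."""
    args = parse_sl5(child_cmdline)
    findings = []
    if not _STAGING_RE.search(args.image):
        findings.append(f"child image outside an is-XXXXX.tmp staging dir: {args.image}")
    if args.source.lower() != parent_image.lower():
        findings.append(f"/SL5 source {args.source} does not match parent image {parent_image}")
    if args.offset0 <= 0 or args.offset1 <= 0:
        findings.append("non-positive offset in /SL5")
    return findings


if __name__ == "__main__":
    print(parse_sl5(CHILD_CMDLINE))
    print(check_inno_child(CHILD_CMDLINE, image_of(PARENT_CMDLINE)) or "consistent")
```

For this report both checks pass: the child sits in is-B4KOO.tmp and the /SL5 source is exactly the parent image. Whether the two offsets (15648808 and 1044992) actually fall inside the parent EXE cannot be confirmed from the page, since the parent's size is not listed.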
Network
Files
memory/2208-1-0x0000000000400000-0x000000000050C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-B4KOO.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp
| MD5 | 7da27e20661e025f701f1f64927c70f8 |
| SHA1 | 4d01eaaa7251e382c2b71f12af826c2575196188 |
| SHA256 | 9742767b2de0c8c1305a2c3f712c76043ce6bba3f31beae7419fd64913abc3e5 |
| SHA512 | 7e57d809f70844b67b0ee67ba0f2cca5ef5ee30680a9f7fd7d55a61f2cee1bfe61dbe490699955d5d94110e43bfc3f053d7ef3569788be17345d4ff4cb086019 |
memory/2780-8-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2208-10-0x0000000000400000-0x000000000050C000-memory.dmp
memory/2780-11-0x0000000000400000-0x0000000000748000-memory.dmp
memory/2780-14-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2780-26-0x0000000000400000-0x0000000000748000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-28 06:05
Reported: 2024-03-28 06:09
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5GLQ1.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe
"C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"
C:\Users\Admin\AppData\Local\Temp\is-5GLQ1.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5GLQ1.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp" /SL5="$5021C,15648808,1044992,C:\Users\Admin\AppData\Local\Temp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
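The only network activity recorded in this run is a set of reverse (PTR) lookups sent to 8.8.8.8; no outbound connection appears in the table. The table also has no process column, so the page alone does not attribute these queries to the sample rather than to the Windows 10 image itself. The first step in deciding what they are is to recover the addresses being asked about, which in-addr.arpa names encode as the IPv4 octets in reverse order. The script below is an added example, not part of the report; the query list is copied from the table, and the decoder is written generally so it also handles ip6.arpa names (32 reversed hex nibbles), which do not occur on this page.

```python
import ipaddress

# PTR query names copied from the behavioral2 network table of the report.
PTR_QUERIES = [
    "149.220.183.52.in-addr.arpa",
    "173.178.17.96.in-addr.arpa",
    "71.31.126.40.in-addr.arpa",
    "13.86.106.20.in-addr.arpa",
    "86.23.85.13.in-addr.arpa",
    "56.126.166.20.in-addr.arpa",
    "98.56.20.217.in-addr.arpa",
    "240.221.184.93.in-addr.arpa",
]


def ptr_to_ip(name: str) -> str:
    """Turn a reverse-DNS query name back into the address it asks about.

    in-addr.arpa carries the four IPv4 octets in reverse order;
    ip6.arpa carries the 32 hex nibbles of the IPv6 address in reverse order.
    Anything else is rejected rather than guessed at.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        # IPv4Address() validates that every octet is in range
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:32]))
        groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a PTR query name: {name}")


def ip_to_ptr(ip: str) -> str:
    """Inverse of ptr_to_ip using the standard library, handy for round-trip checks."""
    return ipaddress.ip_address(ip).reverse_pointer


def decode_ptr_queries(names):
    """Map each PTR query name to its decoded address, keeping the report's order."""
    return {n: ptr_to_ip(n) for n in names}


if __name__ == "__main__":
    for name, ip in decode_ptr_queries(PTR_QUERIES).items():
        print(f"{name:32} -> {ip}")
```

The decoded addresses are what you would then look up against WHOIS, passive DNS or an allow-list of known OS and CDN ranges before treating any of them as an indicator from this sample.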
Files
memory/2952-0-0x0000000000400000-0x000000000050C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-5GLQ1.tmp\edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4.tmp
| MD5 | 7da27e20661e025f701f1f64927c70f8 |
| SHA1 | 4d01eaaa7251e382c2b71f12af826c2575196188 |
| SHA256 | 9742767b2de0c8c1305a2c3f712c76043ce6bba3f31beae7419fd64913abc3e5 |
| SHA512 | 7e57d809f70844b67b0ee67ba0f2cca5ef5ee30680a9f7fd7d55a61f2cee1bfe61dbe490699955d5d94110e43bfc3f053d7ef3569788be17345d4ff4cb086019 |
memory/2984-5-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/2952-7-0x0000000000400000-0x000000000050C000-memory.dmp
memory/2984-8-0x0000000000400000-0x0000000000748000-memory.dmp
memory/2984-11-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/2984-31-0x0000000000400000-0x0000000000748000-memory.dmp
memory/2984-35-0x0000000000400000-0x0000000000748000-memory.dmp