Analysis Overview
SHA256
1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2
Threat Level: Shows suspicious behavior
The file 1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2 received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 18:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 18:50
Reported
2024-04-03 18:53
Platform
win7-20240319-en
Max time kernel
123s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Shohdi.hdi | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shohdi.hdi | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe | N/A |
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe
"C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe"
C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho
C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho
Network
Files
\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho
| MD5 | ea640a8a335b6870ad01287870de3d2b |
| SHA1 | 78859d20f360499abc11b7c9dc196a85b9d5a3c9 |
| SHA256 | 6e3fb27b9162467623458bb5a9a06155eb0e5a6d3029f9bcbd8507818c720db1 |
| SHA512 | 1b5402d41e704a6d0ed085090a526805e58aba8ed832ed57ef503eb0a41df74fdadda438265d6bcd074a0161aa2a25f4bc8464d529302d6ee3077bdd7da67a81 |
C:\Windows\SysWOW64\Shohdi.hdi
| MD5 | 2f1fdba0569561eea3a201daf15e0cb3 |
| SHA1 | 59b6826ba5557f4c0a30a36f25c64a6c1cc13cad |
| SHA256 | 1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2 |
| SHA512 | 5a864c095c8e9c300352f0dc2f49c5122f23f6d689a8466c6db5abdfa0a8ffa3767fcdd88fdad6efa28eb5a2e718f063479a27e3561022b09fd6766c6d53db29 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 18:50
Reported
2024-04-03 18:53
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Shohdi.hdi | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe | N/A |
| File created | C:\Windows\SysWOW64\Shohdi.hdi | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe | N/A |
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1076 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho |
| PID 1076 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe | C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho |
Processes
C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe
"C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.exe"
C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho
C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2.sho
| MD5 | ea640a8a335b6870ad01287870de3d2b |
| SHA1 | 78859d20f360499abc11b7c9dc196a85b9d5a3c9 |
| SHA256 | 6e3fb27b9162467623458bb5a9a06155eb0e5a6d3029f9bcbd8507818c720db1 |
| SHA512 | 1b5402d41e704a6d0ed085090a526805e58aba8ed832ed57ef503eb0a41df74fdadda438265d6bcd074a0161aa2a25f4bc8464d529302d6ee3077bdd7da67a81 |
C:\Windows\SysWOW64\Shohdi.hdi
| MD5 | 2f1fdba0569561eea3a201daf15e0cb3 |
| SHA1 | 59b6826ba5557f4c0a30a36f25c64a6c1cc13cad |
| SHA256 | 1298f513bba42bfad3fb53d0792d01b7dfba743b4b2e3ef8d513f77bd5116ff2 |
| SHA512 | 5a864c095c8e9c300352f0dc2f49c5122f23f6d689a8466c6db5abdfa0a8ffa3767fcdd88fdad6efa28eb5a2e718f063479a27e3561022b09fd6766c6d53db29 |