Analysis Overview
SHA256
5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4
Threat Level: Shows suspicious behavior
The file 5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-04-06 21:33 |
| Reported | 2024-04-06 21:37 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 141s |
| Max time network | 165s |
| Command Line | |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\m00uc4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zwm5k5a4 = "C:\\Users\\Admin\\AppData\\Roaming\\m00uc4.exe" | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2572 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | C:\Users\Admin\AppData\Roaming\m00uc4.exe |
| PID 2572 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | C:\Users\Admin\AppData\Roaming\m00uc4.exe |
| PID 2572 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | C:\Users\Admin\AppData\Roaming\m00uc4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe
"C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe"
C:\Users\Admin\AppData\Roaming\m00uc4.exe
C:\Users\Admin\AppData\Roaming\m00uc4.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lcogum.net | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lcogum.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 34.41.229.245:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 245.229.41.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\m00uc4.exe
| Hash | Value |
|---|---|
| MD5 | 1b0073367042e96feae864aaf4784f4d |
| SHA1 | 50d23c9b6c6191694d247cb623ba3fbaf7b53e69 |
| SHA256 | e41d313942ed013cc25c9e465ba71bf079b5671c6179091cc11bfbbd183cd5c6 |
| SHA512 | 38075f8ac0de4ae90ad8a2164cff65a94f8d6f746c89764c91748baf6b400be28f53cb089e3598b19d2160fe90adb92e2ef602204c4431764feee61948bc5e06 |
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-04-06 21:33 |
| Reported | 2024-04-06 21:36 |
| Platform | win7-20240221-en |
| Max time kernel | 119s |
| Max time network | 122s |
| Command Line | |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\rbjiqos4 = "C:\\Users\\Admin\\AppData\\Roaming\\fnh05pjgdw.exe" | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2504 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe |
| PID 2504 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe |
| PID 2504 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe |
| PID 2504 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe | C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe
"C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe"
C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe
C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lcogum.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 34.41.229.245:80 | ow5dirasuek.com | tcp |
Files
\Users\Admin\AppData\Roaming\fnh05pjgdw.exe
| Hash | Value |
|---|---|
| MD5 | 8192b0595c809d40071996dafc5b7fd0 |
| SHA1 | d02dd9f079b7d8fd879d8b049f8614cb1b077c87 |
| SHA256 | d4585f3090675053a7427d2222c5ae00dd159f709ee1fc8ce416eec2ab630918 |
| SHA512 | 08101bdb911260d2e454a0f38b5f30228abb195422bf13ddeb1f61ef80bf1a8842af62c7b42e17e884d9750705432b6fbe3240fda25c0dfeb2cde75b70093edc |