Analysis Overview
SHA256
8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd
Threat Level: Known bad
The file 8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:10
Reported
2024-04-07 23:13
Platform
win7-20240215-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2900 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | C:\Users\Admin\Admin.exe |
| PID 2900 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | C:\Users\Admin\Admin.exe |
| PID 2900 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | C:\Users\Admin\Admin.exe |
| PID 2900 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe
"C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 206.189.185.75:8000 | ns1.theimageparlour.net | tcp |
Files
\Users\Admin\Admin.exe
| MD5 | c9d01ddd1467d0720644eca861b1f8be |
| SHA1 | f6bb6bf28100a4adb150a4c55bf45546254df8c8 |
| SHA256 | 912a9091051e4109da6086f764be71a77e39a340c65eb2a9940ac7b4581b7459 |
| SHA512 | 8a6c639de33717e174bf7069b541fe79088ee940cefa438908a2d23dbf71829ee780e271fced5af0904e98518ed8ac5c656c4784690cebd38788f1e0de904a4f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:10
Reported
2024-04-07 23:13
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
132s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2844 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | C:\Users\Admin\Admin.exe |
| PID 2844 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | C:\Users\Admin\Admin.exe |
| PID 2844 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe
"C:\Users\Admin\AppData\Local\Temp\8b9c661a495ec8c5520a8792e845a6f2c2d79260e57e4f480b9829d49dddf9bd.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\Admin.exe
| MD5 | b1c39538a37235006e06a554e3ddb1b2 |
| SHA1 | 7341d3a8d67ab10206b7a6d6f621a48a2a304745 |
| SHA256 | 87fb2a194a936a740e82815d66dce40cc90a35ecf4909c35f4325d4bd4451b9f |
| SHA512 | d8af9faa858790749d6d79de346dfdd13400a231e6294cc8a9a8f1e95385edad4b4f042dc6e485e1fd8e514edd92631ad4d51732db25b13cf9e8471a5aec4c74 |