Analysis Overview
SHA256
0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3
Threat Level: Shows suspicious behavior
The file 0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:17
Reported
2024-04-07 18:20
Platform
win7-20240221-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Shohdi.hdi | C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shohdi.hdi | C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe
"C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe"
Network
Files
C:\Windows\SysWOW64\Shohdi.hdi
| MD5 | 666b80251f7f255736d436ee241115ad |
| SHA1 | 8d37a7553b49f9ae1cb7355fce90e4bebe233f71 |
| SHA256 | 0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3 |
| SHA512 | 2a7c3f7a623bf18ca44a3883080e71e9d8d67988e9908e741b72db908af727fe2710d1f155b9c280b2a045ec73b4400de616fe58588ffa1cf05bbcfb1a11b412 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | ff770d586e13c91bed490bccb6d32f44 |
| SHA1 | c1b717a80647fa60713c3abc2df863af9c7f332b |
| SHA256 | 8ca6788c055e9298de1c6225b1947876c0b67f6c5726b4b35d6d27fd1ae30e6c |
| SHA512 | 4e6413d9282936c66c2ef2b85c4d9326a357ff7882341fdca6bb63b029598f3f4a7777289c6a0fff8a0592b52140b6bac342e3ef77e1f19dcdae66476ca2cf4a |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 53a679db7ee8118419b26acf6ea6e679 |
| SHA1 | cdafa9dd738b32d7c35da53b3623c298685adfe7 |
| SHA256 | 7d58a2bef603ea18734d28f1026acc5e351cba57bbce26f3c2ea2ceff487657f |
| SHA512 | 42ba838b55e8bab442e48dc40dac998fb9bc5387b76ebcfe537d8f4d9bb478609f1e07e338b08c19eb52ec62f471d49040e80c4ce4480836e96adb8f1610b6e7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:17
Reported
2024-04-07 18:20
Platform
win10v2004-20240319-en
Max time kernel
61s
Max time network
156s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Shohdi.hdi | C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shohdi.hdi | C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe | N/A |
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe
"C:\Users\Admin\AppData\Local\Temp\0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4480 --field-trial-handle=2292,i,2927097380497635931,2014459809064723663,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 142.250.179.138:443 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| GB | 172.165.61.93:443 | | tcp |
| IE | 94.245.104.56:443 | | tcp |
| GB | 51.140.244.186:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 72.246.173.187:80 | www.microsoft.com | tcp |
| NL | 72.246.173.187:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 187.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
Files
C:\Windows\SysWOW64\Shohdi.hdi
| MD5 | 666b80251f7f255736d436ee241115ad |
| SHA1 | 8d37a7553b49f9ae1cb7355fce90e4bebe233f71 |
| SHA256 | 0677e005ed8fd37cc1ea57177ea394e8d5f64292776788f10eb93f9434dd71d3 |
| SHA512 | 2a7c3f7a623bf18ca44a3883080e71e9d8d67988e9908e741b72db908af727fe2710d1f155b9c280b2a045ec73b4400de616fe58588ffa1cf05bbcfb1a11b412 |