Analysis Overview
SHA256
1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552
Threat Level: Shows suspicious behavior
Verdict for the file 1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:04
Reported
2024-04-07 19:06
Platform
win7-20240221-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cmdk_ssp\regscont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~28A6.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\makerver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cmdk_ssp\regscont.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\DpiSayed = "C:\\Users\\Admin\\AppData\\Roaming\\cmdk_ssp\\regscont.exe" | C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\makerver.exe | C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe
"C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe"
C:\Users\Admin\AppData\Roaming\cmdk_ssp\regscont.exe
"C:\Users\Admin\AppData\Roaming\cmdk_ssp\regscont.exe"
C:\Users\Admin\AppData\Local\Temp\~28A6.tmp
"C:\Users\Admin\AppData\Local\Temp\~28A6.tmp"
C:\Windows\SysWOW64\makerver.exe
C:\Windows\SysWOW64\makerver.exe -k
C:\Windows\SysWOW64\cmd.exe
/C 259402190.cmd
C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe"
Network
Files
memory/2368-0-0x0000000000180000-0x00000000001C0000-memory.dmp
\Users\Admin\AppData\Roaming\cmdk_ssp\regscont.exe
| MD5 | 1512a3fc574aac5e8e33c80e18e8bdd1 |
| SHA1 | 5dc5bc9c50117b0a44db5d9b06c1b42f604b324d |
| SHA256 | f6a30aaeb7bdde0e827a0b254f535f55c9f2ce5fb946e86ddbf00fb2e3d72041 |
| SHA512 | b7c9f4a5f5a33eaafd302dc08dc47343cf2fd36bddac5f3ec7f9c8b67d81aa87132fd82adc27df3fc6da5af69605a7072ba53ca9deb32c03800c5c78c1e6ff37 |
\Users\Admin\AppData\Local\Temp\~28A6.tmp
| MD5 | 0117a68dcfec753f0a01a54f24cae171 |
| SHA1 | 296251bfc914d1e7d41315d0b93d4eb1dc419e90 |
| SHA256 | c05d999c57b654e4e4dc656666bd9892248b7f9ebfb16bed30955168872888fb |
| SHA512 | 1f57596139c7688a1ac3bd7c3f9a52e73a0275edddfbc0adfc6644876e7c846177a4423a6b61f6cc2aa69b49bd7a99982310148b99f74de0384b97edb7e5a5ee |
memory/2940-12-0x0000000000070000-0x00000000000B0000-memory.dmp
memory/1256-16-0x0000000002CD0000-0x0000000002D13000-memory.dmp
memory/1256-17-0x0000000002CD0000-0x0000000002D13000-memory.dmp
memory/1256-20-0x0000000002CD0000-0x0000000002D13000-memory.dmp
C:\Windows\SysWOW64\makerver.exe
| MD5 | cf2596af707fc17affa036f944e4d291 |
| SHA1 | b9c47dcf567c8bf76f04cfcb94b14cecc5a3ef28 |
| SHA256 | 1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552 |
| SHA512 | d5c5222d50000148d2d54b093dc048d019db756cb2aed6b8e1273d9479b22400dd5d8f00ea5f61c4cb57e2c4958a82ee449829fbf77b7bac763c42c0c65305b9 |
memory/2688-27-0x0000000000430000-0x0000000000470000-memory.dmp
memory/2688-28-0x0000000000430000-0x0000000000470000-memory.dmp
memory/2688-30-0x0000000000430000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\259402190.cmd
| MD5 | 94bd2d4b0a0deee73da22a5299f301eb |
| SHA1 | 1a52d4c9c874e501c986090aacda6439aa818d13 |
| SHA256 | ceba594a2c599fd6b3f090be1e773ae8ffdef9d3ccce7b3faa754ee8e21b817d |
| SHA512 | 65dad864da79848c8022f505e5f2f75fc1e8a3d412c4402f3ff3b64c8cfa401116e7fab3920be66dbf346afc1b152deab1d3419249b6b9ed72b5ab09d10399c1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:04
Reported
2024-04-07 19:06
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\CameNAME\ciphpact.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\findabel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~3C2E.tmp | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bthudiag = "C:\\Users\\Admin\\AppData\\Roaming\\CameNAME\\ciphpact.exe" | C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\findabel.exe | C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe
"C:\Users\Admin\AppData\Local\Temp\1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe"
C:\Users\Admin\AppData\Roaming\CameNAME\ciphpact.exe
"C:\Users\Admin\AppData\Roaming\CameNAME\ciphpact.exe"
C:\Windows\SysWOW64\findabel.exe
C:\Windows\SysWOW64\findabel.exe -k
C:\Users\Admin\AppData\Local\Temp\~3C2E.tmp
"C:\Users\Admin\AppData\Local\Temp\~3C2E.tmp"
C:\Windows\SysWOW64\cmd.exe
/C 240598078.cmd
C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
memory/4060-0-0x0000000000F20000-0x0000000000F60000-memory.dmp
C:\Users\Admin\AppData\Roaming\CameNAME\ciphpact.exe
| MD5 | 2a88b99520793aeffcca253facc5e9a5 |
| SHA1 | c5625b242c9dc3aec79ddaac21b98231749a8d40 |
| SHA256 | 1544004b089225e612245c361d848f2b200d9511d9e1b4cef0c86677ead99649 |
| SHA512 | 4dff2d535eeb80d6c95f982d4fda016884a43fb4cd3fbd0bef38e2628cedd3a1290534112b8645d316339b7f41cc2a1ec7d98e8eb0afe544da0a09d17ff46cb2 |
memory/3476-17-0x0000000004900000-0x0000000004943000-memory.dmp
memory/4156-20-0x0000000000E10000-0x0000000000E50000-memory.dmp
memory/4156-16-0x0000000000E10000-0x0000000000E50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~3C2E.tmp
| MD5 | 568562ff48ebc7db62c050ced3f43048 |
| SHA1 | aab2b172876372df44744dcd36bb9d3eff8f080f |
| SHA256 | 7487c26a8cc1a4ff0017da770d714e3c6ac21fee3cc0faf751f966717cd8855c |
| SHA512 | 357f192440f32f7137584ffedd3efbc445ae82eea2528d619331147a82b0675dcdee79be5dca976495a96c1b385954246c8fec2e1422dd852ea4044010d9e169 |
memory/3476-14-0x0000000004900000-0x0000000004943000-memory.dmp
memory/4156-13-0x0000000000E10000-0x0000000000E50000-memory.dmp
memory/4856-9-0x0000000000D70000-0x0000000000DB0000-memory.dmp
C:\Windows\SysWOW64\findabel.exe
| MD5 | cf2596af707fc17affa036f944e4d291 |
| SHA1 | b9c47dcf567c8bf76f04cfcb94b14cecc5a3ef28 |
| SHA256 | 1ad9ee172cdeb4b7d0674a1791e63cfeab8363f184ad5037f29334a576df2552 |
| SHA512 | d5c5222d50000148d2d54b093dc048d019db756cb2aed6b8e1273d9479b22400dd5d8f00ea5f61c4cb57e2c4958a82ee449829fbf77b7bac763c42c0c65305b9 |
C:\Users\Admin\AppData\Local\Temp\240598078.cmd
| MD5 | 301c093949cb2af1d73d8b564410e531 |
| SHA1 | 1fd67ca8c9da6d8a4fd9bdd9afaed7748a983ace |
| SHA256 | 52ee3dc6a47a94c21cedd8025faae3a4474d60643be6a6e54e695a46706d15cb |
| SHA512 | 36dbdcab02fbbfeddc14e0972afd838ac28c8db6d350e0cf95a7984e9025a1895112d70577947f2f6df8e2b91b7fe81f050d835bd5a8dbb9cc79b8b569b1f890 |