Analysis Overview
SHA256
7e63076d377997ecc53c4354ee90916e35b44b9f74d46c1af33cfc40fcd69ea5
Threat Level: Likely benign
The file 15462718181.zip was found to be: Likely benign.
Malicious Activity Summary
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-16 09:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 09:23
Reported
2024-05-16 09:26
Platform
win7-20240419-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1640 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | C:\Windows\system32\WerFault.exe |
| PID 1640 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | C:\Windows\system32\WerFault.exe |
| PID 1640 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe
"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1640 -s 372
Network
| Country | Destination | Domain | Proto |
| NL | 195.20.16.45:80 | tcp | |
| DE | 77.105.147.130:80 | tcp |
Files
memory/1640-2-0x0000000077060000-0x0000000077062000-memory.dmp
memory/1640-0-0x0000000077060000-0x0000000077062000-memory.dmp
memory/1640-6-0x000000013FC8F000-0x000000013FFDB000-memory.dmp
memory/1640-10-0x000000013FA90000-0x0000000140763000-memory.dmp
memory/1640-4-0x0000000077060000-0x0000000077062000-memory.dmp
memory/1640-18-0x000000013FA90000-0x0000000140763000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/1640-19-0x000000013FA90000-0x0000000140763000-memory.dmp
memory/1640-20-0x000000013FA90000-0x0000000140763000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 09:23
Reported
2024-05-16 09:26
Platform
win10-20240404-en
Max time kernel
127s
Max time network
136s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe
"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Network
| Country | Destination | Domain | Proto |
| NL | 195.20.16.45:80 | tcp | |
| DE | 77.105.147.130:80 | tcp | |
| US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
memory/3044-0-0x00007FF69FB5F000-0x00007FF69FEAB000-memory.dmp
memory/3044-1-0x00007FFC7A720000-0x00007FFC7A722000-memory.dmp
memory/3044-3-0x00007FF69F960000-0x00007FF6A0633000-memory.dmp
memory/3044-13-0x00007FF69FB5F000-0x00007FF69FEAB000-memory.dmp
memory/3044-14-0x00007FF69F960000-0x00007FF6A0633000-memory.dmp
memory/3044-15-0x00007FF69F960000-0x00007FF6A0633000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-16 09:23
Reported
2024-05-16 09:27
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe
"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| DE | 77.105.147.130:80 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | tcp | |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/4840-0-0x00007FF64046F000-0x00007FF6407BB000-memory.dmp
memory/4840-2-0x00007FF640270000-0x00007FF640F43000-memory.dmp
memory/4840-1-0x00007FF9900D0000-0x00007FF9900D2000-memory.dmp
memory/4840-13-0x00007FF64046F000-0x00007FF6407BB000-memory.dmp
memory/4840-14-0x00007FF640270000-0x00007FF640F43000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-16 09:23
Reported
2024-05-16 09:26
Platform
win11-20240508-en
Max time kernel
121s
Max time network
94s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe
"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Network
| Country | Destination | Domain | Proto |
| NL | 195.20.16.45:80 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| DE | 77.105.147.130:80 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2764-2-0x00007FF79ADCF000-0x00007FF79B11B000-memory.dmp
memory/2764-1-0x00007FF79ABD0000-0x00007FF79B8A3000-memory.dmp
memory/2764-0-0x00007FFEFB3D0000-0x00007FFEFB3D2000-memory.dmp
memory/2764-13-0x00007FF79ABD0000-0x00007FF79B8A3000-memory.dmp
memory/2764-14-0x00007FF79ADCF000-0x00007FF79B11B000-memory.dmp