Analysis Overview
SHA256
dbcc0fa52ba88fab709435d08c15045f814435650873e11ec214f0d7c66cbf4d
Threat Level: Shows suspicious behavior
The file [SA]LimitAdjaster.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 00:00
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 00:00
Reported
2024-05-18 00:00
Platform
win10v2004-20240426-en
Max time kernel
24s
Max time network
17s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe
"C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
Files
memory/3128-0-0x00000000021F0000-0x00000000021F1000-memory.dmp
memory/3128-1-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3128-3-0x00000000021F0000-0x00000000021F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 00:00
Reported
2024-05-18 00:00
Platform
win11-20240508-en
Max time kernel
23s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe
"C:\Users\Admin\AppData\Local\Temp\[SA]LimitAdjaster.exe"
Network
Files
memory/3796-0-0x0000000000750000-0x0000000000751000-memory.dmp
memory/3796-1-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3796-2-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3796-3-0x0000000000750000-0x0000000000751000-memory.dmp