Analysis Overview
SHA256
5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769
Threat Level: Shows suspicious behavior
The file 5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:29
Reported
2024-06-02 22:32
Platform
win7-20240508-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\true_update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\true_update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\true_update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\true_update.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe
"C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe"
C:\Users\Admin\AppData\Local\Temp\true_update.exe
"C:\Users\Admin\AppData\Local\Temp\true_update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | adultagencyads.com | udp |
| DE | 136.243.60.66:80 | adultagencyads.com | tcp |
Files
memory/1684-1-0x0000000000403000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\true_update.exe
| MD5 | 887a720bd7433ffc7a3546c22122acde |
| SHA1 | 51bdbb69387e0989adb47cbfdd77355450bd71ee |
| SHA256 | ad5ab19740a0db433d88b21cce5e9d345626006446a34334c55c60ef05a08928 |
| SHA512 | 6584e2856e39b266e26dc57b7997ab77990d28251424e161672042bf292030b6e5f183eb194123b1648aa74f29e96cd1c1debb79da15311ddb42de580e29ae41 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:29
Reported
2024-06-02 22:32
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\true_update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\true_update.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1176 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe | C:\Users\Admin\AppData\Local\Temp\true_update.exe |
| PID 1176 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe | C:\Users\Admin\AppData\Local\Temp\true_update.exe |
| PID 1176 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe | C:\Users\Admin\AppData\Local\Temp\true_update.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe
"C:\Users\Admin\AppData\Local\Temp\5c8fc022fbe712cba4b8285d2464a9d72c98f80036fb403db0599a57ca262769.exe"
C:\Users\Admin\AppData\Local\Temp\true_update.exe
"C:\Users\Admin\AppData\Local\Temp\true_update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | adultagencyads.com | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 136.243.60.66:80 | adultagencyads.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.60.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/1176-1-0x0000000000403000-0x0000000000404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\true_update.exe
| MD5 | 887a720bd7433ffc7a3546c22122acde |
| SHA1 | 51bdbb69387e0989adb47cbfdd77355450bd71ee |
| SHA256 | ad5ab19740a0db433d88b21cce5e9d345626006446a34334c55c60ef05a08928 |
| SHA512 | 6584e2856e39b266e26dc57b7997ab77990d28251424e161672042bf292030b6e5f183eb194123b1648aa74f29e96cd1c1debb79da15311ddb42de580e29ae41 |
memory/3932-9-0x0000000000400000-0x0000000000407000-memory.dmp