Analysis Overview
SHA256
fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f
Threat Level: Shows suspicious behavior
Verdict for fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f: shows suspicious behavior. No malware family is attributed in this report; the verdict rests on the four behaviors listed below.
Malicious Activity Summary
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
The UPX and unsigned-PE findings are static observations (analysis static1); the Run key and the System32 file drop were observed during detonation (analyses behavioral1 and behavioral2).
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:45
Signatures
UPX packed file
No description, indicator, process or target is recorded for this signature.
Unsigned PE
No description, indicator, process or target is recorded for this signature.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:45
Reported
2024-06-03 05:47
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
UPX packed file
No description, indicator, process or target is recorded for this signature.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe" | C:\Users\Admin\AppData\Local\Temp\fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f.exe | N/A |
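The key lands under Wow6432Node, which is the WOW64 registry redirection a 32-bit process gets when it writes HKLM\SOFTWARE; the dropped file in this run is likewise under SysWOW64. Note also that the value data points at C:\Windows\system32\winxcfg.exe, while the Files section for both behavioral runs records no write to that path, so the persistence entry may be dangling in the sandbox runs as recorded.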
Drops file in System32 directory
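The two behavioral signatures are registry and file-system observations that map directly onto endpoint telemetry. As an added example (not the sandbox's own detection code), the following Python runs that logic over constructed Sysmon-style events (ID 13 registry value set, ID 11 file create) written from the indicators in this report, rather than exported from the sandbox. It flags a Run-key write by a process executing from a user-writable location and a file create into System32 or SysWOW64 by a process that is not itself running from there; the event shape, the helper names and the benign installer event used as noise are all assumptions made for the example.

```python
import re

# Constructed events in a Sysmon-like shape; the first two reproduce the
# report's indicators, the third is benign noise (a vendor installer
# registering its own updater from Program Files).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f.exe")
EVENTS = [
    {"id": 13, "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe",
     # value data as the sandbox renders it: quoted, backslashes doubled
     "details": '"C:\\\\Windows\\\\system32\\\\winxcfg.exe"'},
    {"id": 11, "image": SAMPLE,
     "target": r"C:\Windows\SysWOW64\macromd\AIM Account Stealer.exe"},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r"C:\Program Files\Vendor\update.exe"},
]

# Matches Run/RunOnce under both the native (\REGISTRY\MACHINE\...) and the
# HKLM-style path, with or without the Wow6432Node redirection node.
RUN_KEY = re.compile(r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Locations a standard user can write to; assumed list, extend per environment.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\",
                 "c:\\users\\public\\", "c:\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def from_user_writable(path):
    return any(p in path.lower() for p in USER_WRITABLE)


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def unquote_value(details):
    """Undo the report's rendering of REG_SZ data: strip quotes, unescape \\\\."""
    return details.strip().strip('"').replace("\\\\", "\\")


def detect(events):
    """Return (signature, indicator, context) tuples for matching events."""
    findings = []
    for ev in events:
        image = ev["image"]
        if ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            value = unquote_value(ev["details"])
            # ATT&CK T1547.001: Run key written by something running from a
            # temp/download location rather than an installed product.
            if from_user_writable(image):
                findings.append(("Adds Run key to start application", ev["target"], value))
        elif ev["id"] == 11 and in_system_dir(ev["target"]) and not in_system_dir(image):
            # Installers legitimately drop into System32 too, so this one is a
            # triage signal to correlate with the process origin, not a verdict.
            findings.append(("Drops file in System32 directory", ev["target"], image))
    return findings


if __name__ == "__main__":
    for sig, indicator, context in detect(EVENTS):
        print(sig, "|", indicator, "|", context)
```

The Run-key check deliberately keys on where the writing process lives rather than on the value name, because the dropped file names in this report change between runs while the write-from-%TEMP% pattern does not.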
Processes
C:\Users\Admin\AppData\Local\Temp\fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f.exe
"C:\Users\Admin\AppData\Local\Temp\fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f.exe"
Network
Files
memory/2936-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Windows\SysWOW64\macromd\hot girl on the beach sucking cock and fucking guy.mpg.exe
| Hash | Value |
| MD5 | 47b7a733afbbee7c6b2c2b9653d99404 |
| SHA1 | cf069ba413f5c250e87f732ed683f35043f0d05d |
| SHA256 | acb3e745102b18c80750a684d77ae24faf7f32e96bc2d345889d65b64502226a |
| SHA512 | 772bb6dcb11b686255075606bbf7ca3f5ad15ad56ca256eb0debbb8569d881e86d08b4aad90ce5187559c6225bb922418ce065dc231204a61f0641c752947774 |
memory/2936-34-0x0000000000400000-0x0000000000467000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:45
Reported
2024-06-03 05:47
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
102s
Command Line
Signatures
UPX packed file
No description, indicator, process or target is recorded for this signature.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe" | C:\Users\Admin\AppData\Local\Temp\fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f.exe | N/A |
Drops file in System32 directory
Processes
C:\Users\Admin\AppData\Local\Temp\fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f.exe
"C:\Users\Admin\AppData\Local\Temp\fa0058f0f8524970bb77d263fb7ded1c3ade477beacfed8fc2bb3f118f69e53f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
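The network table does not attribute traffic to a process. It consists of reverse-DNS (PTR) lookups to 8.8.8.8 and one TLS connection to www.bing.com, none of which is tied to the sample's process in this report, and the behavioral1 run recorded no network activity at all. Treat these entries as unconfirmed until they are correlated with the sample's process rather than as indicators for it.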
Files
memory/3364-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Windows\SysWOW64\macromd\AIM Account Stealer.exe
| Hash | Value |
| MD5 | 843ad864f2e885be2e917d8472ba104e |
| SHA1 | 6f55d52e185299d9cfafa0fa0114678be86d7225 |
| SHA256 | 0c482d999a51c5445c727d899221c4bf993cfb00993a5d2d93cd996248619b79 |
| SHA512 | af2656ef1c258cd4da27549e475f46b176618abec277b9831c491a21a192993ec175190fd3b1fc3302cc584c5aaf4ef48ddc7e90c331b143ac70a4e05c479912 |
memory/3364-34-0x0000000000400000-0x0000000000467000-memory.dmp
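Across the two runs the dropped file's name and all of its hashes differ, so neither the file name nor its hash is a stable indicator. What is stable is the drop directory C:\Windows\SysWOW64\macromd\, the Run value name winxcfg.exe with its target C:\Windows\system32\winxcfg.exe, and the sample hash itself. Both runs also captured the same image range (0x400000-0x467000) twice; for a UPX-packed sample the later capture, taken after the unpacking stub has run, is the one to use for static analysis of the real code.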