Analysis Overview
SHA256
a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83
Threat Level: Known bad
The file a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:18
Reported
2024-06-04 01:21
Platform
win7-20240220-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2184 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | C:\Users\Admin\Admin.exe |
| PID 2184 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | C:\Users\Admin\Admin.exe |
| PID 2184 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | C:\Users\Admin\Admin.exe |
| PID 2184 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
"C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 206.189.185.75:8000 | ns1.theimageparlour.net | tcp |
Files
\Users\Admin\Admin.exe
| MD5 | cb72e550fe9e96b63224ef628df89335 |
| SHA1 | 67be2430e4cba39db2d2c95e7fb6db20e9ee6fd8 |
| SHA256 | 4c99161df51ea517bcf0d5a525b3e3afc20f99c68c2f8451b869ecdb111acb5d |
| SHA512 | 045413aaf02bafa56c187eb044e85945d657d75392f2f9b3d2234e269187b52d78e01bbe45907d48d360b050a3d26e5285db97bdafa6fde8b0d6385a4e225fc1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:18
Reported
2024-06-04 01:21
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3608 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | C:\Users\Admin\Admin.exe |
| PID 3608 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | C:\Users\Admin\Admin.exe |
| PID 3608 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
"C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\Admin.exe
| MD5 | 975794e0323a23c545362b4b608d5f55 |
| SHA1 | 6400b5a4cc0b97ec48ecb1ec2dd295995bd613fb |
| SHA256 | 08a9dec73cea01d256fe75557f6196ede1af0fa4f232e1f41625dffd10dee7f7 |
| SHA512 | 8b0b9a01b4e57c63eeb194acbdf93531d224c701fa25da5f854c6b086c90adf19b37489cd27d2e4cec678d4c66b51c775044ca042b488ff26b3c85d09d1c21b7 |
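The behaviours recorded in behavioral1 and behavioral2 above (a Run value under the user's SID pointing at C:\Users\Admin\Admin.exe, ShowSuperHidden forced to 0, execution of the dropped Admin.exe, and the lookup of and 8000/tcp connection to ns1.theimageparlour.net), turned into hunting logic over endpoint telemetry. This is an added example, not output of the sandbox: the `Field=value|Field=value` event format, the field names (loosely modelled on Sysmon) and every sample log line are constructed for it. The hashes, SID, registry paths and network destination are taken from the report; the bing.com and in-addr.arpa entries in behavioral2 are treated as sandbox and Windows background traffic and deliberately left out of the indicator set.

```python
"""
Hunt for the behaviour recorded in the two behavioral runs: Run-key
persistence under the user's SID, ShowSuperHidden set to 0, the dropped
Admin.exe, and DNS/TCP activity towards ns1.theimageparlour.net.
Event lines use a constructed 'Field=value|Field=value' format that only
loosely follows Sysmon field names; SAMPLE_LOG is made up for this example.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report.
SAMPLE_SHA256 = "a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83"
WIN7_ADMIN_EXE = "4c99161df51ea517bcf0d5a525b3e3afc20f99c68c2f8451b869ecdb111acb5d"
WIN10_ADMIN_EXE = "08a9dec73cea01d256fe75557f6196ede1af0fa4f232e1f41625dffd10dee7f7"
DROPPED_SHA256 = {WIN7_ADMIN_EXE, WIN10_ADMIN_EXE}
C2_HOSTS = {"ns1.theimageparlour.net"}
C2_SOCKETS = {("206.189.185.75", 8000)}

# Registry paths are matched case-insensitively on the key tail, so both the
# HKU\<SID>\... and \REGISTRY\USER\<SID>\... spellings are covered.
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\[^\\]+$", re.I)
SUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)
# An executable sitting directly in the profile root (C:\Users\<name>\x.exe)
# is unusual for legitimate software; Run entries into AppData are common.
PROFILE_ROOT_EXE_RE = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)


@dataclass
class Hit:
    rule: str
    image: str
    line: str


def parse(line):
    """Split one 'Field=value|Field=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def check_registry(ev):
    target, details = ev.get("TargetObject", ""), ev.get("Details", "").strip()
    if RUN_KEY_RE.search(target):
        # Accept the quoted, double-escaped form shown in the report as well
        # as the bare path a Sysmon event carries.
        value = details.strip('"').replace("\\\\", "\\")
        if PROFILE_ROOT_EXE_RE.match(value):
            return "run_key_to_profile_root_exe"
    if SUPERHIDDEN_RE.search(target) and details.lower() in ("0", "dword (0x00000000)"):
        return "showsuperhidden_disabled"
    return None


def check_process(ev):
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    sha256 = hashes.get("SHA256", "").lower()
    if sha256 == SAMPLE_SHA256:
        return "known_sample_executed"
    if sha256 in DROPPED_SHA256:
        return "dropped_admin_exe_executed"
    return None


def check_dns(ev):
    if ev.get("QueryName", "").lower().rstrip(".") in C2_HOSTS:
        return "c2_dns_lookup"
    return None


def check_network(ev):
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    sock = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", "0") or 0))
    if host in C2_HOSTS or sock in C2_SOCKETS:
        return "c2_connection"
    return None


CHECKS = {
    "RegistryValueSet": check_registry,
    "ProcessCreate": check_process,
    "DnsQuery": check_dns,
    "NetworkConnect": check_network,
}


def hunt(lines):
    """Return one Hit per event line matching a behaviour from the report."""
    hits = []
    for line in lines:
        ev = parse(line)
        check = CHECKS.get(ev.get("EventType"))
        rule = check(ev) if check else None
        if rule:
            hits.append(Hit(rule, ev.get("Image", "?"), line.strip()))
    return hits


# Constructed sample telemetry replaying the win7 run (SID from behavioral1).
SID = "S-1-5-21-2721934792-624042501-2768869379-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
DROPPED = r"C:\Users\Admin\Admin.exe"
SAMPLE_LOG = [
    f"EventType=ProcessCreate|Image={DROPPER}|Hashes=SHA256={SAMPLE_SHA256}",
    f"EventType=RegistryValueSet|Image={DROPPER}|TargetObject=HKU\\{SID}\\Software\\Microsoft"
    f"\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden|Details=DWORD (0x00000000)",
    f"EventType=RegistryValueSet|Image={DROPPER}|TargetObject=HKU\\{SID}\\Software\\Microsoft"
    f"\\Windows\\CurrentVersion\\Run\\Admin|Details={DROPPED}",
    f"EventType=ProcessCreate|Image={DROPPED}|Hashes=SHA256={WIN7_ADMIN_EXE}",
    f"EventType=DnsQuery|Image={DROPPED}|QueryName=ns1.theimageparlour.net",
    f"EventType=NetworkConnect|Image={DROPPED}|DestinationIp=206.189.185.75|DestinationPort=8000",
    # Benign noise that must not fire: a Run entry into AppData and a Bing lookup.
    f"EventType=RegistryValueSet|Image=C:\\Vendor\\setup.exe|TargetObject=HKU\\{SID}\\Software\\Microsoft"
    f"\\Windows\\CurrentVersion\\Run\\Vendor|Details=C:\\Users\\Admin\\AppData\\Local\\Vendor\\app.exe",
    "EventType=DnsQuery|Image=C:\\Windows\\System32\\svchost.exe|QueryName=g.bing.com",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.rule:30} {h.image}")
```

The registry rules key on behaviour rather than on the value name `Admin`, because the sample names the dropped file and Run value after the logged-on user, so a different victim account would produce a different name; the hash and network indicators are exact matches and will only catch this specific build and infrastructure.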