Analysis Overview
SHA256
2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba
Threat Level: Shows suspicious behavior
The file 2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba was found to be: Shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 20:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 20:36
Reported
2024-06-06 20:39
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Syssrc32 = "C:\\Windows\\Syssrc32.exe" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fndfst32 = "C:\\Windows\\System\\fndfst32.exe" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer Shell = "C:\\Windows\\System\\Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System applets = "C:\\Windows\\System\\applets.exe" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
Drops file in Windows directory
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\Explore = "%SystemRoot%\\SysWow64\\NOTEPAD.EXE %1" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\System\\Sysexp32.exe %1" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2984 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2984 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2984 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2984 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe
"C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 92
Network
Files
C:\Windows\system\Sysexp32.exe
| MD5 | 0301adddc1061e328bd8925d0bf79900 |
| SHA1 | f87e342a6d5df4a6968b5b751548d7e6de5762b7 |
| SHA256 | 0614cf528a59024bba7a6d5bd678c948a8e9637a93ef54119d07624db510c244 |
| SHA512 | ec4176d0688fcb559025b6c7fe6a90503d3613f9f27807405f3549974f57cabbcaa4e04d0feefe48cf22676620464cc0563616fe7485371f3ee5b8bb56517e52 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 20:36
Reported
2024-06-06 20:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System applets = "C:\\Windows\\System\\applets.exe" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Syssrc32 = "C:\\Windows\\Syssrc32.exe" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fndfst32 = "C:\\Windows\\System\\fndfst32.exe" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer Shell = "C:\\Windows\\System\\Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
Drops file in Windows directory
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\Explore = "%SystemRoot%\\SysWow64\\NOTEPAD.EXE %1" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\System\\Sysexp32.exe %1" | C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe
"C:\Users\Admin\AppData\Local\Temp\2b8620bb5c22ce747db82ad31287ee5c9db897d83fa9be75db6ea2e746b537ba.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2812 -ip 2812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 336
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.130:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
C:\Windows\System\Sysexp32.exe
| MD5 | 445c98de81464c3c6def3d0a382b1a02 |
| SHA1 | 18e2c6d68f657acafcf857f7de4bb2b760f60b45 |
| SHA256 | fc38232e89373b1549e9df32e9ec901ac398be9fd927df6013724d3da75669f3 |
| SHA512 | 713122b7abe0b40477cdaad44c07570042d06144167417f45eecfae651b248ab628fd26177bfd5484daa32d225a045a0588b1b0b1c1237dbf36f8676b2ed7b8b |