Analysis Overview
SHA256
cfd38f950ce061f5782b50f49f1e5a7eded503d0e06fcc315b8a8b1ad765ee49
Threat Level: Shows suspicious behavior
The file cfd38f950ce061f5782b50f49f1e5a7eded503d0e06fcc315b8a8b1ad765ee49 was classified as: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-07 16:43
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 16:42
Reported
2024-06-07 16:45
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cfd38f950ce061f5782b50f49f1e5a7eded503d0e06fcc315b8a8b1ad765ee49.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfd38f950ce061f5782b50f49f1e5a7eded503d0e06fcc315b8a8b1ad765ee49.exe
"C:\Users\Admin\AppData\Local\Temp\cfd38f950ce061f5782b50f49f1e5a7eded503d0e06fcc315b8a8b1ad765ee49.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.programworkshop.com | udp |
| US | 161.47.163.214:80 | www.programworkshop.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.163.47.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1412-0-0x00000000008D0000-0x0000000000970000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
| Hash | Value |
|---|---|
| MD5 | 368332fca74f48697d842c5f4698ae1d |
| SHA1 | 0275153a1e62bd0eca0b02168895517ed66aac56 |
| SHA256 | 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59 |
| SHA512 | fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5 |
memory/1412-14-0x00000000008D0000-0x0000000000970000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 16:42
Reported
2024-06-07 16:45
Platform
win11-20240426-en
Max time kernel
90s
Max time network
99s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfd38f950ce061f5782b50f49f1e5a7eded503d0e06fcc315b8a8b1ad765ee49.exe
"C:\Users\Admin\AppData\Local\Temp\cfd38f950ce061f5782b50f49f1e5a7eded503d0e06fcc315b8a8b1ad765ee49.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.programworkshop.com | udp |
| US | 161.47.163.214:80 | www.programworkshop.com | tcp |
| IE | 52.111.236.21:443 | | tcp |
Files
memory/1876-0-0x0000000000C90000-0x0000000000D30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
| Hash | Value |
|---|---|
| MD5 | 368332fca74f48697d842c5f4698ae1d |
| SHA1 | 0275153a1e62bd0eca0b02168895517ed66aac56 |
| SHA256 | 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59 |
| SHA512 | fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5 |
memory/1876-14-0x0000000000C90000-0x0000000000D30000-memory.dmp