Analysis Overview
SHA256
63628a61920145140b67b1531bc557960a61b525bebaa1e860e741ee341f4a92
Threat Level: Shows suspicious behavior
The file 63628a61920145140b67b1531bc557960a61b525bebaa1e860e741ee341f4a92 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 22:03
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 22:03
Reported
2024-06-10 22:05
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
138s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\63628a61920145140b67b1531bc557960a61b525bebaa1e860e741ee341f4a92.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\63628a61920145140b67b1531bc557960a61b525bebaa1e860e741ee341f4a92.exe
"C:\Users\Admin\AppData\Local\Temp\63628a61920145140b67b1531bc557960a61b525bebaa1e860e741ee341f4a92.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.programworkshop.com | udp |
| US | 161.47.163.214:80 | www.programworkshop.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.163.47.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
Files
memory/1188-0-0x0000000000440000-0x00000000004E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
| Hash | Value |
|---|---|
| MD5 | 368332fca74f48697d842c5f4698ae1d |
| SHA1 | 0275153a1e62bd0eca0b02168895517ed66aac56 |
| SHA256 | 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59 |
| SHA512 | fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5 |
memory/1188-15-0x0000000000440000-0x00000000004E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 22:03
Reported
2024-06-10 22:05
Platform
win11-20240426-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\63628a61920145140b67b1531bc557960a61b525bebaa1e860e741ee341f4a92.exe
"C:\Users\Admin\AppData\Local\Temp\63628a61920145140b67b1531bc557960a61b525bebaa1e860e741ee341f4a92.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.programworkshop.com | udp |
| US | 161.47.163.214:80 | www.programworkshop.com | tcp |
| US | 8.8.8.8:53 | 214.163.47.161.in-addr.arpa | udp |
Files
memory/1672-0-0x0000000000AF0000-0x0000000000B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
| Hash | Value |
|---|---|
| MD5 | 368332fca74f48697d842c5f4698ae1d |
| SHA1 | 0275153a1e62bd0eca0b02168895517ed66aac56 |
| SHA256 | 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59 |
| SHA512 | fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5 |
memory/1672-14-0x0000000000AF0000-0x0000000000B90000-memory.dmp