Analysis Overview
SHA256: 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43
Threat Level: Shows suspicious behavior
The file 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 10:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 10:36
Reported
2024-06-12 10:39
Platform
win7-20240419-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe
"C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\regsvr32.exe /u /s "C:\Users\Admin\AppData\Local\Temp\DeskmgrShellExtx64.dll"
C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" exec "C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\firewallLog.txt"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | masterconn11.qq.com | udp |
Files
\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\dr.dll
| Hash | Value |
|---|---|
| MD5 | 68a34245c650829c613e9068bdc6f79d |
| SHA1 | f877ad637c2097915ba894fdccb1a596a52a726e |
| SHA256 | c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf |
| SHA512 | 1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe |
C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\firewallLog.txt
| Hash | Value |
|---|---|
| MD5 | bb2bc660ceba457e96e328d6771f93cb |
| SHA1 | 5387c389561eee423fc284a887ae752d478e3dd6 |
| SHA256 | c784f85e2d745af795236284f46b9c0a0cab51d8cd5dffc7d94e2421cefeae5c |
| SHA512 | 6ced4915cd8988895bf9a8f96d75508f57a20b8f5f7952f09706bdc5c8dd651d0f2ea52397a370abd8a578215e7828dbffba36e695c80920475d859ba3de00a0 |
C:\ProgramData\Tencent\DeskGo\DeskGoUninst_20240612103645.Log
| Hash | Value |
|---|---|
| MD5 | 504f91f57777bd4627607d14db6fbb18 |
| SHA1 | b9ba3d86410f2e9ff3d8ab07f7ba5ef25be34310 |
| SHA256 | ff1dd094265dc8e7ac3cea200590ebfe5506f946fac45bdfa99ffc1e7573707b |
| SHA512 | 84ca8294b058971a4780bebde1b6916b2041b8455e63c9d22f58897320c55189d27cba4717e58690675c4675fe394c19a2a3a9f8e80bc9d2af3c99daeb9b088a |
memory/1620-84-0x0000000000A40000-0x0000000000B41000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 10:36
Reported
2024-06-12 10:39
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe
"C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3060,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\regsvr32.exe /u /s "C:\Users\Admin\AppData\Local\Temp\DeskmgrShellExtx64.dll"
C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" exec "C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\firewallLog.txt"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | masterconn11.qq.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| CN | 157.255.4.39:443 | masterconn11.qq.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\dr.dll
| Hash | Value |
|---|---|
| MD5 | 68a34245c650829c613e9068bdc6f79d |
| SHA1 | f877ad637c2097915ba894fdccb1a596a52a726e |
| SHA256 | c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf |
| SHA512 | 1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe |
C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\firewallLog.txt
| Hash | Value |
|---|---|
| MD5 | bb2bc660ceba457e96e328d6771f93cb |
| SHA1 | 5387c389561eee423fc284a887ae752d478e3dd6 |
| SHA256 | c784f85e2d745af795236284f46b9c0a0cab51d8cd5dffc7d94e2421cefeae5c |
| SHA512 | 6ced4915cd8988895bf9a8f96d75508f57a20b8f5f7952f09706bdc5c8dd651d0f2ea52397a370abd8a578215e7828dbffba36e695c80920475d859ba3de00a0 |
C:\ProgramData\Tencent\DeskGo\DeskGoUninst_20240612103645.Log
| Hash | Value |
|---|---|
| MD5 | 6e90345be94139cedc00b15a0800ca05 |
| SHA1 | 5d7b1ec9a267c8757d699dac4b3cd41eb87425d8 |
| SHA256 | c540cb289544198f5db1fff946ad9515301dcef0af4c5b178527cb3ff1b91e0e |
| SHA512 | dd26b8be27bca9acc8a51926696cf12782959f7b8a9897e868cbbe9a7f298b1f5172aa4a6684f33e0d921b57f687733c9804f11330265f4a7240a80a7a421eff |
memory/1628-180-0x0000000000590000-0x0000000000691000-memory.dmp