Analysis Overview
SHA256
c124357189899324dbdad0529912d352f7fc9c1d2fb2ad6cd6f436563de113c8
Threat Level: Shows suspicious behavior
The file CrystalDiskMark3_0_3b-en.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-12 18:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 18:26
Reported
2024-06-12 18:31
Platform
win10v2004-20240508-en
Max time kernel
328s
Max time network
249s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RunDll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1244 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\CrystalDiskMark3_0_3b-en.exe | C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp |
| PID 1244 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\CrystalDiskMark3_0_3b-en.exe | C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp |
| PID 1244 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\CrystalDiskMark3_0_3b-en.exe | C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp |
| PID 380 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp | C:\Windows\SysWOW64\RunDll32.exe |
| PID 380 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp | C:\Windows\SysWOW64\RunDll32.exe |
| PID 380 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp | C:\Windows\SysWOW64\RunDll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CrystalDiskMark3_0_3b-en.exe
"C:\Users\Admin\AppData\Local\Temp\CrystalDiskMark3_0_3b-en.exe"
C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp" /SL5="$501C6,1095529,195584,C:\Users\Admin\AppData\Local\Temp\CrystalDiskMark3_0_3b-en.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-VHT9P.tmp\OCSetupHlp.dll",_OCPRD310OpenCandy2@16 380
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | api.opencandy.com | udp |
Files
memory/1244-3-0x0000000000401000-0x0000000000412000-memory.dmp
memory/1244-0-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-E04SC.tmp\CrystalDiskMark3_0_3b-en.tmp
| MD5 | d5696c0cbc3c518c6901f7fd718af16a |
| SHA1 | b3b1959e8c20ae126127ef85da8284c47431f158 |
| SHA256 | 25f81953c3ae2dc4276668821f6f855ad99d5c5d3170968f701781f5d8f332a4 |
| SHA512 | 56c365b63e92e14e2dad2bfebe6306d831bfbd9839e03dc3652ed23543eacc1ffe3d939a50a100429d930aa29455418676b15039b3e89a2316c429cb554b584e |
memory/380-7-0x0000000000400000-0x000000000053D000-memory.dmp
memory/1244-12-0x0000000000400000-0x000000000043A000-memory.dmp
memory/380-13-0x0000000000400000-0x000000000053D000-memory.dmp
memory/380-17-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-VHT9P.tmp\OCSetupHlp.dll
| MD5 | a60cd235e75424d8db432acb2a65c10f |
| SHA1 | 72e6d61d5ac4f6a706a2b679d5f5673a2c1803d7 |
| SHA256 | d7cd71201d5bde456bb653828dabea16f373a1e89f768b4eb1fa907771a49f1f |
| SHA512 | 3de9ddce3d837af7cb07fe9fe98d942ded66cb61f5a5e918bfb6af9edd942791c1251881990d4ba80be864e87b5eb854747e23f07fde36781448fb8c14f110c9 |
memory/4208-35-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/380-37-0x0000000000400000-0x000000000053D000-memory.dmp
memory/380-39-0x0000000000400000-0x000000000053D000-memory.dmp
memory/4208-40-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/380-64-0x0000000000400000-0x000000000053D000-memory.dmp