Analysis Overview
SHA256
e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c
Threat Level: Shows suspicious behavior
The file e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:04
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:04
Reported
2024-06-13 02:06
Platform
win7-20240221-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2528 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2648 set thread context of 1172 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2648 set thread context of 2584 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2584 set thread context of 1172 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
Network
Files
memory/2168-11-0x0000000000270000-0x0000000000274000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jinrikisha
| MD5 | da0227fbe8330d1408a4d3faa465be0a |
| SHA1 | ee14a891e166d16850b4883311ee05584735165a |
| SHA256 | 5a388efe7461b3845cbd5f9ff89f97937fbdf08edf226646d27421d393ee9825 |
| SHA512 | 365240a84c7935bf4021d494261a0a7511a1f5da98a54a5eabad77f3ce06c3a8bd8d3bf43c10ae90a53f1cf1604d2cfcb6892da3443187e0af02eb86d968bf01 |
\Users\Admin\AppData\Local\directory\name.exe
| MD5 | ca8e6c01282b57405ae4b2af66adbafa |
| SHA1 | dab881b117a4e3515ff9315e30ce1a0a814ad42d |
| SHA256 | e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c |
| SHA512 | e8bffdcd21fa92b902b2b3b0e1dee8ce38b2c9956758acd217b1b89a085d435bac293a7d11cacd043855fcb999c8d302af42ad8d340af748834013c1875a6da4 |
C:\Users\Admin\AppData\Local\Temp\jinrikisha
| MD5 | 57c62d7a4a364c245acb493ac7deef9a |
| SHA1 | 50d7a78d29adb01ffbf6b7e9391107c310e932aa |
| SHA256 | 9a9176a646d48e6b74c77538c62579e18bd709095e5d40dd7a5a6648514f1f14 |
| SHA512 | 18c7f5578071f1a1c8bff259a2e4e18065531e05f2437517f77437da5b8053186b3b3b823914d1910c2d9e9614054ac20a2f010c42a7e277c73298100aa53cb3 |
C:\Users\Admin\AppData\Local\Temp\Graff
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2528-31-0x00000000001C0000-0x00000000002F3000-memory.dmp
memory/2648-33-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2528-34-0x00000000001C0000-0x00000000002F3000-memory.dmp
memory/2648-35-0x0000000000870000-0x0000000000B73000-memory.dmp
memory/2648-36-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2648-37-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2648-39-0x00000000003B0000-0x00000000003D5000-memory.dmp
memory/2648-38-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1172-40-0x0000000003B20000-0x0000000003C20000-memory.dmp
memory/1172-41-0x0000000009010000-0x000000000BF9E000-memory.dmp
memory/2584-42-0x0000000000090000-0x00000000000CF000-memory.dmp
memory/2584-43-0x0000000000090000-0x00000000000CF000-memory.dmp
memory/2648-45-0x00000000003B0000-0x00000000003D5000-memory.dmp
memory/2648-44-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2584-46-0x0000000000090000-0x00000000000CF000-memory.dmp
memory/2584-47-0x0000000000090000-0x00000000000CF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:04
Reported
2024-06-13 02:06
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Reads user/profile data of web browsers
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3064 set thread context of 1948 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1948 set thread context of 3348 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1948 set thread context of 2196 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 set thread context of 3348 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
| PID 2196 set thread context of 4392 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files\Mozilla Firefox\Firefox.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.comcecliqueaqui.shop | udp |
| US | 8.8.8.8:53 | www.iacsoft.org | udp |
| ES | 217.76.128.34:80 | www.iacsoft.org | tcp |
| US | 8.8.8.8:53 | 34.128.76.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.regierungsluegen.org | udp |
| DE | 217.160.223.34:80 | www.regierungsluegen.org | tcp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.223.160.217.in-addr.arpa | udp |
| DE | 217.160.223.34:80 | www.regierungsluegen.org | tcp |
| DE | 217.160.223.34:80 | www.regierungsluegen.org | tcp |
| DE | 217.160.223.34:80 | www.regierungsluegen.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\aut24E8.tmp
| MD5 | da0227fbe8330d1408a4d3faa465be0a |
| SHA1 | ee14a891e166d16850b4883311ee05584735165a |
| SHA256 | 5a388efe7461b3845cbd5f9ff89f97937fbdf08edf226646d27421d393ee9825 |
| SHA512 | 365240a84c7935bf4021d494261a0a7511a1f5da98a54a5eabad77f3ce06c3a8bd8d3bf43c10ae90a53f1cf1604d2cfcb6892da3443187e0af02eb86d968bf01 |
memory/1432-12-0x0000000001110000-0x0000000001114000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | ca8e6c01282b57405ae4b2af66adbafa |
| SHA1 | dab881b117a4e3515ff9315e30ce1a0a814ad42d |
| SHA256 | e1dc04d5611806a578a793ef0d188c49858c004a291529e1818585e57993396c |
| SHA512 | e8bffdcd21fa92b902b2b3b0e1dee8ce38b2c9956758acd217b1b89a085d435bac293a7d11cacd043855fcb999c8d302af42ad8d340af748834013c1875a6da4 |
C:\Users\Admin\AppData\Local\Temp\jinrikisha
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Graff
| MD5 | 2456358082381cfbd59c47ddaa58edec |
| SHA1 | 498b677a53f41f660f095ef549280dc23a43b680 |
| SHA256 | f9e93076b397c10d887645865170f0fb0a0dd4fcaae025d62563412430d82f93 |
| SHA512 | a3767b7c724e1b8abc3bc1e525eb89d6523205e96fb3e8c244cc6ef6cf2594d929860df25d2bb7277713be9a6846282c1527b68f81ac74c32acd4e5162e6a6df |
memory/1948-32-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1948-33-0x0000000001A00000-0x0000000001D4A000-memory.dmp
memory/1948-34-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1948-35-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1948-36-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1948-37-0x00000000018B0000-0x00000000018D5000-memory.dmp
memory/3348-38-0x000000000E640000-0x000000000F6FE000-memory.dmp
memory/2196-39-0x0000000000E50000-0x0000000000E8F000-memory.dmp
memory/2196-40-0x0000000000E50000-0x0000000000E8F000-memory.dmp
memory/1948-41-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1948-42-0x00000000018B0000-0x00000000018D5000-memory.dmp
memory/2196-43-0x0000000002DB0000-0x00000000030FA000-memory.dmp
memory/2196-44-0x0000000000E50000-0x0000000000E8F000-memory.dmp
memory/2196-45-0x0000000000E50000-0x0000000000E8F000-memory.dmp
memory/3348-46-0x0000000008C10000-0x0000000008D15000-memory.dmp
memory/4392-52-0x00000172738C0000-0x000001727397D000-memory.dmp