Analysis Overview
SHA256
abd203739e09d0bb33bebbe59d90b168474919ca60eb5bd94cb8ecf286ffbfe2
Threat Level: Shows suspicious behavior
The file abd203739e09d0bb33bebbe59d90b168474919ca60eb5bd94cb8ecf286ffbfe2 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
UPX packed file
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 08:24
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 08:24
Reported
2024-06-13 08:27
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\abd203739e09d0bb33bebbe59d90b168474919ca60eb5bd94cb8ecf286ffbfe2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abd203739e09d0bb33bebbe59d90b168474919ca60eb5bd94cb8ecf286ffbfe2.exe
"C:\Users\Admin\AppData\Local\Temp\abd203739e09d0bb33bebbe59d90b168474919ca60eb5bd94cb8ecf286ffbfe2.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.programworkshop.com | udp |
| US | 161.47.163.214:80 | www.programworkshop.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.163.47.161.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4956-0-0x0000000000630000-0x00000000006D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
| MD5 | 368332fca74f48697d842c5f4698ae1d |
| SHA1 | 0275153a1e62bd0eca0b02168895517ed66aac56 |
| SHA256 | 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59 |
| SHA512 | fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5 |
memory/4956-15-0x0000000000630000-0x00000000006D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 08:24
Reported
2024-06-13 08:27
Platform
win11-20240611-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abd203739e09d0bb33bebbe59d90b168474919ca60eb5bd94cb8ecf286ffbfe2.exe
"C:\Users\Admin\AppData\Local\Temp\abd203739e09d0bb33bebbe59d90b168474919ca60eb5bd94cb8ecf286ffbfe2.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
"C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.programworkshop.com | udp |
| US | 161.47.163.214:80 | www.programworkshop.com | tcp |
Files
memory/4736-0-0x0000000000CA0000-0x0000000000D40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe
| MD5 | 368332fca74f48697d842c5f4698ae1d |
| SHA1 | 0275153a1e62bd0eca0b02168895517ed66aac56 |
| SHA256 | 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59 |
| SHA512 | fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5 |
memory/4736-15-0x0000000000CA0000-0x0000000000D40000-memory.dmp