Analysis Overview
SHA256
04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295
Threat Level: Shows suspicious behavior
The file 04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 18:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 18:43
Reported
2024-06-13 18:46
Platform
win7-20240508-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1232 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe |
| PID 1232 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe |
| PID 1232 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe |
| PID 1232 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe
"C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe"
C:\Users\Admin\AppData\Local\Temp\kdeohw.exe
"C:\Users\Admin\AppData\Local\Temp\kdeohw.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\kdeohw.exe
| Hash | Value |
|---|---|
| MD5 | cb565232cf4b5ad157feeb9b22e0faa6 |
| SHA1 | 0e40f1ba04a01332db9f3194f1678712804f5da4 |
| SHA256 | 71b258ef903c71b3fd5c2dbdfb837abf987d8dd7dc1dee39c459697a1c427e74 |
| SHA512 | 45ae76cdc0dfc139e87eff85c5a6fd12cd1615a3e3897606235d98df4930536885255fb650d5e67bedbae5b2f48d38e9be3124fa5d58398885a32d46f212e8c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 18:43
Reported
2024-06-13 18:46
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
51s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1392 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe |
| PID 1392 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe |
| PID 1392 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe | C:\Users\Admin\AppData\Local\Temp\kdeohw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe
"C:\Users\Admin\AppData\Local\Temp\04649c0a877ac6fa6d3388376df7a558d4151f81ef0eed781e6f3b541c328295.exe"
C:\Users\Admin\AppData\Local\Temp\kdeohw.exe
"C:\Users\Admin\AppData\Local\Temp\kdeohw.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\kdeohw.exe
| Hash | Value |
|---|---|
| MD5 | cb565232cf4b5ad157feeb9b22e0faa6 |
| SHA1 | 0e40f1ba04a01332db9f3194f1678712804f5da4 |
| SHA256 | 71b258ef903c71b3fd5c2dbdfb837abf987d8dd7dc1dee39c459697a1c427e74 |
| SHA512 | 45ae76cdc0dfc139e87eff85c5a6fd12cd1615a3e3897606235d98df4930536885255fb650d5e67bedbae5b2f48d38e9be3124fa5d58398885a32d46f212e8c9 |