Analysis Overview
SHA256
de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918
Threat Level: Shows suspicious behavior
The file de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Modifies Internet Explorer settings
Modifies system certificate store
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 22:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 22:21
Reported
2024-06-14 22:23
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
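The Blob value above is the serialized certificate-property list Windows stores under SystemCertificates: a run of records, each a little-endian DWORD property ID, a reserved DWORD (always 1), a DWORD length and the data, with property 32 (CERT_CERT_PROP_ID) carrying the DER certificate and property 3 the SHA-1 that must equal the key name. Read that way, the hex in this report carries the subject "DigiCert Assured ID Root CA" (the string is visible in the DER) and a SHA-1 property of 0563b863…, matching the key; together with the CryptnetUrlCache file listed under Files, that points at the Windows automatic root update rather than an attacker-planted root, so the signature is worth decoding before it is acted on. The decoder below is an added example, not part of the report or of any tool it names; it uses only the standard library. PROP_NAMES, the function names and the toy blob built by build_sample_blob() are mine and the sample is constructed so the script runs offline; to decode the report's value, pass bytes.fromhex() of the hex above to describe() instead.

```python
import hashlib
import struct

# CERT_*_PROP_ID constants from wincrypt.h that occur in the report's blob.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    29: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
}


def parse_cert_blob(blob):
    """Split the serialized property list into {prop_id: data}; refuse truncated input."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError("unexpected reserved value %d for property %d" % (reserved, prop_id))
        if off + length > len(blob):
            raise ValueError("property %d claims %d bytes past end of blob" % (prop_id, length))
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def _der_tlv(buf, off):
    """Read one DER tag/length/value at `off`; return (tag, value, next_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def common_names(der):
    """Every CN (OID 2.5.4.3) string in a DER certificate, in order of appearance:
    issuer CN first, then subject CN (identical for a self-signed root)."""
    oid_cn = b"\x06\x03\x55\x04\x03"
    names, idx = [], der.find(oid_cn)
    while idx != -1:
        tag, value, _ = _der_tlv(der, idx + len(oid_cn))
        if tag in (0x13, 0x16):             # PrintableString / IA5String
            names.append(value.decode("ascii", "replace"))
        elif tag == 0x0C:                   # UTF8String
            names.append(value.decode("utf-8", "replace"))
        idx = der.find(oid_cn, idx + 1)
    return names


def describe(blob):
    """Summarize a blob: properties present, the certificate's SHA-1 (compare it
    with the registry key name), whether it matches the stored hash, and the CNs."""
    props = parse_cert_blob(blob)
    if 32 not in props:
        raise ValueError("blob has no CERT_CERT_PROP_ID (32); nothing to inspect")
    cert = props[32]
    sha1 = hashlib.sha1(cert).hexdigest()
    friendly = props.get(11, b"").decode("utf-16-le", "replace").rstrip("\0")
    return {
        "properties": [PROP_NAMES.get(p, "prop_%d" % p) for p in props],
        "sha1": sha1,
        "sha1_matches_stored_hash": sha1 == props.get(3, b"").hex(),
        "friendly_name": friendly,
        "common_names": common_names(cert),
    }


# --- constructed sample blob (not taken from the report) so the decoder runs offline ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _prop(prop_id, data):
    return struct.pack("<III", prop_id, 1, len(data)) + data


def build_sample_blob(cn="Constructed Test Root"):
    """Toy blob: friendly name, SHA-1 property and a minimal DER body holding an
    issuer Name and a subject Name with the given CN (enough for the CN search)."""
    rdn = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode("ascii")))
    name = _der(0x30, _der(0x31, rdn))
    toy_cert = _der(0x30, name + name)
    return (_prop(11, (cn + "\0").encode("utf-16-le"))
            + _prop(3, hashlib.sha1(toy_cert).digest())
            + _prop(32, toy_cert))


if __name__ == "__main__":
    # For the report's value: describe(bytes.fromhex("<Blob hex from the table>"))
    for key, value in describe(build_sample_blob()).items():
        print("%-26s %s" % (key, value))
```

When the SHA-1 recomputed from property 32 differs from the key name or from property 3, the value was not written by CryptoAPI's own serializer and deserves a closer look; when it matches and the CN is a root Microsoft ships, the write is most likely the automatic root update fetching a certificate it needed for chain building.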
Processes
C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe
"C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn-file-ssl-wan.ludashi.com | udp |
| US | 8.8.8.8:53 | s.ludashi.com | udp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| CN | 61.170.80.233:80 | cdn-file-ssl-wan.ludashi.com | tcp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| CN | 61.170.80.230:80 | cdn-file-ssl-wan.ludashi.com | tcp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
Files
memory/1676-0-0x0000000000400000-0x0000000000858000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
\Users\Admin\AppData\Local\Temp\WdGame_xycs2\NetBridge.dll
| MD5 | 8831f7909db45f47b721a9cd60e6a28d |
| SHA1 | 1ce12b34fdc4c310c92439115f33beac9bcff5e8 |
| SHA256 | cbf87bfcc410374b15ca60d9cba2a7ccd4800bd0c0f9cdbb399c48e4d21b1c07 |
| SHA512 | 7cfc73ce48e9bd8dc2f4c9cd40f0a2cbed7d72fb2281f7c63c606453d31d0f9671071d181df724619fa56e5a7515ce66dd4a0270389666092a727d24e5562eba |
memory/1676-48-0x0000000000400000-0x0000000000858000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 22:21
Reported
2024-06-14 22:23
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe
"C:\Users\Admin\AppData\Local\Temp\de0d908581472a3325a382ae6caa05af751b07498e44c9865c9224586b967918.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3732 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn-file-ssl-wan.ludashi.com | udp |
| CN | 61.170.80.233:80 | cdn-file-ssl-wan.ludashi.com | tcp |
| US | 8.8.8.8:53 | s.ludashi.com | udp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| CN | 61.170.80.229:80 | cdn-file-ssl-wan.ludashi.com | tcp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| CN | 106.15.139.192:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
memory/3080-0-0x0000000000400000-0x0000000000858000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WdGame_xycs2\NetBridge.dll
| MD5 | 8831f7909db45f47b721a9cd60e6a28d |
| SHA1 | 1ce12b34fdc4c310c92439115f33beac9bcff5e8 |
| SHA256 | cbf87bfcc410374b15ca60d9cba2a7ccd4800bd0c0f9cdbb399c48e4d21b1c07 |
| SHA512 | 7cfc73ce48e9bd8dc2f4c9cd40f0a2cbed7d72fb2281f7c63c606453d31d0f9671071d181df724619fa56e5a7515ce66dd4a0270389666092a727d24e5562eba |
memory/3080-22-0x0000000000400000-0x0000000000858000-memory.dmp