Analysis Overview
SHA256
445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0
Threat Level: Likely benign
The file 445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe was found to be: Likely benign.
Malicious Activity Summary
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-14 01:14
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 01:14
Reported
2024-06-14 01:17
Platform
win7-20240611-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2100 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2128 set thread context of 1268 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2128 set thread context of 2968 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\write.exe |
| PID 2968 set thread context of 1268 | N/A | C:\Windows\SysWOW64\write.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\write.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\write.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe
"C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe"
C:\Windows\SysWOW64\write.exe
"C:\Windows\SysWOW64\write.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\scroll
| MD5 | db6785e9322897354fe19bf85d0ac3d4 |
| SHA1 | 40a149185c562422409a323009dde774174be772 |
| SHA256 | 4cd0ce24b2b2e0bca5066c5469ecba0a84dbebc4f49f27f15abba3e8e49d3cfb |
| SHA512 | e6e803398d25093b291f29908c6588a8f096a2e12645489ac52d2d1a52d56d482ef9d3952b80fe4b8d19472d774bc240b5e9a3c18b500ef8613a1b5d1e506077 |
memory/2100-11-0x0000000000150000-0x0000000000154000-memory.dmp
memory/2128-12-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2128-13-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2128-14-0x0000000000AC0000-0x0000000000DC3000-memory.dmp
memory/2128-15-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2128-16-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2128-17-0x00000000001E0000-0x0000000000204000-memory.dmp
memory/1268-18-0x0000000008D20000-0x0000000009635000-memory.dmp
memory/2968-19-0x00000000000C0000-0x00000000000FF000-memory.dmp
memory/2968-20-0x00000000000C0000-0x00000000000FF000-memory.dmp
memory/2128-21-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2128-22-0x00000000001E0000-0x0000000000204000-memory.dmp
memory/2968-23-0x0000000002070000-0x0000000002373000-memory.dmp
memory/2968-24-0x00000000000C0000-0x00000000000FF000-memory.dmp
memory/2968-25-0x00000000007F0000-0x0000000000893000-memory.dmp
memory/1268-26-0x0000000008D20000-0x0000000009635000-memory.dmp
memory/2968-27-0x00000000000C0000-0x00000000000FF000-memory.dmp
memory/2968-28-0x00000000007F0000-0x0000000000893000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 01:14
Reported
2024-06-14 01:17
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 416 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1924 set thread context of 3400 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1924 set thread context of 3620 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\write.exe |
| PID 3620 set thread context of 3400 | N/A | C:\Windows\SysWOW64\write.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\write.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\write.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 416 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 416 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 416 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 416 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3400 wrote to memory of 3620 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\write.exe |
| PID 3400 wrote to memory of 3620 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\write.exe |
| PID 3400 wrote to memory of 3620 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\write.exe |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe
"C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe"
C:\Windows\SysWOW64\write.exe
"C:\Windows\SysWOW64\write.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.am1-728585.com | udp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | www.witoharmuth.com | udp |
| US | 8.8.8.8:53 | www.magnoliahairandco.com | udp |
| US | 8.8.8.8:53 | www.binpvae.lol | udp |
| US | 8.8.8.8:53 | www.duzane.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut4BBE.tmp
| MD5 | db6785e9322897354fe19bf85d0ac3d4 |
| SHA1 | 40a149185c562422409a323009dde774174be772 |
| SHA256 | 4cd0ce24b2b2e0bca5066c5469ecba0a84dbebc4f49f27f15abba3e8e49d3cfb |
| SHA512 | e6e803398d25093b291f29908c6588a8f096a2e12645489ac52d2d1a52d56d482ef9d3952b80fe4b8d19472d774bc240b5e9a3c18b500ef8613a1b5d1e506077 |
memory/416-12-0x0000000001F90000-0x0000000001F94000-memory.dmp
memory/1924-13-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1924-14-0x0000000000E00000-0x000000000114A000-memory.dmp
memory/1924-15-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1924-16-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1924-17-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1924-18-0x0000000002960000-0x0000000002984000-memory.dmp
memory/3400-19-0x000000000E220000-0x000000000F9B1000-memory.dmp
memory/3620-20-0x0000000000530000-0x000000000056F000-memory.dmp
memory/3620-21-0x0000000000530000-0x000000000056F000-memory.dmp
memory/1924-23-0x0000000002960000-0x0000000002984000-memory.dmp
memory/1924-22-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3620-24-0x0000000002630000-0x000000000297A000-memory.dmp
memory/3620-25-0x0000000000530000-0x000000000056F000-memory.dmp
memory/3620-26-0x0000000002530000-0x00000000025D3000-memory.dmp
memory/3400-27-0x000000000E220000-0x000000000F9B1000-memory.dmp
memory/3620-28-0x0000000000530000-0x000000000056F000-memory.dmp
memory/3400-30-0x0000000002F60000-0x0000000003058000-memory.dmp
memory/3400-31-0x0000000002F60000-0x0000000003058000-memory.dmp