Analysis Overview
SHA256
0601884653e665bf25bf10ab338d342f06a104d678245c18719e8236d14a619a
Threat Level: Shows suspicious behavior
The file a28223d61c86de0061330bdcda890a45.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks installed software on the system
Maps connected drives based on registry
Drops file in Windows directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:08
Reported
2024-06-14 02:11
Platform
win7-20240611-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Intent Caravan\Intent Caravan.exe | N/A |
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\a28223d61c86de0061330bdcda890a45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | C:\Users\Admin\AppData\Local\Temp\a28223d61c86de0061330bdcda890a45.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\LifeCare.job | C:\Users\Admin\AppData\Local\Temp\a28223d61c86de0061330bdcda890a45.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a28223d61c86de0061330bdcda890a45.exe
"C:\Users\Admin\AppData\Local\Temp\a28223d61c86de0061330bdcda890a45.exe"
C:\Users\Admin\AppData\Roaming\Intent Caravan\Intent Caravan.exe
"C:\Users\Admin\AppData\Roaming\Intent Caravan\Intent Caravan.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ringmynorth.biz | udp |
| US | 8.8.8.8:53 | allmodel-pro.com | udp |
| US | 204.11.56.48:80 | allmodel-pro.com | tcp |
| US | 8.8.8.8:53 | center-ring.link | udp |
| US | 45.33.2.79:80 | center-ring.link | tcp |
| US | 8.8.8.8:53 | get-bluesee.info | udp |
Files
memory/2408-0-0x0000000000A70000-0x0000000000AB0000-memory.dmp
memory/2408-2-0x0000000000140000-0x000000000016F000-memory.dmp
memory/2408-11-0x0000000000760000-0x0000000000787000-memory.dmp
C:\Users\Admin\AppData\Roaming\Intent Caravan\Intent Caravan.exe
| MD5 | 02446070cb56d8cadd602ff2c76ad7c3 |
| SHA1 | 0b29794ba3335c718780df39ee9931df7990670f |
| SHA256 | 80e8d1c27ad79ef100aad5704d51a1fe87861a2d5bf5a84c6b8dcbb4650d1841 |
| SHA512 | 49290d7923bf8c93e3556fdedae764abbe95a40407b8abb0913579c4d02a421dff995ac1adc62f8289ee988a56e379677c381549425c01a865b117c34f5d6333 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:08
Reported
2024-06-14 02:11
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\LifeCare.job | C:\Users\Admin\AppData\Local\Temp\a28223d61c86de0061330bdcda890a45.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a28223d61c86de0061330bdcda890a45.exe
"C:\Users\Admin\AppData\Local\Temp\a28223d61c86de0061330bdcda890a45.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ringmynorth.biz | udp |
| US | 8.8.8.8:53 | allmodel-pro.com | udp |
| US | 8.8.8.8:53 | center-ring.link | udp |
| US | 8.8.8.8:53 | get-bluesee.info | udp |
Files
memory/960-1-0x0000000001590000-0x00000000015BF000-memory.dmp
memory/960-8-0x0000000001440000-0x0000000001540000-memory.dmp
memory/960-9-0x0000000005180000-0x00000000051A7000-memory.dmp
memory/960-23-0x0000000001440000-0x0000000001540000-memory.dmp