Analysis Overview
SHA256
026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
Threat Level: Likely malicious
The file a283db04904b9d8eae5c34026a062ce0.bin was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Loads dropped DLL
Deletes itself
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:15
Reported
2024-06-14 02:18
Platform
win7-20240611-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies AppInit DLL entries
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\qanhllaok.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\qanhllao.dll | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A |
| File created | C:\Windows\SysWOW64\qanhllaok.exe | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qanhllaok.exe | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe
"C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"
C:\Windows\SysWOW64\qanhllaok.exe
C:\Windows\system32\qanhllaok.exe ˜‰
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat
Network
Files
\Windows\SysWOW64\qanhllaok.exe
| MD5 | a283db04904b9d8eae5c34026a062ce0 |
| SHA1 | 3b4aa391b874eff540aa6c4e0e8c723e9b898bfd |
| SHA256 | 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa |
| SHA512 | 2a405cbf9a073360dd0be2cdd8a783f37aa3fccff0d7a0e6688cf3f4a806b79f74d8177dbbef6f484ed4213195f75635af227ad20b702b155f35dde54909b600 |
C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat
| MD5 | 4e86e0288408cefe8566776a5f434f7d |
| SHA1 | 7b98b6172199ce8a488b3c90adbf831237f14b7e |
| SHA256 | 81a5199a6bcea60e07a05466e28c16ebce91815d9a6924b7c2fd6fae15893044 |
| SHA512 | 54c1b9b20ccc28a5a8bd365bfbe2b79b2ef6f219e804f965fcb70cfba13975bad44140f7554b3771b815cc63d88805a0c322d29f6cff6c77eb4733b804e7518c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:15
Reported
2024-06-14 02:18
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\qanhllaok.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\qanhllao.dll | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A |
| File created | C:\Windows\SysWOW64\qanhllaok.exe | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qanhllaok.exe | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2352 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | C:\Windows\SysWOW64\qanhllaok.exe |
| PID 2352 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | C:\Windows\SysWOW64\qanhllaok.exe |
| PID 2352 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | C:\Windows\SysWOW64\qanhllaok.exe |
| PID 2352 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2352 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2352 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe
"C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"
C:\Windows\SysWOW64\qanhllaok.exe
C:\Windows\system32\qanhllaok.exe ˜‰
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\qanhllaok.exe
| MD5 | a283db04904b9d8eae5c34026a062ce0 |
| SHA1 | 3b4aa391b874eff540aa6c4e0e8c723e9b898bfd |
| SHA256 | 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa |
| SHA512 | 2a405cbf9a073360dd0be2cdd8a783f37aa3fccff0d7a0e6688cf3f4a806b79f74d8177dbbef6f484ed4213195f75635af227ad20b702b155f35dde54909b600 |
C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat
| MD5 | 4e86e0288408cefe8566776a5f434f7d |
| SHA1 | 7b98b6172199ce8a488b3c90adbf831237f14b7e |
| SHA256 | 81a5199a6bcea60e07a05466e28c16ebce91815d9a6924b7c2fd6fae15893044 |
| SHA512 | 54c1b9b20ccc28a5a8bd365bfbe2b79b2ef6f219e804f965fcb70cfba13975bad44140f7554b3771b815cc63d88805a0c322d29f6cff6c77eb4733b804e7518c |