Analysis Overview
SHA256
d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd
Threat Level: Known bad
The file d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd was found to be: Known bad.
Malicious Activity Summary
Modifies visiblity of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 04:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 04:18
Reported
2024-06-14 04:21
Platform
win7-20240611-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2080 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | C:\Users\Admin\Admin.exe |
| PID 2080 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | C:\Users\Admin\Admin.exe |
| PID 2080 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | C:\Users\Admin\Admin.exe |
| PID 2080 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe
"C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 206.189.185.75:8000 | ns1.theimageparlour.net | tcp |
Files
\Users\Admin\Admin.exe
| MD5 | 8b944f7c172733d2a87b56e826cabe7a |
| SHA1 | 15dc89a9872f6d539c16f37b0c5622a95498966b |
| SHA256 | 1566e2784c6095230a08717f63ef3cdd3910a2535c0141dcee1bdb7c838e349f |
| SHA512 | a96ad233b7807cecc3e84e383584a69f0ba3421194e3340091d8fcb28db0ed69a833b3ad55f6ff5d1eb0275474d6dfe5ab8acfe2e9762ac7f0a8fab606c3599e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 04:18
Reported
2024-06-14 04:21
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
152s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3932 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | C:\Users\Admin\Admin.exe |
| PID 3932 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | C:\Users\Admin\Admin.exe |
| PID 3932 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe
"C:\Users\Admin\AppData\Local\Temp\d119d6bfe9ef50cbeae6af851d82ca7e7d28c5f439aec528504d88f4962cc3bd.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3648 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\Admin.exe
| MD5 | d71963103efade3704fb034ca492a1e9 |
| SHA1 | 3f736f6fa1476e71a138aae3f4e81eaf1c0be069 |
| SHA256 | b00d868a5f693afaaae26e8e2cec8910ecb04fc66e74f36c4fb9a7e0e8d07403 |
| SHA512 | 43dd7a296762b0c11d4f581a17f421c493734ae44fba88e2d1fa4143a65a383b1e8571e4a8d0031be6197f55191ef8b2fa4763f768b6846c840f5028a098185c |