Analysis Overview
SHA256
eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5
Threat Level: Known bad
The file eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-16 20:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 20:19
Reported
2024-06-16 20:21
Platform
win7-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
MetaSploit
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\windows\temp\9999.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2232 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | C:\windows\temp\9999.exe |
| PID 2232 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | C:\windows\temp\9999.exe |
| PID 2232 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | C:\windows\temp\9999.exe |
| PID 2232 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | C:\windows\temp\9999.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe
"C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe"
C:\windows\temp\9999.exe
"C:\windows\temp\9999.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 192.168.232.128:9999 | N/A | tcp |
Files
\Windows\Temp\9999.exe
| Hash | Value |
|---|---|
| MD5 | 4bbe06c7549d05c5753ad8a66ae9e7db |
| SHA1 | 10ef56dc6d7caaee5b0a5ae4a9e7c934edbc40d9 |
| SHA256 | 5af31bbe66bbb434fde759c6ec9c2e401d68b00f41e5d8d94472be7e1d4e681e |
| SHA512 | 0853216991deee65f4631d6b964d1c00f5a520f14a488cd682cf5ce7172df30683d0edd308ade8ad99e318ebb071d772fdc0076741bee82269743d3110949491 |
memory/2232-11-0x0000000002370000-0x0000000002375000-memory.dmp
memory/2232-10-0x0000000002370000-0x0000000002375000-memory.dmp
memory/2284-14-0x0000000140000000-0x0000000140004278-memory.dmp
memory/2232-15-0x0000000002390000-0x0000000002391000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 20:19
Reported
2024-06-16 20:21
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
MetaSploit
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\windows\temp\9999.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5028 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | C:\windows\temp\9999.exe |
| PID 5028 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe | C:\windows\temp\9999.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe
"C:\Users\Admin\AppData\Local\Temp\eaaa0aa016cb8cb46396a477c47ed5b55ac2492e6d45769edad65fb650ae17e5.exe"
C:\windows\temp\9999.exe
"C:\windows\temp\9999.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 192.168.232.128:9999 | N/A | tcp |
Files
C:\Windows\Temp\9999.exe
| Hash | Value |
|---|---|
| MD5 | 4bbe06c7549d05c5753ad8a66ae9e7db |
| SHA1 | 10ef56dc6d7caaee5b0a5ae4a9e7c934edbc40d9 |
| SHA256 | 5af31bbe66bbb434fde759c6ec9c2e401d68b00f41e5d8d94472be7e1d4e681e |
| SHA512 | 0853216991deee65f4631d6b964d1c00f5a520f14a488cd682cf5ce7172df30683d0edd308ade8ad99e318ebb071d772fdc0076741bee82269743d3110949491 |
memory/2552-11-0x0000000140000000-0x0000000140004278-memory.dmp