Analysis Overview
SHA256
0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8
Threat Level: Known bad
The file 0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8 was found to be: Known bad.
Malicious Activity Summary
Detect Socks5Systemz Payload
Socks5Systemz
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Checks installed software on the system
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 01:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 01:47
Reported
2024-08-11 01:50
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Socks5Systemz
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RK5RQ.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe | N/A |
Loads dropped DLL
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 45.155.250.90 | N/A | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-RK5RQ.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RK5RQ.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RK5RQ.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RK5RQ.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.exe
"C:\Users\Admin\AppData\Local\Temp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.exe"
C:\Users\Admin\AppData\Local\Temp\is-RK5RQ.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RK5RQ.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp" /SL5="$D0042,4414815,54272,C:\Users\Admin\AppData\Local\Temp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.exe"
C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe
"C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe" -i
C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe
"C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe" -s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| SE | 45.155.250.90:53 | aqbnabf.ru | udp |
| CH | 185.196.8.214:80 | aqbnabf.ru | tcp |
| NL | 89.105.201.183:2023 | | tcp |
| US | 8.8.8.8:53 | 214.8.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.250.155.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.201.105.89.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\is-RK5RQ.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp
| MD5 | 85fc5b8836d8625fbfa40a092386e645 |
| SHA1 | a90bb83f5d8d024bb357a44682267a50406071d6 |
| SHA256 | 6dda4c9c34d1898b592ebeccee9f4b2a2bffefd68296da6310435e13fb63d950 |
| SHA512 | c50e53c2c695c7ba24b4cc2c2f958e1e9ce4eea9b541684ea41c7cae513919bb80171dcaaf1c18a8f37221737e6a1f8ba0881a224abd3dd09407d0c4edb96aae |
C:\Users\Admin\AppData\Local\Temp\is-O8U31.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-O8U31.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/1976-13-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4684-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/4684-0-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe
| MD5 | 21837b6f19f5fcf8a90a3d6f5f27e0b3 |
| SHA1 | e1c17e321eddd3f8ed611684bceff0a2983453a7 |
| SHA256 | f62f9ac2bdf1b12049d1ed404649698322a2375c00e496a019c09e8ac144a581 |
| SHA512 | 432531f985165fc7954e3c9a678b13f572ff5b6e9539b8161fe624dffb00cd4c3f3e0a9ac33cefed363a8e2f79080813441aac720811ee1f8b4cc9e854ca9628 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 01:47
Reported
2024-08-11 01:50
Platform
win11-20240802-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Socks5Systemz
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-PRKBI.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe | N/A |
Loads dropped DLL
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 91.211.247.248 | N/A | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-PRKBI.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-PRKBI.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-PRKBI.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-PRKBI.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.exe
"C:\Users\Admin\AppData\Local\Temp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.exe"
C:\Users\Admin\AppData\Local\Temp\is-PRKBI.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PRKBI.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp" /SL5="$50106,4414815,54272,C:\Users\Admin\AppData\Local\Temp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.exe"
C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe
"C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe" -i
C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe
"C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe" -s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| LT | 91.211.247.248:53 | erkwzaf.ua | udp |
| CH | 185.196.8.214:80 | erkwzaf.ua | tcp |
| NL | 45.156.23.96:2023 | | tcp |
| US | 8.8.8.8:53 | 96.23.156.45.in-addr.arpa | udp |
| NL | 142.250.179.195:443 | www.google.at | tcp |
| NL | 45.156.23.96:2023 | | tcp |
Files
memory/5888-1-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5888-2-0x0000000000401000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-PRKBI.tmp\0e9dc9861a27c2605e3a5a3808b7a01fd24d150aae097093b4257d5feb37e5a8.tmp
| MD5 | 85fc5b8836d8625fbfa40a092386e645 |
| SHA1 | a90bb83f5d8d024bb357a44682267a50406071d6 |
| SHA256 | 6dda4c9c34d1898b592ebeccee9f4b2a2bffefd68296da6310435e13fb63d950 |
| SHA512 | c50e53c2c695c7ba24b4cc2c2f958e1e9ce4eea9b541684ea41c7cae513919bb80171dcaaf1c18a8f37221737e6a1f8ba0881a224abd3dd09407d0c4edb96aae |
memory/4948-13-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-6IGMP.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\is-6IGMP.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\AVI Codec\avicodec32_64.exe
| MD5 | 21837b6f19f5fcf8a90a3d6f5f27e0b3 |
| SHA1 | e1c17e321eddd3f8ed611684bceff0a2983453a7 |
| SHA256 | f62f9ac2bdf1b12049d1ed404649698322a2375c00e496a019c09e8ac144a581 |
| SHA512 | 432531f985165fc7954e3c9a678b13f572ff5b6e9539b8161fe624dffb00cd4c3f3e0a9ac33cefed363a8e2f79080813441aac720811ee1f8b4cc9e854ca9628 |