Analysis Overview
SHA256
56217fbcfcdcddb213a05093c6b65587a98f96dd46ea819273dcf1db50bfba89
Threat Level: Shows suspicious behavior
The file 3e5165aeda9ff532d44c0b2a85da72c0N.exe shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 10:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:11
Platform
win7-20240704-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2396 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
| PID 2396 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | "C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe" |
| C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 216.58.214.163:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.71:80 | crl.microsoft.com | tcp |
Files
memory/2396-0-0x0000000000400000-0x00000000004ED000-memory.dmp
\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
| Hash | Value |
|---|---|
| MD5 | 6a06b5a3c823a63cc9db02f22d961501 |
| SHA1 | 4e5cb3409cb6249d2f564db18f10fede528f5aeb |
| SHA256 | 1d4dedcdc2778ced3a98923749ed79092210a4240376f0481ef4d3cd20cb2d08 |
| SHA512 | ae5c7e20666a0161ab39b1a788f136a37ff5c08504be4d9b18f9af73e419eca63dc1b767bab469e86a3fcf278a94e3be98090c7314f887c1620c2dd612b018a9 |
memory/2396-6-0x0000000002E90000-0x0000000002F7D000-memory.dmp
memory/2872-10-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/2396-8-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/2872-12-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2872-17-0x0000000002CF0000-0x0000000002DDD000-memory.dmp
memory/2872-33-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2872-39-0x00000000066D0000-0x0000000006773000-memory.dmp
memory/2872-40-0x0000000000400000-0x00000000004ED000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:11
Platform
win10v2004-20240802-en
Max time kernel
104s
Max time network
117s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3300 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
| PID 3300 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
| PID 3300 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | "C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3300 -ip 3300 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 344 |
| C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe | C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 344 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 628 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 648 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 648 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 740 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1016 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1408 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1508 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1520 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1512 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1652 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1512 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2012 -ip 2012 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1536 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 216.58.214.163:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3300-0-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/3300-7-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/2012-6-0x0000000000400000-0x00000000004ED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
| Hash | Value |
|---|---|
| MD5 | 6312d7d1f0874f3510bbeb6a899a234f |
| SHA1 | c0b475a68085b10c49023b0ea6fd3bdc607333b4 |
| SHA256 | 59d38bcc7fa2cd36c052cae065762fad69a4f35a58d74dfa8dc8e96348251b7d |
| SHA512 | 3db7c8a55444f6dda61e22cc15465813a88dbf214437b8cf08f64f090089b32b0da72bfe6ddc0d2552740830507a015e9894986121e85cc6b767f6bebd68916c |
memory/2012-8-0x0000000004E70000-0x0000000004F5D000-memory.dmp
memory/2012-9-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2012-21-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2012-27-0x000000000B9B0000-0x000000000BA53000-memory.dmp
memory/2012-28-0x0000000000400000-0x00000000004ED000-memory.dmp