Analysis Overview
SHA256
aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a
Threat Level: Shows suspicious behavior
The file aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-04 20:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-04 20:09
Reported
2024-09-04 20:12
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
139s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-S4MU4.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-S4MU4.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-S4MU4.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe
"C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"
C:\Users\Admin\AppData\Local\Temp\is-S4MU4.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S4MU4.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp" /SL5="$A0032,4595545,205824,C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/5108-0-0x0000000000400000-0x000000000043C000-memory.dmp
memory/5108-2-0x0000000000401000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-S4MU4.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
| MD5 | 2e5268d21ee1d98eccf3b34eec423da1 |
| SHA1 | 8a2438cd614bb41e25840bd2d4093624340340c1 |
| SHA256 | 16eb4e42a9368653bd9d53fe8bde815fe87c597239f36b662cc96dbc007200b7 |
| SHA512 | aad98865430deca874beff456d349e640caaf9969726f1b279995d4eff41efd77e422c43e739af245f7e7ab5e6f970b4b10a8ef40681621a419b533da002fe94 |
memory/1396-7-0x0000000000400000-0x0000000000588000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-BSUCN.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
memory/5108-17-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1396-18-0x0000000000400000-0x0000000000588000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-04 20:09
Reported
2024-09-04 20:12
Platform
win11-20240802-en
Max time kernel
140s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H3KU9.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H3KU9.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-H3KU9.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe
"C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"
C:\Users\Admin\AppData\Local\Temp\is-H3KU9.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H3KU9.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp" /SL5="$40248,4595545,205824,C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"
Network
Files
memory/2728-2-0x0000000000401000-0x0000000000417000-memory.dmp
memory/2728-1-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H3KU9.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
| MD5 | 2e5268d21ee1d98eccf3b34eec423da1 |
| SHA1 | 8a2438cd614bb41e25840bd2d4093624340340c1 |
| SHA256 | 16eb4e42a9368653bd9d53fe8bde815fe87c597239f36b662cc96dbc007200b7 |
| SHA512 | aad98865430deca874beff456d349e640caaf9969726f1b279995d4eff41efd77e422c43e739af245f7e7ab5e6f970b4b10a8ef40681621a419b533da002fe94 |
C:\Users\Admin\AppData\Local\Temp\is-N7697.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
memory/564-12-0x0000000000400000-0x0000000000588000-memory.dmp
memory/2728-17-0x0000000000400000-0x000000000043C000-memory.dmp
memory/564-18-0x0000000000400000-0x0000000000588000-memory.dmp