Analysis Overview
SHA256
501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45
Threat Level: Likely malicious
The file 501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45 was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (175) files with added filename extension
Renames multiple (214) files with added filename extension
Drops file in Drivers directory
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-19 21:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-19 21:07
Reported
2024-10-19 21:09
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Renames multiple (175) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\uninstall\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
| File created | C:\Windows\RichDll.dll | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | "C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
Network
Files
C:\Program Files\7-Zip\7zFM.exe.Exe
C:\Program Files\7-Zip\RCX77F0.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCX7E9C.tmp
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCX7ECE.tmp
C:\Program Files (x86)\Google\Update\1.3.36.151\RCX7F46.tmp
C:\Program Files (x86)\Mozilla Maintenance Service\RCX7F9A.tmp
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RCX83EF.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-19 21:07
Reported
2024-10-19 21:09
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Renames multiple (214) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\uninstall\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
| File created | C:\Windows\RichDll.dll | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe | "C:\Users\Admin\AppData\Local\Temp\501c02b960d8ea6d7488e9590bd9b92a4d36c536846d29c383aaba805da04f45.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
Network
Files
C:\Program Files\7-Zip\7zFM.exe.Exe
C:\Program Files\7-Zip\RCXC80.tmp
C:\Program Files\Mozilla Firefox\RCX1075.tmp
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX182D.tmp
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX1AB0.tmp
C:\Program Files (x86)\Google\Update\1.3.36.371\RCX1B16.tmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX1C18.tmp
C:\Program Files (x86)\Mozilla Maintenance Service\RCX1C9D.tmp
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.Exe
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RCX2133.tmp