Analysis Overview
SHA256
0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688
Threat Level: Shows suspicious behavior
The file 0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 13:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 13:42
Reported
2024-10-21 13:44
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqs89B9.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqs89B9.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe
"C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe"
C:\Users\Admin\AppData\Local\Temp\eqs89B9.tmp
"C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe"
Network
| Country | Destination | Domain | Proto |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
| MD | 195.93.218.135:80 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\eqs89B9.tmp
| MD5 | 2b12c44848b539f51748499f99d3762c |
| SHA1 | 46d6ee16760945167e107f19e4100b4e969c2f40 |
| SHA256 | c6e410b1d91ed8cf22fbdc1385d43c3ae2a269f0ba43e88a52e56b4b2c3ac99b |
| SHA512 | 0f0ed7c0a6f57e79dc7633673a3f20ef7b0c824d0154f18b998f8fe164d391dc426553d2dfbb33010336df2b244624b34944887a8cf3d9aed75f00c4853ed699 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | fc7c9842c50e9d54032ab7fa6b0b772a |
| SHA1 | fa7f39bcc95e9715b24e57df1dda1fee30cddb08 |
| SHA256 | 4e699d4a0d0cef1b1a3d72fdedc81838db8c8e9f860c4f04b828c3c747ba7faf |
| SHA512 | 483005bcac23dd0b76339a67166e4a6017b62fc4618848dd718292a1bd498fd3ce57c9f5a423fe905f4a6ea4216562895b0c17204d7f904b42db83286b5662b0 |
C:\Program Files\7-Zip\RCXDD4C.tmp
| MD5 | 31ca51862b31bcf129556d16f467af09 |
| SHA1 | 5a211b99259a8b98aba5b281f57d2dbd6cf3325f |
| SHA256 | c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c |
| SHA512 | ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f |
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RCXE52D.tmp
| MD5 | ece241325773b09034e036965aff6aa9 |
| SHA1 | 2dea95ca66c980c0f3c5139c9493f7613a0b6d49 |
| SHA256 | 199a8e6acfe3945eeaf145276a95641d7d9241f4afc9f2bbbc7f37827a28eb95 |
| SHA512 | af5a94c0b1dba53f6c4d96f31c0f2ed7cdca5f5b226ca97f6a79b0080dcd13cd1645dc62cc8917e250ed5a0feba833f2aa53795e7d3d6216cc00175b5fac026d |
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 2c5f6b0f7a4fcfb1628f3d7f7f83e783 |
| SHA1 | 4e9f45a29a4d288bad02f32e9135bd8670ade666 |
| SHA256 | 3da3f7cdf2f24eaf4c644d3ef12043409d6b820251cbaaf9b810761ae7051b5c |
| SHA512 | 42e83012c5e564a10338d80b3c02bf322f47c16d5cedb30400ab99015457a1484819465077a84db4c5f2250d6dc68b1813f630127e06f4fc95e6fe18a37e9fa9 |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\RCXF10E.tmp
| MD5 | e6f438d111bf7a34a1a4d6fadbbf3b18 |
| SHA1 | e229f19e2a11b6dac111f118794f236e319b69dc |
| SHA256 | 07dd9e527307701c313d267fbe83d43a30899c91401951140f58b4d736d63f48 |
| SHA512 | 54e161a041d00f0eabfbdcfa1e5254a16081186e9e87684e094dc303f7a5cc1bd11a97636a9fe0573c3a27d714bc1dd10110667711254cca60d52b1e615f3701 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 13:42
Reported
2024-10-21 13:44
Platform
win10v2004-20241007-en
Max time kernel
107s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3616 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp |
| PID 3616 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp |
| PID 3616 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe
"C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe"
C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp
"C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe"
Network
| Country | Destination | Domain | Proto |
| MD | 195.93.218.135:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.117.19.2.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| MD | 195.93.218.135:80 | | tcp |
Files
memory/3616-0-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp
| MD5 | 2b12c44848b539f51748499f99d3762c |
| SHA1 | 46d6ee16760945167e107f19e4100b4e969c2f40 |
| SHA256 | c6e410b1d91ed8cf22fbdc1385d43c3ae2a269f0ba43e88a52e56b4b2c3ac99b |
| SHA512 | 0f0ed7c0a6f57e79dc7633673a3f20ef7b0c824d0154f18b998f8fe164d391dc426553d2dfbb33010336df2b244624b34944887a8cf3d9aed75f00c4853ed699 |
C:\Program Files\7-Zip\7z.exe
| MD5 | 9860d285650144b5670621106291fd56 |
| SHA1 | 2c0a66c7362d1d2a4ed6a56a86abdeac0ab6239b |
| SHA256 | 7970f96dcc685a3a423bc2a2e156b9e0c3caf0fc8464973bb50c674ffa1c62cd |
| SHA512 | b1635214b6a1a1f9dc984aae0f331368570174548ab06d090119752e0d4dcf69796a4993763783e735d261e30c1c3fdfb0d6939789d8922905a967f56bc1227f |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | af59f8fcc27461a6c9db6cf1c4080da4 |
| SHA1 | cf69515b95e1cf51f70180dc1c4bec61fb69a6bf |
| SHA256 | 6200d4d7cd8a364738431b0b55c710a8769c8a0d9b95e277633738f9d4435f1d |
| SHA512 | 3baca97fd25ed29ceeb7b9d08e1c26ca3f3d1d44b080c83da032554f52ce26b65f6b9e95abbc692029d88beab99323f2c13770cbe21b501e605a003934c8fc97 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX4A56.tmp
| MD5 | 1f75518e4bdc08ad0e5872e6d6fa0a3b |
| SHA1 | 045c2f37078d5bbbcedc98fb554330eace8bbbe9 |
| SHA256 | ccfa1e9e25c36c6d6a9fa8c80a5e794fee8a2d8934bcf6c4f03e663509aa9a2f |
| SHA512 | 74010c987b997df3908577cb0191400b16035d72cf6c51acb5f17f340ffcb1d5f505c315aaff816a1049444133d869720003a1731e8a5f16de04d8cbb283ffdf |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX4AF3.tmp
| MD5 | d54a18ccac3e291cf5d1780314b6959d |
| SHA1 | f1892ac192f6421782c5d3f4fa46e83d956dbc1e |
| SHA256 | 9b3a5b4f572bcce0f6838b9fb5eba7a2d2d7d9ec1e208bfc0f451ff61d098bde |
| SHA512 | 172dbc0d4b280e0212d82bc83f049505f99b429076d87a6b740483e33f63159087544e3cd6ab67ff05ec1eb0e5f89521da96db42187862b4574f9231a9341700 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX4BA1.tmp
| MD5 | 53889c85c32108f93022352ea52f0ddd |
| SHA1 | a0f6da80f0a2a2b700a2670e89c3e58a27ea956f |
| SHA256 | b19c6539228d8c64bbec068c8101792ee86e8c38d9488a787aa4cb922e2fc647 |
| SHA512 | 5dfaa70902305b71e2425168850bba293a24bc2bc76f08991e1e2c8fe6f780b2287cb0e312c636bbef578734846f881c94479c151684e55415c4c8529dd8085e |
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
| MD5 | 6b4f640db3307cc5cc16ac202286c355 |
| SHA1 | 6f4470a76d29112d91ec6c52f912fb5fb19ae522 |
| SHA256 | deecb970becf18df794f979c050aadd547ef7421cccfc2143ab1c5d014f161db |
| SHA512 | a48c92e769454be4fcefb661fd4503576d06aba3106c769728e4973c19fe58aa65d690e163a4db9020b77bf9dc78c62753ef3ba62b88187ab67edc6828658445 |
C:\Program Files (x86)\Google\Update\RCX5863.tmp
| MD5 | 24bd9543a93a1ae90854cd838044cb1a |
| SHA1 | 3fc631dfe58a660159607a13f22697e61004cd29 |
| SHA256 | 71040e6ab05bc9a3ad564a3ce408e16d2099cfa3eda03c20070ff0fc5cd08bda |
| SHA512 | 58802d2d66dd2107af8cc2bcfd2ab1478fb9b4c626bcd3cb34ef9e8e7884ab92921b74f00774b6b3a5d0fa7df0f66eb292de790e1a616a3b7f29b13b330f23dc |
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCX5E85.tmp
| MD5 | 2ee82bf31f8f29f17aa432e16e8a9192 |
| SHA1 | 2b9c59b13c5544f818b34536511aa0e89d7df435 |
| SHA256 | fd3f8155e1151ab0e0d91b9455166d05ee026c6914a66ec259202b4ebac86334 |
| SHA512 | c9dfbdbdcdc6a4b3433f8dcb3415d7d7ec22b2098879ba774e1fca720d609ce78203a7ffd54c047fcfadbfda0a115611f3db7461e00b8173f64e186440baca33 |
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe
| MD5 | f6515f978068fe2cf28dc4b3a44ed16b |
| SHA1 | e6f4c144b0f190a74ae8da6473bc08332d3d5f20 |
| SHA256 | 4bb6de4aba4472b03088267b255b6feb3ee4b76e3f50d61cb31fa9739ed7091b |
| SHA512 | d99c4793e14d44a5654d3e9d30e555791c41df91c0d9d299ec611e229801d64d98f66c0a808890e06c647ddc08edc75b523c491225736bd40922f130036f27a5 |
C:\Program Files (x86)\Mozilla Maintenance Service\RCX5F38.tmp
| MD5 | 77dbc4532d0527b80563fef9ab9f7d32 |
| SHA1 | a27cee72780384bc67865e57c2db9b4b4e655d08 |
| SHA256 | 43e174176205b249709b329d274c6493ea3cb4e252bca7b2dcb3a067d8896f43 |
| SHA512 | bfa715736ba0bfad1723b8fa98e98164f7645ffa741a1b5b957e96a09fc36c8ac96ba3c20b6a4f07e7ebec8a4e7ec3f87a70dda3acf5b0254f925fcda7fc35bf |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCX6092.tmp
| MD5 | e51281f5acbc298a898ebf7cd270fad4 |
| SHA1 | aa54f61b89db033d5d6b39cca971f76730aba054 |
| SHA256 | dca3096afaab558ecf91ef35f9d3427f7ed2cbc17341067203b9e3e103045867 |
| SHA512 | bae3e66e0273abc67c174244a6b14468043ac73b013f9d5a3510d615f8de91f5ce76afc3339d4ac7546274cadeb28261ead730791e252bc42623c2d5f218683c |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
| MD5 | 59dbe39c9ae8f8f6b2a667d65dcbcb56 |
| SHA1 | 61393a4c69407671fc5a8fc30ddcc4d5c27b7868 |
| SHA256 | c1cb0ee24ce7657126b2cbc8820ea012eb9d0f72cba5184721dd23ce4aea07ee |
| SHA512 | 610a251c3ba3f851bbdf85084f0f960bae98ac4c6a02e09723ce0b53c23dd2e84179f52286d798e104dc5c3e18719ecfe986a5bd14207ac710197e9728d28eec |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe
| MD5 | eb8d0840836181126ee23df607d9eaea |
| SHA1 | a22788e9444bc72b37071a5445ad5be85a6ce283 |
| SHA256 | dbb6ccc5364745f5370f6e743588677982dc8dc0ec0e6384a3cac86d7f138b9e |
| SHA512 | 983efbfcfe8d7ba2a5ccb58e23cef8009be18f52d68df998569abca8b56ec2df69027f3729bb77d868cc38715a79eb0525610f85d8cac18ec783bc65b34c51f4 |
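The indicators worth acting on are spread across the behavioral1 and behavioral2 sections above: the dropped stage (eqs89B9.tmp on Windows 7, eqs950C.tmp on Windows 10) carries the same SHA256 in both detonations, the only connection made without a DNS lookup is to 195.93.218.135:80, and the WriteProcessMemory rows show PID 3616 writing into the freshly dropped Temp executable. The script below is an added example, not part of the report or of the sandbox vendor's tooling. It parses the plain-text table layout used on this page, normalises the network rows where the protocol has slipped into the Domain column, and reduces the result to hashes, direct-to-IP destinations and cross-process writes into Temp. The embedded sample is a constructed excerpt in the same layout as the behavioral2 section; treating the named bing.com traffic as sandbox background noise is an assumption to verify per image.

```python
"""Extract indicators from a sandbox report laid out like the one on this page.

Added example; not part of the report or the sandbox vendor's tooling. It assumes
the plain-text layout used above: file paths followed by '| MD5 | <hex> |'-style rows,
a '| Country | Destination | Domain | Proto |' network table, and
'PID A wrote to memory of B' rows under the WriteProcessMemory signature.
"""
import re
from collections import defaultdict

HASH_ROW = re.compile(r"^(MD5|SHA1|SHA256|SHA512)$", re.I)
WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
PROTOS = {"tcp", "udp"}
SECTION_HEADERS = {"Signatures", "Processes", "Network", "Files"}

# Constructed sample: an excerpt in the same layout as the behavioral2 section above.
SAMPLE = r"""
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3616 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\0797f52124bb6826ddd1775cb1c4d7b89112ab7d27d9f3984d9bea3a1151e688N.exe | C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp
Network
| Country | Destination | Domain | Proto |
| MD | 195.93.218.135:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| MD | 195.93.218.135:80 | tcp |
Files
memory/3616-0-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eqs950C.tmp
| MD5 | 2b12c44848b539f51748499f99d3762c |
| SHA256 | c6e410b1d91ed8cf22fbdc1385d43c3ae2a269f0ba43e88a52e56b4b2c3ac99b |
C:\Program Files\7-Zip\7z.exe
| SHA256 | 7970f96dcc685a3a423bc2a2e156b9e0c3caf0fc8464973bb50c674ffa1c62cd |
"""


def _cells(line):
    """Split a '| a | b |' row into stripped cells; tolerates a missing trailing pipe."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    """Return {'files': {path: {HASH: hex}}, 'network': [row dicts], 'writes': [(src, dst, proc, target)]}."""
    files, network, writes = {}, [], []
    section, current_path = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section, current_path = line, None
            continue
        if line == "Suspicious use of WriteProcessMemory":
            section = "wpm"
            continue
        if not line.startswith("|"):
            if section == "Files":
                current_path = line  # a dropped/modified file path, or a memory-dump name
                files.setdefault(current_path, {})
            continue
        cells = _cells(line)
        if section == "Files" and current_path and len(cells) == 2 and HASH_ROW.match(cells[0]):
            files[current_path][cells[0].upper()] = cells[1].lower()
        elif section == "Network" and cells[0] != "Country":
            country, dest = cells[0], cells[1]
            rest = [c for c in cells[2:] if c]
            # Some rows carry the protocol in the Domain column with an empty Proto cell
            # (or drop the trailing pipe); normalise so direct-to-IP flows stay visible.
            if rest and rest[0] in PROTOS:
                domain, proto = "", rest[0]
            else:
                domain = rest[0] if rest else ""
                proto = rest[1] if len(rest) > 1 else ""
            network.append({"country": country, "destination": dest, "domain": domain, "proto": proto})
        elif section == "wpm":
            m = WPM_ROW.match(cells[0])
            if m and len(cells) == 4:
                writes.append((int(m.group(1)), int(m.group(2)), cells[2], cells[3]))
    return {"files": files, "network": network, "writes": writes}


def summarize(report):
    """Collapse a parsed report into the indicators a responder would act on."""
    paths_by_sha256 = defaultdict(list)
    for path, hashes in report["files"].items():
        if "SHA256" in hashes:
            paths_by_sha256[hashes["SHA256"]].append(path)
    # Flows with no domain were contacted without a DNS lookup. The named bing.com traffic
    # is assumed here to be OS background noise on the Win10 image (verify per sandbox image).
    direct_ip = sorted({n["destination"] for n in report["network"] if not n["domain"]})
    # A cross-process write into a just-dropped Temp file is the staging step worth hunting.
    staged = [(src, dst, target) for src, dst, _, target in report["writes"]
              if target.lower().endswith(".tmp") and "\\temp\\" in target.lower()]
    return {"paths_by_sha256": dict(paths_by_sha256), "direct_ip": direct_ip, "staged_writes": staged}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE))
    for sha, paths in summary["paths_by_sha256"].items():
        print(sha, "->", ", ".join(paths))
    print("direct-to-IP:", summary["direct_ip"])
    print("staged writes:", summary["staged_writes"])
```

Feed it both behavioral sections concatenated and `paths_by_sha256` groups eqs89B9.tmp and eqs950C.tmp under c6e410b1… , which is the fastest way to see that the dropped stage is identical across images while only its name changes; the Program Files entries (7z.exe, OSE.EXE, the RCX*.tmp files) each get their own hash and should be checked against a known-good baseline rather than blocked outright.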