Analysis Overview
SHA256
9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5e
Threat Level: Shows suspicious behavior
The file 9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Modifies Internet Explorer Phishing Filter
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:09
Reported
2024-10-25 21:11
Platform
win7-20240903-en
Max time kernel
120s
Max time network
116s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\svest\3ED979F323C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RN990CB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe | N/A |
| N/A | N/A | C:\svest\3ED979F323C.exe | N/A |
| N/A | N/A | C:\svest\3ED979F323C.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AXZZI9IYVAYWEANJXPXOTBS = "C:\\svest\\3ED979F323C.exe /q" | C:\Users\Admin\AppData\Local\Temp\RN990CB.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RN990CB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\svest\3ED979F323C.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Users\Admin\AppData\Local\Temp\RN990CB.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | C:\Users\Admin\AppData\Local\Temp\RN990CB.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" | C:\Users\Admin\AppData\Local\Temp\RN990CB.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" | C:\Users\Admin\AppData\Local\Temp\RN990CB.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery | C:\Users\Admin\AppData\Local\Temp\RN990CB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe
"C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe"
C:\svest\3ED979F323C.exe
"C:\svest\3ED979F323C.exe"
C:\Users\Admin\AppData\Local\Temp\RN990CB.exe
"C:\Users\Admin\AppData\Local\Temp\RN990CB.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 89.149.202.144:3000 | | tcp |
| US | 8.8.8.8:53 | druid1kkun.com | udp |
| NL | 188.72.233.21:8080 | | tcp |
| N/A | 127.0.0.1:49267 | | tcp |
| US | 8.8.8.8:53 | druid1kkun.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 184.25.193.234:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | microwavecolosol.com | udp |
| US | 8.8.8.8:53 | microwavecolosol.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 184.25.193.234:80 | www.microsoft.com | tcp |
Files
memory/2868-0-0x0000000000480000-0x0000000000483000-memory.dmp
memory/2868-1-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/2868-2-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/2868-3-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/2868-4-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/2868-6-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2868-5-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2868-10-0x0000000000400000-0x00000000004CE000-memory.dmp
C:\svest\3ED979F323C.exe
| MD5 | 5dc3523309ca2b02be4accac2c562140 |
| SHA1 | 134ad5ff01e268d7065cc86e751b6bcb9dc0ec8a |
| SHA256 | 9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5e |
| SHA512 | 140d05724590d1329a614af34d47ef79bb8a2b310a03c7023f8263709a5eb8c8aa44ca588ff1421da3ef2bb46b9d795fa1904bca7fceb8ad3d115c87e9d07b8e |
memory/1832-19-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/2868-18-0x0000000000480000-0x0000000000483000-memory.dmp
memory/1832-20-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/1832-21-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/1832-25-0x0000000000400000-0x00000000004CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RN990CB.exe
| MD5 | 29090b6b4d6605a97ac760d06436ac2d |
| SHA1 | d929d3389642e52bae5ad8512293c9c4d3e4fab5 |
| SHA256 | 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272 |
| SHA512 | 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be |
memory/1128-32-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-41-0x0000000002010000-0x000000000205E000-memory.dmp
C:\svest\66AF4C4F9A638E2
| MD5 | 6bdc7b3b994a9bc3d2a9f3cd8ef98295 |
| SHA1 | b21d0f954d12ed53b7343bd9fdd3d9f846d4ada5 |
| SHA256 | 7a6d61da8cbbd3e27170650bedb960c6bfa781791e32ead108be9bd1c111ef23 |
| SHA512 | d9874173defb090a41d4722c83c8193f1cb04ce1c2123a262614e1c1a666735686391d619535cf3825b91bc72946165908dd6624314902a7a38b3e8e363b4845 |
memory/1128-39-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-38-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-37-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-45-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-47-0x00000000001B0000-0x00000000001B5000-memory.dmp
memory/1128-52-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
memory/1128-51-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-50-0x0000000001000000-0x0000000001004000-memory.dmp
memory/1128-49-0x0000000001001000-0x0000000001002000-memory.dmp
memory/1128-48-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
memory/1128-46-0x00000000001A0000-0x00000000001A5000-memory.dmp
memory/1128-44-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-68-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
memory/1128-71-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-79-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-84-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-88-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-89-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-91-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-90-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-87-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-86-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-85-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-83-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-99-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-98-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-96-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-95-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-94-0x0000000002010000-0x000000000205E000-memory.dmp
memory/1128-93-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-82-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/2868-100-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1128-130-0x00000000754C7000-0x00000000754C9000-memory.dmp
memory/2868-128-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2868-127-0x00000000773EF000-0x00000000773F1000-memory.dmp
memory/1128-81-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-80-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-78-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-77-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-76-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-75-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-74-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-73-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-70-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-69-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-72-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-66-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
memory/1128-65-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
memory/1128-63-0x00000000001B0000-0x00000000001B5000-memory.dmp
memory/1128-62-0x000000000BAD0000-0x000000000BB1E000-memory.dmp
memory/1128-55-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
memory/1128-54-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
memory/1128-144-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-143-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-142-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-146-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-145-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-147-0x00000000001A0000-0x00000000001A5000-memory.dmp
memory/1128-148-0x00000000001B0000-0x00000000001B5000-memory.dmp
memory/1128-149-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-150-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-151-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-152-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-153-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-154-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-156-0x00000000754B0000-0x00000000755B0000-memory.dmp
memory/1128-166-0x00000000754B0000-0x00000000755B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:09
Reported
2024-10-25 21:11
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe
"C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4176 -ip 4176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 476
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |