Analysis Overview
SHA256
a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455
Threat Level: Shows suspicious behavior
The file a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 16:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 16:32
Reported
2024-10-27 16:38
Platform
win7-20240903-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqsC439.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1724 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | C:\Users\Admin\AppData\Local\Temp\eqsC439.tmp |
| PID 1724 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | C:\Users\Admin\AppData\Local\Temp\eqsC439.tmp |
| PID 1724 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | C:\Users\Admin\AppData\Local\Temp\eqsC439.tmp |
| PID 1724 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | C:\Users\Admin\AppData\Local\Temp\eqsC439.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe
"C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe"
C:\Users\Admin\AppData\Local\Temp\eqsC439.tmp
"C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\eqsC439.tmp
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
C:\Program Files\7-Zip\RCX1AA9.tmp
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 16:32
Reported
2024-10-27 16:43
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqs77B0.tmp | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3776 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | C:\Users\Admin\AppData\Local\Temp\eqs77B0.tmp |
| PID 3776 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe | C:\Users\Admin\AppData\Local\Temp\eqs77B0.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe
"C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe"
C:\Users\Admin\AppData\Local\Temp\eqs77B0.tmp
"C:\Users\Admin\AppData\Local\Temp\a90eb8c84b5a86eea13bf59ed9f21b737f95b010687f08b53936c0c948304455N.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\eqs77B0.tmp
C:\Program Files\7-Zip\7z.exe
C:\Program Files\7-Zip\RCX2CAC.tmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX7606.tmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX7AFE.tmp
C:\Program Files (x86)\Google\Update\1.3.36.371\RCXBD16.tmp
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXCD8D.tmp
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe