Analysis Overview
SHA256
c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a
Threat Level: Shows suspicious behavior
The file c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Indicator Removal: File Deletion
Adds Run key to start application
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 04:53
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 04:53
Reported
2024-10-31 04:56
Platform
win7-20241010-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\wuauclt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe | N/A |
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Update\wuauclt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe
"C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe"
C:\ProgramData\Update\wuauclt.exe
"C:\ProgramData\Update\wuauclt.exe" /run
C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe" >> NUL
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | tcp |
Files
memory/2448-0-0x0000000000820000-0x0000000000848000-memory.dmp
\ProgramData\Update\wuauclt.exe
| MD5 | 1b9ccdef36529713682b9ee3230cfe2a |
| SHA1 | 5b944671c115135a15a83dd8e42901626945cabf |
| SHA256 | a61a8d8d05074a9e1fbf251a7acb6311a32ebc8f9fefdfb7a8e1e12a70783b3e |
| SHA512 | 2756fb8dd8487e7f26bc89f0fa7beb854d9fda56f2f4f9eec00f7613bcfa88d9c9dd265dc8e4b2f4647662e44b47537bdef074f6816149795dbede442dbab362 |
memory/2448-5-0x0000000000140000-0x0000000000168000-memory.dmp
memory/2748-7-0x0000000000A60000-0x0000000000A88000-memory.dmp
memory/2448-8-0x0000000000820000-0x0000000000848000-memory.dmp
memory/2448-9-0x0000000000140000-0x0000000000168000-memory.dmp
memory/2748-10-0x0000000000A60000-0x0000000000A88000-memory.dmp
memory/2448-11-0x0000000000820000-0x0000000000848000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 04:53
Reported
2024-10-31 04:56
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
140s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\wuauclt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe | N/A |
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Update\wuauclt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe
"C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe"
C:\ProgramData\Update\wuauclt.exe
"C:\ProgramData\Update\wuauclt.exe" /run
C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe" >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| CA | 158.69.115.115:443 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1240-0-0x0000000000E40000-0x0000000000E68000-memory.dmp
C:\ProgramData\Update\wuauclt.exe
| MD5 | eace89df76bdc5bc490b62009552f42f |
| SHA1 | 65b8faac3c1f7db64114282759fcf6cb761ec60b |
| SHA256 | 0d00408b8fa7258e55f47ac27be87358e59185527de8d79c68b884a71aaf52f4 |
| SHA512 | 9a9adabb590d43cbba6a7b89d0a95b2b8261991b69c131c1ce9d2b6dadc730bf47df9502b2b463fc388dce1aa7dc545541b75b28990959043ace045e44d7f096 |
memory/2028-4-0x0000000000990000-0x00000000009B8000-memory.dmp
memory/1240-6-0x0000000000E40000-0x0000000000E68000-memory.dmp
memory/2028-7-0x0000000000990000-0x00000000009B8000-memory.dmp
memory/1240-8-0x0000000000E40000-0x0000000000E68000-memory.dmp