Analysis Overview
SHA256
712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1
Threat Level: Shows suspicious behavior
The file 712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Reads data files stored by FTP clients
Reads local data of messenger clients
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 11:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 11:36
Reported
2024-11-05 11:38
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2148 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
"C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzmrcd2q.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE27.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE26.tmp"
C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
Network
Files
\??\c:\Users\Admin\AppData\Local\Temp\yzmrcd2q.0.cs
| MD5 | cb25540570735d26bf391e8b54579396 |
| SHA1 | 135651d49409214d21348bb879f7973384a7a8cb |
| SHA256 | 922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743 |
| SHA512 | 553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080 |
\??\c:\Users\Admin\AppData\Local\Temp\yzmrcd2q.cmdline
| MD5 | fac0cee2f983bc3d8218c914544cc64c |
| SHA1 | ce6a6e4069202b2d663503263650fe7badfb8c12 |
| SHA256 | fd95f0b290b24697ba06056a359626fd71acbebd7aff6aeeae07f2d75b05ea63 |
| SHA512 | 87379d3d688c850a866eac867b31d723318b4d1b8129dae9761261b4363935bb4889caa4dc96dd2b977d856ae52bf6da9e652b42179e5fd0e8d34bc3ca848616 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCEE26.tmp
| MD5 | 6a9043f0d3023726547aea3bcb95e374 |
| SHA1 | da9c8c71dfb9d0c53cc879142de89adf4971a825 |
| SHA256 | 4dacb2898bcfdb22a24f8a2b75bc6a9d53c34fa4cb9d1fd94d34746420b1ede0 |
| SHA512 | 8af9e0e74e1478a1a605c324f2e38f3c00e3fe6bf7525f5ed62515676b8c3367f2c0f60050c977606204d425b60e44bf5c25fbb20d2269d2529e47561607b10d |
C:\Users\Admin\AppData\Local\Temp\RESEE27.tmp
| MD5 | 82f625436ab88e3c2cf806b48bdd1378 |
| SHA1 | bb886e580652e79864791e3aa341b981ad6cc8a3 |
| SHA256 | 91b10e96bca90011c2333bf916f226c464c8e9923996b878297886569c8ed32f |
| SHA512 | d2fee939d159d2ec329ef1a9d2c58c963fd8770fb0270f1a7af72bf125b6a553d5e19d7b2d168d409cc6619ab8fd8edd375331eebbba5b053c403d1f7e44d969 |
C:\Users\Admin\AppData\Local\Temp\yzmrcd2q.dll
| MD5 | 0e27754d04f04cd13d09fe7103dc2112 |
| SHA1 | 30c59081743c7c52e4eb7b3deeb65d94e53a3995 |
| SHA256 | aa03af7a753d24c102ee8e9130a3b6b3800b2652d30faf74637d0c32d832eb5d |
| SHA512 | d3ed5460ab67b43fd08a8003d73a0cc493cbb00dd17c981bc42d4e0d094538a6d2d52fecbf3afa7bdf0bdee9028ba6ba6bc7bc67c7678f8347a579b9006aa0dc |
C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
| MD5 | d89fdbb4172cee2b2f41033e62c677d6 |
| SHA1 | c1917b579551f0915f1a0a8e8e3c7a6809284e6b |
| SHA256 | 2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383 |
| SHA512 | 48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 11:36
Reported
2024-11-05 11:38
Platform
win10v2004-20241007-en
Max time kernel
101s
Max time network
103s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4620 set thread context of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
"C:\Users\Admin\AppData\Local\Temp\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sg2sluoe.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4D7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC4D6.tmp"
C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3960 -ip 3960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 12
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\sg2sluoe.cmdline
| MD5 | dae7a3d5309991ace32f45d20a746c02 |
| SHA1 | 019c0d21b0776e29598e0d9df13c925a0bbc12c6 |
| SHA256 | ac51058c6b610116731cc3e4b7238a182d6e0b919c902251a13b6818a9211ac9 |
| SHA512 | 122b2c90171400b03e1ed312a217dae830fb3c7628ccc06b95f4dfa78ff3a537309023c5a898ad4a1eed6bcd90de827ba719525bb831fc6af0718f7c7d9c5bcb |
\??\c:\Users\Admin\AppData\Local\Temp\sg2sluoe.0.cs
| MD5 | cb25540570735d26bf391e8b54579396 |
| SHA1 | 135651d49409214d21348bb879f7973384a7a8cb |
| SHA256 | 922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743 |
| SHA512 | 553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCC4D6.tmp
| MD5 | 22dbfae4ccd63a09314b166cf87af127 |
| SHA1 | debb4fe76e4fb960e73425644de9c188d5e6e78d |
| SHA256 | 0b8be3c5795932a23913c1b95599f532dd8879eb907aeee553d0ce0d773e9f71 |
| SHA512 | babb7bd0b49569953017091a9ed29b4fa2f273b99fbd0b41bfeaf51808ed51faa63379c9a09f5d1ae791389ef2cb84fd8a919d3076c783a65fe9b3b3c18bae90 |
C:\Users\Admin\AppData\Local\Temp\RESC4D7.tmp
| MD5 | 741978141cb7efb4d6381d445cc03291 |
| SHA1 | 99cbd06cb66c403ecb913e035504ec94bf8644de |
| SHA256 | a64bd8c3d880cf6dec97a1d701eedf4d9e6436ec8c5716f378ce9e50743d9267 |
| SHA512 | 33b918283b394aa33001e95f34ab537e2ecb56df7a7101912fe950ae9f8ab7f6065fc815527f0e0a3381c96a8f666d3dd89b97cb9d9f78cac777fffac85e0c9b |
C:\Users\Admin\AppData\Local\Temp\sg2sluoe.dll
| MD5 | 0cb827a60bd57d2e368d0e145f5ccdb1 |
| SHA1 | 1be1858fa5d9f9697e1b636a43ef807860a1bd68 |
| SHA256 | 5b66fd361e3d97d975ffc2cb6eb5ffb3215018c0056a85cb9ab06ed558e29bb6 |
| SHA512 | e40b2017fef7e0c851728eccb75c5b4075826c97d70c3f4f6bcffb2275a86929b85ef7b7dce215caa883c887ee675d9dc2b030bf81d23be2b81ae273542e1147 |
C:\Users\Admin\AppData\Roaming\712d3c23cb7fc3bab8cd48e4c0ed64190c38efcfa95d0514be8ec1661ae732e1N.exe
| MD5 | d89fdbb4172cee2b2f41033e62c677d6 |
| SHA1 | c1917b579551f0915f1a0a8e8e3c7a6809284e6b |
| SHA256 | 2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383 |
| SHA512 | 48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed |