Analysis Overview
SHA256
54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219
Threat Level: Shows suspicious behavior
The file 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219 was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:21
Reported
2024-11-09 22:24
Platform
win7-20240729-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | "C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\windows\ime\333.bat" " |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\905\a905.vbs" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\905\905.bat" " |
Network
Files
C:\Windows\IME\333.bat
| Hash | Value |
| --- | --- |
| MD5 | bf85d58b5f8c87407c68d4479c08397d |
| SHA1 | e5ef875b5e00d45b544f2b2cdc9c7dc45de2d29a |
| SHA256 | 0e27eb46977ef3837953d1adefeaf7d52ea03d5743368710eda7999aaba28afd |
| SHA512 | 702f91fa62bea645e04d6468f1cd299f07c8b3e21caca78cb27f90a4d0b21a9a934ab5636553414187181c1082654eb39fbcf1af3cc9ab2f651cafdf005c4985 |
C:\905\a905.vbs
| Hash | Value |
| --- | --- |
| MD5 | d4e4d2395f0ae37c8f74469887420c42 |
| SHA1 | 6aac31f197f2173591c7c3c131b811339763ba6a |
| SHA256 | 8dc70d5200420fcac09b1fbe93c1bc2ee6cb27d22812bd3e5f7a70edd84a7845 |
| SHA512 | b1ff3496fe98ddc34d0bfb4f661f24f3bd6df2a40d3174167f4d6a96f3cf8a400da00de9f0b57d6f04e7014228c597bcf377c8e055378421bbd2f50a4560d774 |
C:\905\905.bat
| Hash | Value |
| --- | --- |
| MD5 | 491bdc8435bff0c077992159aeec3686 |
| SHA1 | afb5fe597cd0850a0f907f70f36ee951c01edae9 |
| SHA256 | f1e74a0c392bad5b5a8bb0b1c808592dca7f2f9f7dbc7f08f6d3f089436a9be2 |
| SHA512 | a330510e193c26d9363c9d1930765c62a72eebeb43bc3f7e17efa4ee7038ac8663c72ccf240e9a30c2ae803ffe7630aa0e30a2dfa555b85e9f99a4df4ec9ffff |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:21
Reported
2024-11-09 22:24
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | "C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\windows\ime\333.bat" " |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\905\a905.vbs" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\905\905.bat" " |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\windows\ime\333.bat
| Hash | Value |
| --- | --- |
| MD5 | bf85d58b5f8c87407c68d4479c08397d |
| SHA1 | e5ef875b5e00d45b544f2b2cdc9c7dc45de2d29a |
| SHA256 | 0e27eb46977ef3837953d1adefeaf7d52ea03d5743368710eda7999aaba28afd |
| SHA512 | 702f91fa62bea645e04d6468f1cd299f07c8b3e21caca78cb27f90a4d0b21a9a934ab5636553414187181c1082654eb39fbcf1af3cc9ab2f651cafdf005c4985 |
C:\905\a905.vbs
| Hash | Value |
| --- | --- |
| MD5 | d4e4d2395f0ae37c8f74469887420c42 |
| SHA1 | 6aac31f197f2173591c7c3c131b811339763ba6a |
| SHA256 | 8dc70d5200420fcac09b1fbe93c1bc2ee6cb27d22812bd3e5f7a70edd84a7845 |
| SHA512 | b1ff3496fe98ddc34d0bfb4f661f24f3bd6df2a40d3174167f4d6a96f3cf8a400da00de9f0b57d6f04e7014228c597bcf377c8e055378421bbd2f50a4560d774 |
C:\905\905.bat
| Hash | Value |
| --- | --- |
| MD5 | 491bdc8435bff0c077992159aeec3686 |
| SHA1 | afb5fe597cd0850a0f907f70f36ee951c01edae9 |
| SHA256 | f1e74a0c392bad5b5a8bb0b1c808592dca7f2f9f7dbc7f08f6d3f089436a9be2 |
| SHA512 | a330510e193c26d9363c9d1930765c62a72eebeb43bc3f7e17efa4ee7038ac8663c72ccf240e9a30c2ae803ffe7630aa0e30a2dfa555b85e9f99a4df4ec9ffff |