Analysis Overview
SHA256
2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1
Threat Level: Shows suspicious behavior
The file 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:35
Reported
2024-11-09 21:38
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8759.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8759.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2124 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | C:\Users\Admin\AppData\Local\Temp\8759.tmp |
| PID 2124 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | C:\Users\Admin\AppData\Local\Temp\8759.tmp |
| PID 2124 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | C:\Users\Admin\AppData\Local\Temp\8759.tmp |
| PID 2124 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | C:\Users\Admin\AppData\Local\Temp\8759.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
"C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe"
C:\Users\Admin\AppData\Local\Temp\8759.tmp
"C:\Users\Admin\AppData\Local\Temp\8759.tmp" --splashC:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe B2FDF4A9BC336CF73A5A9740013E82DE7A064F4726EE0DECFC463CA2B59F5D60AB86CE0282123F30FEDD32402F715BEB6E5D40635000D1127A7BAD22795D6545
Network
Files
memory/2124-0-0x0000000000400000-0x0000000000849000-memory.dmp
\Users\Admin\AppData\Local\Temp\8759.tmp
| MD5 | 4a361c2133e7d08b7d9f50fba3807206 |
| SHA1 | b112f40e37606350d1147c8cf5eab0cfb45ff807 |
| SHA256 | 6102479a7f626ac32b1c7537f1b2ea074c3b0a9e6de6ee08a1d3a6bc873bece1 |
| SHA512 | ce8281680e5715e469b782f16179daccdf6b1685921492a5b4e34636c1cfe44cf5510949d760931cb874b9e38edb324c020822e829dd5aa08b10df39df23d742 |
memory/2004-9-0x0000000000400000-0x0000000000849000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 21:35
Reported
2024-11-09 21:38
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
99s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1384 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp |
| PID 1384 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp |
| PID 1384 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe
"C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe"
C:\Users\Admin\AppData\Local\Temp\8ACB.tmp
"C:\Users\Admin\AppData\Local\Temp\8ACB.tmp" --splashC:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe 5801788DF0E758572BCA325F42B460B21612BBA1252C9A03704E3225F0AB93877132693E6C327102A2AF256AA3BE5913B860DB99B5E972D2EFA8F3B27A29ED0C
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1384-0-0x0000000000400000-0x0000000000849000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8ACB.tmp
| MD5 | 43059ac88567bf5fa9d40eeb41d796a8 |
| SHA1 | f79376c5cefe73dbd824fd82dcf61dcc21daed93 |
| SHA256 | fd619d55766168fed7289775ba8f9865ce19d7a5128dcc7a6853ff06166ccd68 |
| SHA512 | 3346cebde2d7348401cd36994d56214b64e72d3815f17bd450ab7dc1ae1950e1bb24b902cd24d33e72ca77fd41f00c0c6e1d745a193d1a1cf3211f4b49d68e81 |
memory/2544-5-0x0000000000400000-0x0000000000849000-memory.dmp