Analysis Overview
SHA256
d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217
Threat Level: Shows suspicious behavior
The file d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:17
Reported
2024-11-09 23:19
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe
"C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe"
C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe
C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe
Network
Files
memory/2108-0-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2056-10-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe
| MD5 | 569457bbcb17d66e889c771feed83f20 |
| SHA1 | 0d00687239a3921327d56f8c936a0efe02760740 |
| SHA256 | eb7c33e9d417c902c44d55ae15cf7b0bff41de2651b7978e31e4232fce9f6063 |
| SHA512 | 2f3f60b5c328dd9279837bd8633522c6ba01eff2d08742a6db864248fcfb764a0edebc8f87062e3dfead0562ed5c9628b66d6df9535579f2a02f5115e3578ef8 |
memory/2056-11-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2056-16-0x00000000001E0000-0x000000000021F000-memory.dmp
memory/2108-8-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2056-17-0x0000000000400000-0x000000000043F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:17
Reported
2024-11-09 23:19
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
97s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe
"C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1200 -ip 1200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 396
C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe
C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4544 -ip 4544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 368
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1200-0-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe
| MD5 | 0afda532c1634b9355ac08fc388c346e |
| SHA1 | 15532e223061969e93c3a756638d5d5f5e0b4e0c |
| SHA256 | ea63cd6bc9144b9c3c5970feee7d2efbdaff30fe39fd232f91d1f3bad59ed48e |
| SHA512 | 831ab184257c0ac116386ed101fe4309de6e1939dc08db4abc09a6ce6cf123e49ef265f1228c43f07a8e3592c8837d3e373f50e8c68b29239bf6f1189ddc13fe |
memory/4544-6-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1200-7-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4544-13-0x00000000014A0000-0x00000000014DF000-memory.dmp
memory/4544-8-0x0000000000400000-0x000000000041A000-memory.dmp
memory/4544-14-0x0000000000400000-0x000000000043F000-memory.dmp