Analysis Overview
SHA256
56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b
Threat Level: Shows suspicious behavior
The file 56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:25
Reported
2024-11-09 22:28
Platform
win7-20241010-en
Max time kernel
120s
Max time network
121s
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| N/A | N/A | C:\WINDOWS\VWFLH\rMX.exe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\WINDOWS\VWFLH\rMX.exe | C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe | N/A |
| File created | \??\c:\windows\rMX.exe.bat | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| File created | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| File opened for modification | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| File opened for modification | \??\c:\windows\nk.txt | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\WINDOWS\VWFLH\rMX.exe | C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WINDOWS\VWFLH\rMX.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe
"C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe"
C:\WINDOWS\VWFLH\rMX.exe
C:\WINDOWS\VWFLH\rMX.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c echo 0>>c:\windows\nk.txt
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\29.vbs
C:\WINDOWS\VWFLH\rMX.exe.exe
C:\WINDOWS\VWFLH\rMX.exe.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\15.vbs
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\29.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\15.vbs"
Network
Files
\Windows\VWFLH\rMX.exe
| MD5 | 629bfaf98f31bf35cfbe3d755b124701 |
| SHA1 | 8a9ade804afb8145adf9be87091f4b635b9edbd2 |
| SHA256 | 56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b |
| SHA512 | 3f7beab0c8a41eb91e4a10c3187c3aa3d04519a93284708ad8f4891e4660a2d706a4b62103d656b27871641a186a0f88f1a9cd1e6c11ea7f5622811bd38da985 |
memory/2148-14-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
memory/2460-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
C:\WINDOWS\VWFLH\rMX.exe.exe
| MD5 | 3097e7234ca2bfb209fefdac6b57f4d3 |
| SHA1 | afc10ad252fc18ecc120d51daf410b71e0a3340a |
| SHA256 | e05a1f961d97ba413f2d6ddd612b142709a623b5f2d080a724241e0ec143566b |
| SHA512 | e9f47f44af5f00b031d6b308e57823ddc132e943cf94c6335c0942a82269f535f2dcf7ef76d6081a2266642626251107c1a8446c57577ce348eebbb32fcf2940 |
C:\29.vbs
| MD5 | e634baf3e6b0b44b3e8f91ce4fae07f6 |
| SHA1 | 4f30f28fdf35afe7f43f89b87a4a2a33cf2d0511 |
| SHA256 | 3403251e771249d68d8e5904639a907f42d7b1ae1cac23ab2743d242d808dca2 |
| SHA512 | 7cb02c7a5b1dabb3e62aa0755db38a58f9ae9395797bde7d6cc74f1cea84bc893e3ea8f2e6637bd70d23e5d8b9c31338dcb4d7c9641a40ad1a5ee146960f6596 |
memory/2068-34-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
C:\15.vbs
| MD5 | d5f9682cec25774050d718fdb8056700 |
| SHA1 | b422402abb7479e3aede020734b750d6fbc82278 |
| SHA256 | dde7ac9cf62b56b556d7209636deca4433e00c36900b136bfaae1ba0fdccbb24 |
| SHA512 | bb4f70beba1bf8cf0834f21e85ee6ecb0f01824525a62a317a2a215fc7e33341579cd1547a92a7b36dc9be66e048efb42bbb7625237fe8482f2fb403274bfd28 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:25
Reported
2024-11-09 22:28
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
140s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| N/A | N/A | C:\WINDOWS\VWFLH\rMX.exe.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\WINDOWS\VWFLH\rMX.exe | C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe | N/A |
| File opened for modification | C:\WINDOWS\VWFLH\rMX.exe | C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe | N/A |
| File created | \??\c:\windows\rMX.exe.bat | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| File created | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| File opened for modification | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| File opened for modification | \??\c:\windows\nk.txt | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WINDOWS\VWFLH\rMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WINDOWS\VWFLH\rMX.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe
"C:\Users\Admin\AppData\Local\Temp\56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b.exe"
C:\WINDOWS\VWFLH\rMX.exe
C:\WINDOWS\VWFLH\rMX.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c echo 0>>c:\windows\nk.txt
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\62.vbs
C:\WINDOWS\VWFLH\rMX.exe.exe
C:\WINDOWS\VWFLH\rMX.exe.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\47.vbs
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\62.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\47.vbs"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\VWFLH\rMX.exe
| MD5 | 629bfaf98f31bf35cfbe3d755b124701 |
| SHA1 | 8a9ade804afb8145adf9be87091f4b635b9edbd2 |
| SHA256 | 56a9a9e91d8258e5c16e8b0df01ca353b6228c739a72916b270697c2fa23bb1b |
| SHA512 | 3f7beab0c8a41eb91e4a10c3187c3aa3d04519a93284708ad8f4891e4660a2d706a4b62103d656b27871641a186a0f88f1a9cd1e6c11ea7f5622811bd38da985 |
memory/224-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
memory/4848-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
C:\Windows\VWFLH\rMX.exe.exe
| MD5 | ec74d68f093a318fb6c6d37d5c2f3b80 |
| SHA1 | eb3d95c45ed256ca65706c64b8c711e154965e83 |
| SHA256 | f01785b0ce876f263f21a453695d18f43255a0600f693ab2bac9264534870fe3 |
| SHA512 | 1c0ecc09c817815943cd7dec1115841fc1af19e81ec68e55b8362885c06d6c50fa918701930a552f25a84cc6275ac2a0c4fe6ada16c3094efb8c59bbaa087aa9 |
memory/2684-16-0x000000007EEE0000-0x000000007EEFF000-memory.dmp
C:\47.vbs
| MD5 | 5f14e6c2f5fc3077f93dbf1005efbb00 |
| SHA1 | c2b39df0984c8fb2525ba8ddd7ac2b5e59c72930 |
| SHA256 | 65375d13c158a7304852d05ffa183215d68577cdd57fd679a50c0ecd0c31bf49 |
| SHA512 | 61d85d37af72323797d9362c3f02bfcbfc32f0d925989e1b493e4ad78afff656191de9749d7a04ee3762a787cd80bbbeeb8f5a69f4087ac3dbf10394d107373e |
C:\62.vbs
| MD5 | 5cf982b08199b89a5a4e6ebb282e4215 |
| SHA1 | 5ef1295ebdf8fcf7cd7d46079c6844502a707565 |
| SHA256 | 034d477d88b50a839cefc06fefa5f22b202c8812ddeb1286f495aaabd81ef278 |
| SHA512 | 7eca660d8fecec3666e72be09debb18856f8e8f235360dbd15530ed92da5db190761599af2a145f7a69f36091807bed6fe4afab5b693fc58a92185e342a60b8c |