Analysis Overview
SHA256
bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9
Threat Level: Shows suspicious behavior
The file bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Deletes itself
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:28
Reported
2024-11-09 22:31
Platform
win7-20240903-en
Max time kernel
79s
Max time network
17s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | "C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe" |
| C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe |
Network
Files
memory/1620-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1620-6-0x0000000000170000-0x000000000019F000-memory.dmp
memory/1620-1-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1620-15-0x0000000000320000-0x000000000034F000-memory.dmp
memory/1620-16-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe
| Hash | Value |
| MD5 | dcc221e66cd39b4f16136cc7e6571f12 |
| SHA1 | 9224c42e657b8223a1ffea0fea8a968e0f4dc20b |
| SHA256 | d473bd71b998d2cf6ec210637d142428237b9ae2e8a486648d1fe8f03caa17f0 |
| SHA512 | 71b8bc8f5d031275aa042c8e55bf076bd50b8666fa90d0ed08c6efbd02bf1997856a1a3718bf6f116586487ee039f4bf6862d36291453779dca21382bdf0424d |
memory/2308-18-0x0000000000140000-0x000000000016F000-memory.dmp
memory/2308-24-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2308-29-0x00000000001A0000-0x00000000001BB000-memory.dmp
memory/2308-30-0x0000000000400000-0x000000000042F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:28
Reported
2024-11-09 22:31
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | "C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe" |
| C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe | C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
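Every row in the Network table above is a PTR (reverse DNS) query to 8.8.8.8 for an in-addr.arpa name, and the report lists no process for any of them, so the only thing they tell an analyst is which IPs something on the guest was resolving backwards. The script below is an added example, not part of the report: it parses the rows as copied from the table, turns each in-addr.arpa (and, going beyond the table, ip6.arpa) name back into the address it encodes, and returns the sorted unique set. Treat the resulting IPs as candidates for enrichment, not as confirmed sample contacts, since the report attributes none of this traffic to the sample's processes.

```python
import ipaddress
import re

# One row of the report's Network table: | Country | Destination | Domain | Proto |
ROW = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)

# Copied verbatim from the behavioral2 (win10v2004) Network table in the report.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
"""


def ptr_to_ip(domain: str) -> str:
    """Decode a reverse-DNS name into the IP it represents.

    in-addr.arpa carries the four IPv4 octets in reverse order; ip6.arpa carries
    the 32 IPv6 nibbles in reverse order. Anything else raises ValueError.
    """
    labels = domain.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"in-addr.arpa name needs exactly 4 octets: {domain!r}")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"ip6.arpa name needs exactly 32 single-hex-digit labels: {domain!r}")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError(f"not a reverse-DNS name: {domain!r}")


def is_reverse_lookup(domain: str) -> bool:
    try:
        ptr_to_ip(domain)
        return True
    except ValueError:
        return False


def parse_rows(table_text: str) -> list:
    """Return the data rows of a Network table as dicts, skipping the header row."""
    rows = []
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m is None or m["country"] == "Country":
            continue
        rows.append(m.groupdict())
    return rows


def resolved_targets(table_text: str) -> list:
    """Sorted unique IPs whose PTR record was queried, IPv4 before IPv6."""
    ips = set()
    for row in parse_rows(table_text):
        if is_reverse_lookup(row["domain"]):
            ips.add(ipaddress.ip_address(ptr_to_ip(row["domain"])))
    return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, int(ip)))]


if __name__ == "__main__":
    for row in parse_rows(NETWORK_ROWS):
        print(f'{row["dst"]:>12}  {row["domain"]:<32} -> {ptr_to_ip(row["domain"])}')
    print("unique targets:", ", ".join(resolved_targets(NETWORK_ROWS)))
```

Run against the table, the nine rows decode to nine distinct addresses (8.8.8.8 itself plus eight others); the sort key uses `(version, int(ip))` because Python refuses to order IPv4Address and IPv6Address objects against each other.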
Files
memory/5024-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5024-1-0x00000000001C0000-0x00000000001EF000-memory.dmp
memory/5024-2-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bcc48a36a25e1b221ffe5a90744453ad0d99cb3de345755adb4eddc529a326d9N.exe
| Hash | Value |
| MD5 | 528a5b42afd57b2f0f61aa152b81449b |
| SHA1 | f3e2c22b823c0627e27f142d9d530d62c84fe18e |
| SHA256 | 626cd585b7a1dbeb7d1c3f53de0696174360c83af4ff3aa61fd39c2ae37e5600 |
| SHA512 | 99c8347cdb637d05daddfb0bb7a75c4b7b5e8e891707fca3dad13ea2e133ef705aeb0aea7643976dc9b615937827ea00a9fd7ab55a48ee3131521b49a8f377df |
memory/2292-13-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5024-11-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2292-14-0x00000000001B0000-0x00000000001DF000-memory.dmp
memory/2292-25-0x00000000014D0000-0x00000000014EB000-memory.dmp
memory/2292-20-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2292-26-0x0000000000400000-0x000000000042F000-memory.dmp
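The memory dump names in both "Files" lists (behavioral1 above and behavioral2 here) follow the pattern memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, so they can be parsed to reconstruct how each process's address space changed over the detonation. The script below is an added example and not part of the report: it parses both lists as copied from the page, groups the regions by process, and tracks the size of the region at the image base from dump to dump. Two assumptions are made that the report does not state: that 0x400000 is the sample's image base, and that a size change at that base between dumps of one process means the main image was unmapped and rewritten, which is what the UnmapMainImage and WriteProcessMemory signatures above suggest. Private regions whose size equals a size seen at the image base are reported as candidate staged copies of a PE.

```python
import re
from dataclasses import dataclass

# Memory dump names as the report lists them: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied verbatim from the behavioral1 (win7) "Files" list in the report.
BEHAVIORAL1_DUMPS = [
    "memory/1620-0-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1620-6-0x0000000000170000-0x000000000019F000-memory.dmp",
    "memory/1620-1-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1620-15-0x0000000000320000-0x000000000034F000-memory.dmp",
    "memory/1620-16-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/2308-18-0x0000000000140000-0x000000000016F000-memory.dmp",
    "memory/2308-24-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/2308-29-0x00000000001A0000-0x00000000001BB000-memory.dmp",
    "memory/2308-30-0x0000000000400000-0x000000000042F000-memory.dmp",
]

# Copied verbatim from the behavioral2 (win10v2004) "Files" list in the report.
BEHAVIORAL2_DUMPS = [
    "memory/5024-0-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/5024-1-0x00000000001C0000-0x00000000001EF000-memory.dmp",
    "memory/5024-2-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/2292-13-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/5024-11-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/2292-14-0x00000000001B0000-0x00000000001DF000-memory.dmp",
    "memory/2292-25-0x00000000014D0000-0x00000000014EB000-memory.dmp",
    "memory/2292-20-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/2292-26-0x0000000000400000-0x000000000042F000-memory.dmp",
]

# Assumption: the sample is mapped at the classic 0x400000 base; the report never says so.
IMAGE_BASE = 0x400000


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int    # dump sequence number; increases over the detonation
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_NAME.match(name.strip())
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    region = Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))
    if region.end <= region.start:
        raise ValueError(f"empty or inverted address range in {name!r}")
    return region


def parse_dump_names(names) -> list:
    """Parse all names and order them by process, then by dump sequence (time)."""
    return sorted((parse_dump_name(n) for n in names), key=lambda r: (r.pid, r.seq))


def pids(regions) -> list:
    return sorted({r.pid for r in regions})


def image_base_history(regions, pid: int, image_base: int = IMAGE_BASE) -> list:
    """(seq, size) of every dump of the region mapped at image_base, in time order."""
    return [(r.seq, r.size) for r in regions if r.pid == pid and r.start == image_base]


def image_replaced(regions, pid: int, image_base: int = IMAGE_BASE) -> bool:
    """True when the region at image_base changes size between dumps of one process.

    A process that only ever runs the PE it was started with keeps one size there;
    a shrink or grow is consistent with the main image being unmapped and new
    contents written over it (the UnmapMainImage / WriteProcessMemory signatures).
    """
    sizes = {size for _, size in image_base_history(regions, pid, image_base)}
    return len(sizes) > 1


def staged_images(regions, pid: int, image_base: int = IMAGE_BASE) -> list:
    """Private regions in `pid` whose size equals a size seen at image_base in any process:
    candidates for a PE staged in heap memory before being mapped over the main image."""
    image_sizes = {r.size for r in regions if r.start == image_base}
    return [(r.seq, r.start, r.size) for r in regions
            if r.pid == pid and r.start != image_base and r.size in image_sizes]


if __name__ == "__main__":
    for label, names in (("behavioral1", BEHAVIORAL1_DUMPS), ("behavioral2", BEHAVIORAL2_DUMPS)):
        regions = parse_dump_names(names)
        print(label)
        for pid in pids(regions):
            history = ", ".join(f"seq {s}: 0x{z:X}" for s, z in image_base_history(regions, pid))
            print(f"  pid {pid}: image base {history}; replaced={image_replaced(regions, pid)}")
            for seq, start, size in staged_images(regions, pid):
                print(f"    staged copy at seq {seq}: 0x{start:X}, size 0x{size:X}")
```

On the report's own data the two detonations behave the same way: the first process (1620 on win7, 5024 on win10) starts with a 0x2F000-byte region at the image base that shrinks to 0x1B000, while the second process (2308, 2292) starts with 0xE000 there and ends with 0x2F000, and both processes carry 0x2F000-byte private buffers in between. That is the sequence the script flags as a replaced main image; whether it is process hollowing of the dropped copy is a conclusion to confirm from the dumps themselves, not from the names.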