Analysis Overview
SHA256
5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25
Threat Level: Shows suspicious behavior
The file 5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-11-09 22:29 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-11-09 22:29 |
| Reported | 2024-11-09 22:31 |
| Platform | win7-20240903-en |
| Max time kernel | 149s |
| Max time network | 150s |
| Command Line | N/A |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\.Trash-100\ActivateDesktop.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\.Trash-100\ActivateDesktop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1444 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe | C:\.Trash-100\ActivateDesktop.exe |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe | "C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe" |
| C:\.Trash-100\ActivateDesktop.exe | C:\.Trash-100\ActivateDesktop.exe |
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | raumjr.ru.swtest.ru | udp | 1 |
| US | 8.8.8.8:53 | api.vk.com | udp | 1 |
| RU | 87.240.190.75:80 | api.vk.com | tcp | 29 |
Files
\.Trash-100\ActivateDesktop.exe
| MD5 | d2fa3a33c74cf8b5118358e323ae0d64 |
| SHA1 | 6a1e4255fbc8945cd1ee4fc2b1ad31d385d8329b |
| SHA256 | 19f5a8931d2ae300b15246edc5727a5f2722f84c06f13db205e1fc629d3a2089 |
| SHA512 | 2697d0ad9d2e9a9f9116a9e9304397bc52f856ff4dead2f5c631772204f78847d9681190bc79869264729bf158656e735b3f068d6138ecd3778ad4ced3072aca |
C:\.Trash-100\db\version
| MD5 | d9f5e405a7f74ed652a8f0b31a87f636 |
| SHA1 | 8f7a4cf1d8fb52d12619fb0c6cafc42abf5a5e61 |
| SHA256 | ab4cbdd8d697c57b18419764dffd2f4f39eff2bc0ff9ee1019cf1b68cf34f86d |
| SHA512 | cf7b04462ec6f47966cb9c456ef3c1260ba4953543aed0b28e093508a1c732cd87ee20d506e33133b84c9ebe6e8553fe7dc0b884b5ac7f1a9b18efe30822b12a |
C:\.Trash-100\db\framework_exe
| MD5 | 665009c6d258a06e710ff8c7810f4697 |
| SHA1 | abf7abc9bae75e5323a12b1d58336dfe0fd58e22 |
| SHA256 | 98dcba6d93cc19d148e629c278d99243009359eb08816c1e7eae125fce78b53a |
| SHA512 | a27669035751658896afe937847a3752525b548208d5b8929f9c3b576ccc3528820d3faf10ac80047ada1d47acc5d6246f877f15cec9b4a032eb04da1ee63635 |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-11-09 22:29 |
| Reported | 2024-11-09 22:31 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 151s |
| Command Line | N/A |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\.Trash-100\ActivateDesktop.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\.Trash-100\ActivateDesktop.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe | C:\.Trash-100\ActivateDesktop.exe |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe | "C:\Users\Admin\AppData\Local\Temp\5773adb23199c7e0bab8e02090900eb96e42cff0c4825f58bdd6debc61863a25.exe" |
| C:\.Trash-100\ActivateDesktop.exe | C:\.Trash-100\ActivateDesktop.exe |
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | raumjr.ru.swtest.ru | udp | 1 |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | api.vk.com | udp | 1 |
| RU | 87.240.137.130:80 | api.vk.com | tcp | 29 |
| US | 8.8.8.8:53 | 130.137.240.87.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp | 1 |
Files
C:\.Trash-100\ActivateDesktop.exe
| MD5 | 40f98cef980824cb6398e4577be6575c |
| SHA1 | bbad8ccf0ab6d997a30164b11dd3089f6c3fd8b2 |
| SHA256 | 5223f4e1ea7b4ed24eacec06b92545cba06e19d4abed8bcef9fb1c03f272631c |
| SHA512 | 916bcc209a75ec8f59116a8716d6aaeb3fe78ab4dd7dc143350a5c87b12ea165ab33568016da20cba50111971cce58d432423871176c3da4776ac1dc3ced77c8 |
C:\.Trash-100\db\framework_exe
| MD5 | 665009c6d258a06e710ff8c7810f4697 |
| SHA1 | abf7abc9bae75e5323a12b1d58336dfe0fd58e22 |
| SHA256 | 98dcba6d93cc19d148e629c278d99243009359eb08816c1e7eae125fce78b53a |
| SHA512 | a27669035751658896afe937847a3752525b548208d5b8929f9c3b576ccc3528820d3faf10ac80047ada1d47acc5d6246f877f15cec9b4a032eb04da1ee63635 |
C:\.Trash-100\db\version
| MD5 | d9f5e405a7f74ed652a8f0b31a87f636 |
| SHA1 | 8f7a4cf1d8fb52d12619fb0c6cafc42abf5a5e61 |
| SHA256 | ab4cbdd8d697c57b18419764dffd2f4f39eff2bc0ff9ee1019cf1b68cf34f86d |
| SHA512 | cf7b04462ec6f47966cb9c456ef3c1260ba4953543aed0b28e093508a1c732cd87ee20d506e33133b84c9ebe6e8553fe7dc0b884b5ac7f1a9b18efe30822b12a |