Analysis Overview
SHA256
0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00d
Threat Level: Shows suspicious behavior
The file 0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
UPX packed file
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:40
Reported
2024-11-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\WINDOWS\NWC.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\WINDOWS\NWC.EXE | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe | N/A |
| File opened for modification | C:\WINDOWS\NWC.EXE | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\WINDOWS\NWC.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WINDOWS\NWC.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe
"C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe"
C:\WINDOWS\NWC.EXE
C:\WINDOWS\NWC.EXE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4068 -ip 4068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 264
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sys.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/1360-0-0x0000000000510000-0x0000000000520000-memory.dmp
memory/1360-1-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Windows\NWC.EXE
| Algorithm | Value |
|---|---|
| MD5 | 58f36f67134fcac45149c01bacc53ca0 |
| SHA1 | b973ce2097c356c3a2452ea4ceb006a0ca3d9817 |
| SHA256 | 0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00d |
| SHA512 | aba0a933276968e9b2a06ff4fca0b6e98461bbaeddd15e11388b24fffe5301ca2f9b91ad5ed0dc58743e75a2fb87cf1046322c73d4cf102bd9e91d213c0fccfc |
memory/4068-6-0x0000000000510000-0x0000000000520000-memory.dmp
memory/4068-7-0x00000000001C0000-0x00000000001CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sys.bat
| Algorithm | Value |
|---|---|
| MD5 | 1c14c9f3df6eec3d4da6223c2105249d |
| SHA1 | 2779a4f686a0c33eef723710c45f5e38dd9fd69c |
| SHA256 | c3cfa5bc5aac47ce0b6e8601471e69c0343538d855d4054aece63833915ccec5 |
| SHA512 | 4c08d021e797bbab0c8ab50f2ef585858cd537ecb85229d8f5978075f13f8f70f2afa5d0680a2a18adbcb7ae92096aa6f048af06203e197998dd1165ed2c927d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:40
Reported
2024-11-09 15:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1660 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1660 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1660 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1660 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe
"C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 88
Network
Files
memory/1660-1-0x0000000000020000-0x000000000002E000-memory.dmp
memory/1660-0-0x0000000000510000-0x0000000000520000-memory.dmp
memory/1660-2-0x0000000000510000-0x0000000000520000-memory.dmp