Analysis Overview
SHA256
80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67
Threat Level: Shows suspicious behavior
The file 80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
UPX packed file
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:50
Reported
2024-11-09 15:52
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nLjFmIn06300 = "C:\\ProgramData\\nLjFmIn06300\\nLjFmIn06300.exe" | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
| N/A | N/A | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
| N/A | N/A | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
| N/A | N/A | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2068 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe |
| PID 2068 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe |
| PID 2068 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe |
| PID 2068 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
"C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe"
C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe
"C:\ProgramData\nLjFmIn06300\nLjFmIn06300.exe" "C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 194.28.113.214:80 | | tcp |
| UA | 91.193.194.40:80 | | tcp |
| UA | 91.193.194.40:80 | | tcp |
| US | 194.28.113.214:80 | | tcp |
| US | 194.28.113.214:80 | | tcp |
| US | 194.28.113.214:80 | | tcp |
| US | 194.28.113.214:80 | | tcp |
| US | 194.28.113.214:80 | | tcp |
Files
memory/2068-0-0x0000000000403000-0x0000000000404000-memory.dmp
memory/2068-5-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2068-4-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2068-3-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2068-1-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2068-6-0x0000000000400000-0x00000000004B3000-memory.dmp
\ProgramData\nLjFmIn06300\nLjFmIn06300.exe
| MD5 | 738910a2344632f408260f06e63a1757 |
| SHA1 | 177c126be19d855b78f0721e0685913824d38164 |
| SHA256 | 95df4d76caf3b76c397b514d3444c9df32af0c5c35a04caafa2c222c9d44e008 |
| SHA512 | be24a1238331c0c65216513244371955958abb9a94ab4aa8db7a629d3a048cef9b660a8bd7750121cf3226e93deb4c72945370f30571cbd8cb95f3a15a32ec8c |
memory/2288-19-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2288-24-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2068-27-0x0000000000403000-0x0000000000404000-memory.dmp
memory/2068-28-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2288-30-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2288-38-0x0000000000400000-0x00000000004B3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:50
Reported
2024-11-09 15:52
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aEiNhOi06300 = "C:\\ProgramData\\aEiNhOi06300\\aEiNhOi06300.exe" | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
| N/A | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
| N/A | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
| N/A | N/A | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 548 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe |
| PID 548 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe |
| PID 548 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe | C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe
"C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 584
C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe
"C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe" "C:\Users\Admin\AppData\Local\Temp\80ec12742318b0eb9ca57a44d77e86b03d300200e55a829765fde8fd04a29e67N.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 76
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2128 -ip 2128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 752
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 194.28.113.214:80 | | tcp |
| UA | 91.193.194.40:80 | | tcp |
| US | 194.28.113.214:80 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 194.28.113.214:80 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/548-0-0x0000000000403000-0x0000000000404000-memory.dmp
memory/548-4-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/548-1-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/548-3-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/548-6-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/548-5-0x0000000000400000-0x00000000004B3000-memory.dmp
C:\ProgramData\aEiNhOi06300\aEiNhOi06300.exe
| MD5 | 938c4ba1fa5227886b53f0aa7e621e55 |
| SHA1 | 95885b14422ef1f5dc9a42b14b2d8679143766e0 |
| SHA256 | fbb2fdf67593ddb8d94cc4e8cc9c891de4624b8596654bf73c740fcdf5f7c4a4 |
| SHA512 | 95a7cbfb74070783c0a369e46f69f2381ebcffb99552132bd556bff6ea9a5d8ba543f2e2d2e94217e31226c4ae765808a7ebdda35525ee3c1f16b96c1abc9fb1 |
memory/2128-15-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2128-19-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2128-20-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/548-23-0x0000000000403000-0x0000000000404000-memory.dmp
memory/548-24-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2128-26-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/2128-34-0x0000000000400000-0x00000000004B3000-memory.dmp
memory/548-45-0x0000000000400000-0x00000000004B3000-memory.dmp