Analysis Overview
SHA256
5608a618bc19fa3e21e6272d91d6443512da3c3965bd62e18092b4c7ec07cd29
Threat Level: Shows suspicious behavior
The file sunshine-windows-installer.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Embeds OpenSSL
Unsigned PE
Enumerates physical storage devices
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:28
Signatures
Embeds OpenSSL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:28
Reported
2024-11-09 19:32
Platform
win10v2004-20241007-es
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe
"C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsyFA63.tmp\UserInfo.dll
| MD5 | 8e1998776ffd1d578a80d603c55721fc |
| SHA1 | 48ff2d677739d0f34f6c8cda41258af3989f534d |
| SHA256 | 7616de346ee28e4314d8a5bf67575c0010b1b07c93c6c29798f9106589ba25ae |
| SHA512 | 90c0800e485bd56177576b1d245457427d15b81b475eca4154a65225b82fe9c2ae7f07b07d48a61a3f622c4b2a2cb0b834a5d0b0b895f5bbf88b5bdead2257eb |
C:\Users\Admin\AppData\Local\Temp\nsyFA63.tmp\InstallOptions.dll
| MD5 | ff6cb85adb441e639dc58948651d54d2 |
| SHA1 | 2ba0514b1e64ce4c13c987c30f1b6e61225f192c |
| SHA256 | bbd81555abbfeff33aacdc8c34c307c2eb680953c7f4c4c02b20a8fe10e88bd6 |
| SHA512 | bf4c8e862b548011f7d465c82d3c4bc84e7836c4bcd943ffa6dbfbe95d43fc355cf00936cfc4db34822906212bbbc69271f356b74d70051b52cfb9b74f58149d |
C:\Users\Admin\AppData\Local\Temp\nsyFA63.tmp\ioSpecial.ini
| MD5 | 82ca818094abc1a235c5001657901254 |
| SHA1 | fbe65197b61e0695b76c35aa55eade65753a1099 |
| SHA256 | 17882fb252373868873d73e01104c9d0d0d831a581a41fee66aaa2e1ddf0c7af |
| SHA512 | a64bf6ac8759adfea96a101a0cda5e9861369f9a6293d06c2ee6dc2d908b951c249485e17e0640eabb3b1199cb6a85d5a10ed9621f623166c1a2efc822c26342 |
memory/4284-89-0x00007FFE15120000-0x00007FFE15134000-memory.dmp
memory/4284-88-0x0000000140000000-0x000000014018A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:28
Reported
2024-11-09 19:32
Platform
win10ltsc2021-20241023-es
Max time kernel
150s
Max time network
137s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe
"C:\Users\Admin\AppData\Local\Temp\sunshine-windows-installer.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nscFE37.tmp\UserInfo.dll
| MD5 | 8e1998776ffd1d578a80d603c55721fc |
| SHA1 | 48ff2d677739d0f34f6c8cda41258af3989f534d |
| SHA256 | 7616de346ee28e4314d8a5bf67575c0010b1b07c93c6c29798f9106589ba25ae |
| SHA512 | 90c0800e485bd56177576b1d245457427d15b81b475eca4154a65225b82fe9c2ae7f07b07d48a61a3f622c4b2a2cb0b834a5d0b0b895f5bbf88b5bdead2257eb |
C:\Users\Admin\AppData\Local\Temp\nscFE37.tmp\InstallOptions.dll
| MD5 | ff6cb85adb441e639dc58948651d54d2 |
| SHA1 | 2ba0514b1e64ce4c13c987c30f1b6e61225f192c |
| SHA256 | bbd81555abbfeff33aacdc8c34c307c2eb680953c7f4c4c02b20a8fe10e88bd6 |
| SHA512 | bf4c8e862b548011f7d465c82d3c4bc84e7836c4bcd943ffa6dbfbe95d43fc355cf00936cfc4db34822906212bbbc69271f356b74d70051b52cfb9b74f58149d |
C:\Users\Admin\AppData\Local\Temp\nscFE37.tmp\ioSpecial.ini
| MD5 | 053a55bfa43b4a229022eb167e24dfc7 |
| SHA1 | 073d6b52be3a0e948fdc06615a3e69495b8a5633 |
| SHA256 | 41aa1ff939b78049b3af0eca52b7b7c5681493f54e01a23888aa884bab3b562d |
| SHA512 | c247e497a4483d5523f6086d6219960ed15ef19a996df3d047399e371758d215bd1bb93387496961d00c9ce8ce7144dcc39634ee4e5e5a3557051944a11df789 |
memory/4868-89-0x00007FFC2B500000-0x00007FFC2B514000-memory.dmp
memory/4868-88-0x0000000140000000-0x000000014018A000-memory.dmp