Analysis Overview
SHA256
2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117
Threat Level: Shows suspicious behavior
The submitted file 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117 was classified as "Shows suspicious behavior"; the verdict rests on the behavioral signatures summarized below and detailed per detonation.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Deletes itself
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
System Location Discovery: System Language Discovery (T1614.001, Discovery) is the only signature on this page with an ATT&CK technique mapping; the remaining signatures are sandbox heuristics (self-injection, self-replacement, crash) without a technique ID recorded here.
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:57
Signatures
Unsigned PE
No indicator rows recorded: the submitted PE carries no Authenticode signature, so there is no publisher identity to verify and signature-based allow-listing does not apply.
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:57
Reported
2024-11-09 20:59
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
"C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| PID | Image | Command line |
| 2132 | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | "C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe" |
| 2476 | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe |
PIDs are taken from the memory-dump names below (the process list itself carries none); 2132 is the submitted process and 2476 the second instance it started. The second instance runs with the bare, unquoted path as its command line, unlike the submitted invocation.
Network
No network activity recorded in this run.
Files
Dropped file
C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
| MD5 | ff60563cfb05887ea20ddbdb61521a89 |
| SHA1 | d90e3ca11c540ed7d7c2a5620d3294729a4f0942 |
| SHA256 | 09b1701ef9e163324e8690a8fc1a184039599df3d218cd3d83a9ff9942f38d64 |
| SHA512 | c7e46063de41381c30ad9954679d86a68272a12e9d8eb0bd788dbea9e03d95191c2de1027bf14e85edc2e158d76eae26f39da2b74ea756aeaec145123fd85824 |
This file sits at the submitted sample's own path but its SHA256 differs from the submitted 2f630adb…c58117, which is what the Deletes itself / RenamesItself / Executes dropped EXE signatures record: the sample replaced its own file on disk and ran the replacement. The replacement hash also differs from the one produced in behavioral2, so the dropped binary is not constant across runs.
Memory dumps
| Dump | PID | Index | Region size |
| memory/2132-0-0x0000000000400000-0x0000000000442000-memory.dmp | 2132 | 0 | 0x42000 |
| memory/2132-9-0x0000000000130000-0x0000000000172000-memory.dmp | 2132 | 9 | 0x42000 |
| memory/2132-10-0x0000000000400000-0x0000000000442000-memory.dmp | 2132 | 10 | 0x42000 |
| memory/2476-12-0x0000000000400000-0x0000000000442000-memory.dmp | 2476 | 12 | 0x42000 |
| memory/2476-13-0x0000000000400000-0x000000000041A000-memory.dmp | 2476 | 13 | 0x1A000 |
| memory/2476-18-0x0000000000130000-0x0000000000172000-memory.dmp | 2476 | 18 | 0x42000 |
| memory/2476-19-0x0000000000400000-0x0000000000442000-memory.dmp | 2476 | 19 | 0x42000 |
The region at 0x400000 (the default image base of a 32-bit PE) is 0x42000 bytes in both processes; in the second instance (2476) it was additionally dumped at 0x1A000 bytes, and both processes hold a second 0x42000-byte region at 0x130000. Read together with the UnmapMainImage and WriteProcessMemory signatures, this is consistent with the parent staging an image-sized buffer and rewriting the child's image mapping (process hollowing); the report itself does not name the technique.
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:57
Reported
2024-11-09 20:59
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
141s
Command Line
"C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Program crash
No indicator rows recorded; the crash is visible in the process list, where WerFault.exe was invoked for both PID 2916 and PID 3692.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe |
| PID 2916 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe |
| PID 2916 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe |
Processes
| PID | Image | Command line |
| 2916 | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | "C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe" |
| N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2916 -ip 2916 |
| N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 396 |
| 3692 | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe | C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe |
| N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3692 -ip 3692 |
| N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 364 |
PIDs 2916 and 3692 come from the WriteProcessMemory rows and the WerFault -p arguments; the WerFault instances' own PIDs are not recorded. Both instances of the sample crashed, and WerFault ran from SysWOW64, i.e. they are 32-bit (WOW64) processes. As in behavioral1, the second instance's command line is the unquoted path.
Network
All recorded traffic consists of reverse-DNS (PTR) queries to 8.8.8.8 over UDP; the report attributes no forward lookup, domain or outbound connection to the sample, so nothing in this table serves as a network indicator without further attribution.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Dropped file
C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
| MD5 | 575c192f028e3517cf5183da7f89b1a6 |
| SHA1 | 0edfe6be93c52fcb5560c20cede61b9742c49271 |
| SHA256 | 4887e86ec32ff5d838892b52c44bed85d5165f2d843de9ede314ce9e1ad40fdc |
| SHA512 | f078c93505832ac03baf9147a77a72e7fe409c39f9794751c46441076068c853b5152bb731598782f5523e626d906365288691d0b2f384ce177acafed82b6162 |
Same path as the submitted sample, but the SHA256 matches neither the submitted 2f630adb…c58117 nor the 09b1701e…f38d64 dropped in behavioral1: the file at the sample's own path was replaced by a binary that differs per run, so hashing the on-disk file after detonation does not identify the original sample.
Memory dumps
| Dump | PID | Index | Region size |
| memory/2916-0-0x0000000000400000-0x0000000000442000-memory.dmp | 2916 | 0 | 0x42000 |
| memory/2916-8-0x0000000000400000-0x0000000000442000-memory.dmp | 2916 | 8 | 0x42000 |
| memory/3692-7-0x0000000000400000-0x0000000000442000-memory.dmp | 3692 | 7 | 0x42000 |
| memory/3692-9-0x0000000000400000-0x000000000041A000-memory.dmp | 3692 | 9 | 0x1A000 |
| memory/3692-14-0x00000000014E0000-0x0000000001522000-memory.dmp | 3692 | 14 | 0x42000 |
| memory/3692-15-0x0000000000400000-0x0000000000442000-memory.dmp | 3692 | 15 | 0x42000 |
The same shape as in behavioral1: the target process 3692, into which 2916 wrote three times, has its 0x400000 image region dumped at both 0x42000 and 0x1A000 bytes and holds a second 0x42000-byte region at 0x14E0000. Consistent with the UnmapMainImage and WriteProcessMemory signatures, this points to the child's image mapping being unmapped and rewritten (process hollowing); the report records the indicators, not the technique name. The 0x1A000-byte dump of the child's image region is the artifact to carve first when looking for the unpacked payload.
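The following script is an added example, not part of the sandbox report or of any tool the report comes from. It parses the three kinds of evidence the two behavioral sections carry (the "PID A wrote to memory of B" indicator rows, the memory/<pid>-<index>-<start>-<end>-memory.dmp dump names, and the dropped-file hash against the submitted SHA256) and turns them into the findings a triage analyst would write down: a process writing into a second instance of its own image whose image region is then re-dumped at a different size, image-sized copies staged at other addresses, and the on-disk sample replaced by a differently-hashed file. The dump-name layout and the indicator phrasing are assumed from the rows on this page; the win7 PIDs (2132, 2476) are taken from the dump names because that section lists no WriteProcessMemory rows, so for that run only the per-process checks fire. All input data is constructed from the values above.

```python
"""Sandbox-report triage helper: added example, not part of the report.

Parses the row types the report above contains (WriteProcessMemory
indicators, memory-dump names, process images, dropped-file hashes) and
flags the pattern they form. All input below is constructed from the page.
"""
import re
from collections import defaultdict

# Indicator phrasing and dump-name layout are assumed from the rows on the page.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
IMAGE_BASE = 0x400000  # default image base of a 32-bit PE; each PID's first dump starts here


def parse_write(row):
    """'PID 2916 wrote to memory of 3692' -> (2916, 3692); None for other rows."""
    m = WRITE_RE.search(row)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_dump(name):
    """'memory/<pid>-<index>-<start>-<end>-memory.dmp' -> dict; None if malformed."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    return {"pid": int(pid), "index": int(idx), "start": int(start, 16), "end": int(end, 16)}


def _parsed(dumps):
    # Dumps in snapshot order, so "first dump at the image base" is well defined.
    return sorted((d for d in map(parse_dump, dumps) if d), key=lambda d: d["index"])


def image_region_rewrites(dumps):
    """PIDs whose IMAGE_BASE region was dumped at more than one size: the
    original mapping was replaced or resized between snapshots."""
    sizes = defaultdict(set)
    for d in _parsed(dumps):
        if d["start"] == IMAGE_BASE:
            sizes[d["pid"]].add(d["end"] - d["start"])
    return {pid: sorted(s) for pid, s in sizes.items() if len(s) > 1}


def same_size_copies(dumps):
    """(pid, start) of regions away from IMAGE_BASE whose size equals that
    PID's first image-base dump: an image-sized buffer staged elsewhere."""
    parsed = _parsed(dumps)
    base_size = {}
    for d in parsed:
        if d["start"] == IMAGE_BASE:
            base_size.setdefault(d["pid"], d["end"] - d["start"])
    return [(d["pid"], d["start"]) for d in parsed
            if d["start"] != IMAGE_BASE and d["end"] - d["start"] == base_size.get(d["pid"])]


def hollowing_candidates(images, writes, dumps):
    """(writer, target) pairs where a process wrote into another instance of
    its own image and the target's image region was then re-dumped at a
    different size: the shape of process hollowing / RunPE-style injection."""
    rewritten = image_region_rewrites(dumps)
    pairs = sorted({w for w in map(parse_write, writes) if w})
    return [(src, dst) for src, dst in pairs
            if images.get(src) is not None and images.get(src) == images.get(dst)
            and dst in rewritten]


def self_replacement(sample_path, submitted_sha256, dropped):
    """True when a file was dropped at the sample's own path with a different SHA256."""
    h = dropped.get(sample_path)
    return h is not None and h.lower() != submitted_sha256.lower()


def assess(run):
    """Human-readable findings for one detonation."""
    findings = []
    for src, dst in hollowing_candidates(run["images"], run["writes"], run["dumps"]):
        findings.append(f"hollowing candidate: PID {src} wrote into PID {dst} (same image, image region rewritten)")
    for pid, sizes in image_region_rewrites(run["dumps"]).items():
        findings.append(f"PID {pid}: region at {IMAGE_BASE:#x} dumped at sizes {', '.join(map(hex, sizes))}")
    for pid, start in same_size_copies(run["dumps"]):
        findings.append(f"PID {pid}: image-sized copy at {start:#x}")
    if self_replacement(run["sample_path"], run["submitted_sha256"], run["dropped"]):
        findings.append("file at the sample's own path replaced by a differently-hashed binary")
    return findings


# Constructed input, copied from the two behavioral sections of the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"
SUBMITTED = "2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117"
WIN10 = {
    "sample_path": SAMPLE, "submitted_sha256": SUBMITTED,
    "images": {2916: SAMPLE, 3692: SAMPLE},
    "writes": ["PID 2916 wrote to memory of 3692"] * 3,
    "dumps": ["memory/2916-0-0x0000000000400000-0x0000000000442000-memory.dmp",
              "memory/3692-7-0x0000000000400000-0x0000000000442000-memory.dmp",
              "memory/2916-8-0x0000000000400000-0x0000000000442000-memory.dmp",
              "memory/3692-9-0x0000000000400000-0x000000000041A000-memory.dmp",
              "memory/3692-14-0x00000000014E0000-0x0000000001522000-memory.dmp",
              "memory/3692-15-0x0000000000400000-0x0000000000442000-memory.dmp"],
    "dropped": {SAMPLE: "4887e86ec32ff5d838892b52c44bed85d5165f2d843de9ede314ce9e1ad40fdc"},
}
WIN7 = {  # no WriteProcessMemory rows in this section, so only per-PID checks fire
    "sample_path": SAMPLE, "submitted_sha256": SUBMITTED,
    "images": {2132: SAMPLE, 2476: SAMPLE}, "writes": [],
    "dumps": ["memory/2132-0-0x0000000000400000-0x0000000000442000-memory.dmp",
              "memory/2476-12-0x0000000000400000-0x0000000000442000-memory.dmp",
              "memory/2132-10-0x0000000000400000-0x0000000000442000-memory.dmp",
              "memory/2132-9-0x0000000000130000-0x0000000000172000-memory.dmp",
              "memory/2476-18-0x0000000000130000-0x0000000000172000-memory.dmp",
              "memory/2476-13-0x0000000000400000-0x000000000041A000-memory.dmp",
              "memory/2476-19-0x0000000000400000-0x0000000000442000-memory.dmp"],
    "dropped": {SAMPLE: "09b1701ef9e163324e8690a8fc1a184039599df3d218cd3d83a9ff9942f38d64"},
}

if __name__ == "__main__":
    for name, run in ("behavioral1 (win7)", WIN7), ("behavioral2 (win10)", WIN10):
        print(name)
        for finding in assess(run):
            print("  -", finding)
```

Running it lists four findings per run; for the win10 run the first is the 2916 to 3692 hollowing candidate, which the win7 run cannot produce because its report carries no write rows, so a report with missing indicator tables should be read against the memory-dump evidence rather than the signature list alone.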