Analysis Overview
SHA256
6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903
Threat Level: Shows suspicious behavior
The file 6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:57
Reported
2024-11-09 20:59
Platform
win7-20240903-en
Max time kernel
18s
Max time network
16s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\ketiz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\ketiz.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\ketiz.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | N/A |
| N/A | N/A | C:\Users\Admin\ketiz.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
"C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe"
C:\Users\Admin\ketiz.exe
"C:\Users\Admin\ketiz.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 280
Network
Files
memory/2860-0-0x0000000000400000-0x0000000000412000-memory.dmp
\Users\Admin\ketiz.exe
| Hash | Value |
|---|---|
| MD5 | ba8689c682bfbf1ff06d38be5801a76c |
| SHA1 | 537ec49c56706bcbe4c565ea792e84e277e1b227 |
| SHA256 | dde069830909ca2bf90f8909aaf0904218489f31817ec73d48d95aedd88049bd |
| SHA512 | 7f118e632185878d187e374e80bb3c08ffb128f159ef7eba49d099c838a5b46585167dfe070ca9ec96b103fa26fc20d944de32d5dd5616aceae11aac1a50f7ac |
memory/2156-16-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2860-15-0x0000000003830000-0x0000000003842000-memory.dmp
memory/2860-14-0x0000000003830000-0x0000000003842000-memory.dmp
memory/2156-25-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2860-26-0x0000000000400000-0x0000000000412000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:57
Reported
2024-11-09 20:59
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
101s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\seikux.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\seikux.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\seikux.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | N/A |
| N/A | N/A | C:\Users\Admin\seikux.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4204 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | C:\Users\Admin\seikux.exe |
| PID 4204 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | C:\Users\Admin\seikux.exe |
| PID 4204 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe | C:\Users\Admin\seikux.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe
"C:\Users\Admin\AppData\Local\Temp\6cf9e260e605ba7d6da7abaa529d170c1398c14f16ef39898f0ee2b110832903N.exe"
C:\Users\Admin\seikux.exe
"C:\Users\Admin\seikux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 676
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4204-0-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\seikux.exe
| Hash | Value |
|---|---|
| MD5 | 8214e2e085ecf68e6480dc36b75cc62f |
| SHA1 | ae12030961a2bda1d8c69bc16b16ad86ac3ff5d1 |
| SHA256 | a7f647a4f5bd0d733bb33e51c616bb90faef3aa85768ad14e4e19b0f98230e03 |
| SHA512 | a1d7d017e6bd9c77b89a95c19be9655c0ec9e594d226b61b43283960378769e2aee8aca783bc175e348916beac54f0a0f0ebc9cb9adf49b2499ef01fbef486df |
memory/2104-33-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4204-37-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2104-38-0x0000000000400000-0x0000000000412000-memory.dmp