Analysis Overview
SHA256
ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a
Threat Level: Shows suspicious behavior
The file ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Indicator Removal: File Deletion
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:39
Reported
2024-11-10 01:42
Platform
win7-20240903-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\wuauclt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe | N/A |
Indicator Removal: File Deletion
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Update\wuauclt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe
"C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe"
C:\ProgramData\Update\wuauclt.exe
"C:\ProgramData\Update\wuauclt.exe" /run
C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe" >> NUL
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | tcp |
Files
\ProgramData\Update\wuauclt.exe
| MD5 | 4965ceb9a2b8357efc11809dea7f9038 |
| SHA1 | 0ba7e246d7d8da9206b31e9b7875db8e1bbac3b7 |
| SHA256 | c6c1038954847dfdd07204efb73fba838a2b2165114f65c0206c81a787b5242d |
| SHA512 | fe0983149cd93765a697e0a9dbb5e210f23253d73ec03c9d532b01e8d42ec942c81875a8b897f3de2a25ebf7dfa5c529859e6b0050ccab6ae3f9d0cb2d2d7ff2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:39
Reported
2024-11-10 01:42
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
142s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\wuauclt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe | N/A |
Indicator Removal: File Deletion
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Update\wuauclt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe
"C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe"
C:\ProgramData\Update\wuauclt.exe
"C:\ProgramData\Update\wuauclt.exe" /run
C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe" >> NUL
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\ProgramData\Update\wuauclt.exe
| MD5 | 1aab322529410bb409300f5a6b8f0287 |
| SHA1 | a9a124adcbe19ad6b76cdb1c1c90a70d898ea419 |
| SHA256 | a37a07e88c7833f19e9ae63eb534e7ea7bb4cf86e619b07ef93522ca6abc79fb |
| SHA512 | 604fa4f4b89a87314035c63ab5bece23c2386f879eec8e308e93deb34d693432a4b61b55c63c2272748e091241daa5b2cee994c3f588abdadad0d812410d8d33 |