Analysis Overview
SHA256
ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516
Threat Level: Known bad
The file ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:42
Reported
2024-11-10 01:45
Platform
win7-20241023-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Admin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 596 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
| PID 596 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
| PID 596 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
| PID 596 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe
"C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 206.189.185.75:8000 | ns1.theimageparlour.net | tcp |
Files
\Users\Admin\Admin.exe
| MD5 | 2ae272efca5a8f74f1cb73abcc8aebeb |
| SHA1 | f163b9364b3322ad9c5760908075412c94757694 |
| SHA256 | e984ad31248f7f296c936bf49027e18a94bbdcd82e053e2497bf22cda5349d40 |
| SHA512 | 0b38e3e4ceb4bd4654a632f7674d664fe60bd7e5cd43cd6d8dd02379139cf79dc30c8843189022f4c95a86d4cfd4f7894c95829e3b81ecd3cf30c17a7209e9fa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:42
Reported
2024-11-10 01:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Admin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1948 wrote to memory of 244 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
| PID 1948 wrote to memory of 244 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
| PID 1948 wrote to memory of 244 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe
"C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\Admin.exe
| MD5 | b613a3a998366e15c7ceda4a0431e9f9 |
| SHA1 | 46b2cb6e02efbb0a6a866c93ec8bb5a0a73db9e9 |
| SHA256 | 5b8d53fd00e1ad230fafe54b439cc25d7843e4611ed862990326d1edeaeced86 |
| SHA512 | ac49bbb5f2f3ee3e00ba7f4d9e2720194727a35905cba094278b63d3b151f7a3ff06262ec9b9c585742dab6de76ec3b5c9b9770e1d0ef24520b90b0fa7ac177a |
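The signature tables in behavioral1 and behavioral2 above carry the indicators an analyst actually pivots on (the Run value, the ShowSuperHidden write, the NLS/Geo reads, the parent-to-child WriteProcessMemory events), and the network tables mix one real outbound connection with reverse-lookup noise. The script below is an added example, not part of the sandbox report or its tooling: it parses rows shaped like those four-column tables, maps them to findings, and separates the forward lookup and the TCP endpoint from the in-addr.arpa queries. The row layout, the ATT&CK technique IDs and the `Finding` structure are this example's own assumptions; the sample rows are constructed from the values printed above.

```python
"""Triage helper for the indicator and network tables in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK ID: this example's mapping, not the sandbox's
    summary: str
    process: str
    pivot: str      # registry path, file path or PID pair to chase next


# Constructed sample rows copied from the behavioral1/behavioral2 tables above.
# The Run value keeps the doubled backslashes exactly as the report prints them.
INDICATOR_ROWS = r"""
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Admin.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | N/A |
| PID 596 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
| PID 596 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\ae150a883e0db18a07a8330047b9ca6c38b9efc26302acc30ab46dc17b4f7516.exe | C:\Users\Admin\Admin.exe |
"""

NETWORK_ROWS = r"""
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 206.189.185.75:8000 | ns1.theimageparlour.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
"""

# Patterns over the Description / Indicator cells as the report prints them.
RUN_VALUE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\ ]+) = "(?P<path>.*)"$')
SUPER_HIDDEN = re.compile(r'\\Explorer\\Advanced\\ShowSuperHidden = "0"$')
NLS_LANGUAGE = re.compile(r'\\Control\\NLS\\Language$')
GEO_NATION = re.compile(r'\\Control Panel\\International\\Geo\\Nation$')
WROTE_MEMORY = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$')


def parse_table(text):
    """Split '| a | b | c | d |' rows into lists of stripped cells."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("|"):
            rows.append([c.strip() for c in line.strip("|").split("|")])
    return rows


def classify_indicators(rows):
    """Map indicator rows to deduplicated findings, first occurrence wins."""
    findings = []
    for desc, indicator, process, target in rows:
        f = None
        if desc.startswith("Set value") and (m := RUN_VALUE.search(indicator)):
            # The report escapes backslashes in value data; undo that so the
            # pivot is a usable file path.
            path = m.group("path").replace("\\\\", "\\")
            f = Finding("T1547.001", f"Run value '{m.group('name')}' -> {path}", process, path)
        elif desc.startswith("Set value") and SUPER_HIDDEN.search(indicator):
            key = indicator.split(" = ")[0]
            f = Finding("T1564.001", "ShowSuperHidden set to 0: protected OS files hidden in Explorer", process, key)
        elif NLS_LANGUAGE.search(indicator):
            f = Finding("T1614.001", "reads system language from NLS\\Language", process, indicator)
        elif GEO_NATION.search(indicator):
            f = Finding("T1614", "reads Geo\\Nation (country) setting", process, indicator)
        elif (m := WROTE_MEMORY.match(desc)):
            # The report only calls this "suspicious"; a parent writing into a
            # child it just spawned is a lead for injection, not proof of it.
            f = Finding("T1055", f"PID {m['src']} wrote into PID {m['dst']} ({target})", process, f"{m['src']}->{m['dst']}")
        if f is not None and f not in findings:
            findings.append(f)
    return findings


def persisted_binaries_that_ran(findings, rows):
    """Run-key targets that also appear as a process in the same run."""
    ran = {r[2] for r in rows}
    return [f.pivot for f in findings if f.technique == "T1547.001" and f.pivot in ran]


def classify_network(rows):
    """Separate forward lookups and real endpoints from reverse-lookup noise."""
    resolved, ptr_noise, endpoints = [], [], []
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if domain.endswith(".in-addr.arpa"):
            ptr_noise.append(domain)      # PTR queries: usually OS/telemetry noise
        elif proto == "udp" and port == "53":
            resolved.append(domain)       # forward lookup the sample issued
        else:
            endpoints.append((host, int(port), proto, domain))
    return {"resolved": resolved, "ptr_noise": ptr_noise, "endpoints": endpoints}


if __name__ == "__main__":
    rows = parse_table(INDICATOR_ROWS)
    for f in classify_indicators(rows):
        print(f.technique, f.summary, "|", f.pivot)
    print("persisted and executed:", persisted_binaries_that_ran(classify_indicators(rows), rows))
    print(classify_network(parse_table(NETWORK_ROWS)))
```

Run against the two behavioral tables, this reduces the report to the pivots worth chasing: the Run value pointing at C:\Users\Admin\Admin.exe (which both runs also execute), the ShowSuperHidden write under the user hive, and the single TCP endpoint 206.189.185.75:8000 tied to the ns1.theimageparlour.net lookup; the in-addr.arpa rows in behavioral2 drop out as reverse-lookup noise.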