Analysis Overview
SHA256
8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031
Threat Level: Shows suspicious behavior
The file 8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:25
Reported
2024-11-10 01:27
Platform
win7-20240903-en
Max time kernel
36s
Max time network
37s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2840 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | C:\Users\Admin\AppData\Local\Temp\edur.exe |
| PID 2840 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | C:\Users\Admin\AppData\Local\Temp\edur.exe |
| PID 2840 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | C:\Users\Admin\AppData\Local\Temp\edur.exe |
| PID 2840 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | C:\Users\Admin\AppData\Local\Temp\edur.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe
"C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe"
C:\Users\Admin\AppData\Local\Temp\edur.exe
"C:\Users\Admin\AppData\Local\Temp\edur.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thenoblelaw.com | udp |
| US | 104.26.3.206:443 | thenoblelaw.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
Files
memory/2840-1-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2840-0-0x0000000000290000-0x0000000000296000-memory.dmp
memory/2840-7-0x0000000000290000-0x0000000000296000-memory.dmp
\Users\Admin\AppData\Local\Temp\edur.exe
| MD5 | f15167d3ca43016df589e1afe9324418 |
| SHA1 | 124a7bec9f8fa41d367144191321cf376ed8c30d |
| SHA256 | 7b40152214aec3fcf393098a0b8ab5ef95e31296f928cc5d7de1a94335a0600c |
| SHA512 | 939d08a1da8aeb831c1c4477f7591a22b6abcd9187b47ef1875f5eaf3347d86fc6b8992e943bdba93e175851d866ee475d2faccb5e955190f1b4215124dc0f30 |
memory/2896-18-0x00000000003F0000-0x00000000003F6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:25
Reported
2024-11-10 01:27
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
100s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | C:\Users\Admin\AppData\Local\Temp\edur.exe |
| PID 3048 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | C:\Users\Admin\AppData\Local\Temp\edur.exe |
| PID 3048 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | C:\Users\Admin\AppData\Local\Temp\edur.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe
"C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe"
C:\Users\Admin\AppData\Local\Temp\edur.exe
"C:\Users\Admin\AppData\Local\Temp\edur.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thenoblelaw.com | udp |
| US | 104.26.3.206:443 | thenoblelaw.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 206.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3048-0-0x00000000021C0000-0x00000000021C6000-memory.dmp
memory/3048-1-0x00000000021C0000-0x00000000021C6000-memory.dmp
memory/3048-2-0x0000000000400000-0x0000000000405000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\edur.exe
| MD5 | f15167d3ca43016df589e1afe9324418 |
| SHA1 | 124a7bec9f8fa41d367144191321cf376ed8c30d |
| SHA256 | 7b40152214aec3fcf393098a0b8ab5ef95e31296f928cc5d7de1a94335a0600c |
| SHA512 | 939d08a1da8aeb831c1c4477f7591a22b6abcd9187b47ef1875f5eaf3347d86fc6b8992e943bdba93e175851d866ee475d2faccb5e955190f1b4215124dc0f30 |
memory/952-23-0x0000000002020000-0x0000000002026000-memory.dmp