Analysis Overview
SHA256
7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
Threat Level: Shows suspicious behavior
The file 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:33
Reported
2024-11-10 01:36
Platform
win7-20241010-en
Max time kernel
106s
Max time network
18s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fihspepz = "C:\\Program Files (x86)\\rvsolbevkh\\pdcosw.exe" | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Synaptics.7z | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A |
| File opened for modification | C:\Windows\Synaptics.rs | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A |
| File created | C:\Windows\Synaptics.7z | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| File created | C:\Windows\Synaptics.rs | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
"C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\update.bat
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Program Files (x86)\rvsolbevkh\pdcosw.exe
"C:\Program Files (x86)\rvsolbevkh\pdcosw.exe"
Network
Files
memory/2904-0-0x0000000000260000-0x000000000026B000-memory.dmp
memory/2904-1-0x0000000000260000-0x000000000026B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\update.bat
| MD5 | 755ae2509932ae47b07c7b96b3ea41bf |
| SHA1 | 8b27354184939c4483d0c07bc0b067af13617e9f |
| SHA256 | e326773bedbc28e66842933901c9a277960dbf17e4cdf40465bbd39e14701b0f |
| SHA512 | e4cbff4b674d3e72efdd3e949b1ddff681b60c9f9999f3767101fb189e349fbf2b3fd9c2c5242090863257c441294127f12615a49353f2ff551ee61366f69ad5 |
\Program Files (x86)\rvsolbevkh\pdcosw.exe
| MD5 | e547e76f0f4d9826d52b97c35ef3322f |
| SHA1 | 40598d7df8245c5ee9842003bb6761b4254ac8af |
| SHA256 | 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd |
| SHA512 | 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9 |
C:\Windows\Synaptics.rs
| MD5 | ea29a928121503e9659a143a41bcc81a |
| SHA1 | bb39d03bbd600d6ffdb9b763797493eaccd61f64 |
| SHA256 | e90a70e3fd28c4b44e1e3c5e2fd6993e31f1821cefd305a227393c9fb9013a13 |
| SHA512 | 52119eb71742b63f215443389d3e39148131ca5ba0b3675b27c7ecf297fabb5b0ac80bc8a5f609482afb30778e5ffc7ce590815500e1c752eee807446e25c399 |
memory/2840-22-0x0000000000350000-0x000000000035B000-memory.dmp
C:\Windows\Synaptics.7z
| MD5 | 3ce00833d4427d727d98f8f4105ad476 |
| SHA1 | 119e9267eb9e33346fd3344024619c9edc42c43d |
| SHA256 | 0188fec66b72b38273b934e4f3c91b9e713d21f6aaac1ca012a69e956e5b1cc8 |
| SHA512 | 913e1207043a4e46261d9de697d2e10580ad276b1b17ddd166ece0583e6f251607e59881006afbe43795b68ea0bb2c967b4b78797ce195d21d28491a733aeea1 |
memory/2840-18-0x0000000000350000-0x000000000035B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:33
Reported
2024-11-10 01:36
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\dxxmuvdll\pfsgc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skqyealh = "C:\\Windows\\dxxmuvdll\\pfsgc.exe" | C:\Windows\dxxmuvdll\pfsgc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\dxxmuvdll\pfsgc.exe | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| File opened for modification | C:\Windows\Synaptics.7z | C:\Windows\dxxmuvdll\pfsgc.exe | N/A |
| File opened for modification | C:\Windows\Synaptics.rs | C:\Windows\dxxmuvdll\pfsgc.exe | N/A |
| File created | C:\Windows\Synaptics.7z | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| File created | C:\Windows\Synaptics.rs | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| File created | C:\Windows\dxxmuvdll\pfsgc.exe | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\dxxmuvdll\pfsgc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A |
| N/A | N/A | C:\Windows\dxxmuvdll\pfsgc.exe | N/A |
| N/A | N/A | C:\Windows\dxxmuvdll\pfsgc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe
"C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\update.bat
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Windows\dxxmuvdll\pfsgc.exe
"C:\Windows\dxxmuvdll\pfsgc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/1384-0-0x00000000025E0000-0x00000000025EB000-memory.dmp
memory/1384-1-0x00000000025E0000-0x00000000025EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\update.bat
| MD5 | 152003139841d58f909f8ca56fda521a |
| SHA1 | 96bfbe5604145b2fe44b46157779f57ca291ab31 |
| SHA256 | bdb7479d8dcc715a82e7dda74a7f9679dc876eb1952fc58df6598be6be7f3a7b |
| SHA512 | c387d8cc4fa834bf72f2326794947ec22918e04cdcaab0c59291819d4398adcd25d2b0eb5895f47de6fd090e1d2fa02164cadcc22f23cdd0cd5b23a5f9b4a158 |
C:\Windows\dxxmuvdll\pfsgc.exe
| MD5 | e547e76f0f4d9826d52b97c35ef3322f |
| SHA1 | 40598d7df8245c5ee9842003bb6761b4254ac8af |
| SHA256 | 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd |
| SHA512 | 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9 |
C:\Windows\Synaptics.rs
| MD5 | 04d02ca8fb5a9059fb3f67f95529ff20 |
| SHA1 | 387900e985fae707bd81af35b91aabf6ada7b956 |
| SHA256 | ed7af1f4475ff6498b936e0b92f69c2d5c127c2eaf4e4e4d9d5c706406016340 |
| SHA512 | 3004f939bd4ba8d87b116521c94298be9041b41ae9fc8929ca3ccc32a05b4aa969b5537c6364ffa8724b5e271dab298f626370437e3a43cf9dd951d7723b1c1f |
memory/440-16-0x0000000000A50000-0x0000000000A5B000-memory.dmp
memory/440-12-0x0000000000A50000-0x0000000000A5B000-memory.dmp