Analysis Overview
SHA256
8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51
Threat Level: Known bad
The file 8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51 was found to be: Known bad.
Malicious Activity Summary
Xred family
ModiLoader Second Stage
Modiloader family
Cobaltstrike family
Detects Zeppelin payload
Zloader family
Zeppelin family
Revengerat family
Njrat family
AutoIT Executable
Unsigned PE
System Location Discovery: System Language Discovery
NSIS installer
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 15:01
Signatures
Cobaltstrike family
Detects Zeppelin payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Modiloader family
Njrat family
Revengerat family
Xred family
Zeppelin family
Zloader family
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 15:00
Reported
2024-11-10 15:04
Platform
win7-20240903-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe
"C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 15:00
Reported
2024-11-10 15:04
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe
"C:\Users\Admin\AppData\Local\Temp\8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |