Analysis Overview
SHA256
0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5
Threat Level: Likely malicious
The file 0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5 was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Adds Run key to start application
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-11 12:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-11 12:45
Reported: 2024-11-11 12:48
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 120s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\stubpath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apple.exe" | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2068 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2068 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2068 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2068 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe
"C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | exeinfo1.org | udp |
| US | 8.8.8.8:53 | blog.chosun.com | udp |
| KR | 218.145.28.120:80 | blog.chosun.com | tcp |
| US | 8.8.8.8:53 | blog.daum.net | udp |
| US | 8.8.8.8:53 | opaoxf112.blog.163.com | udp |
| CN | 59.111.160.244:80 | opaoxf112.blog.163.com | tcp |
| US | 8.8.8.8:53 | lokias111234.blog.163.com | udp |
| CN | 59.111.160.244:80 | lokias111234.blog.163.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1.bat
| Hash | Value |
|---|---|
| MD5 | 07c55247fd9e8ad5cb866186ea6b5339 |
| SHA1 | 8a48049ee19eaf4b5a9095de677e35ed8246f3d7 |
| SHA256 | 7384d731390de7ecc588a1aadf77fc4244ff9ecf3e618f4b505e47b6e218280c |
| SHA512 | 514f3e154348cc2b01ee8d6b64bc8f994a0f474d2b76806ac956cf8b4f13eceb602edf0c678b23c6241abbc3c659338fa063bd2f2a706fb85c144ee211244e7c |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-11 12:45
Reported: 2024-11-11 12:48
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 134s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\3614402243784737 | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\3614402243784737\stubpath = "C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\apple.exe" | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Common Files\Apple\Mobile Device Support\apple.exe | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Apple\Mobile Device Support\apple.exe | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe
"C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\3614402243784737" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | exeinfo1.org | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blog.chosun.com | udp |
| KR | 218.145.28.120:80 | blog.chosun.com | tcp |
| US | 8.8.8.8:53 | blog.daum.net | udp |
| US | 8.8.8.8:53 | opaoxf112.blog.163.com | udp |
| CN | 59.111.160.244:80 | opaoxf112.blog.163.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.28.145.218.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lokias111234.blog.163.com | udp |
| CN | 59.111.160.244:80 | lokias111234.blog.163.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1.bat
| Hash | Value |
|---|---|
| MD5 | 07c55247fd9e8ad5cb866186ea6b5339 |
| SHA1 | 8a48049ee19eaf4b5a9095de677e35ed8246f3d7 |
| SHA256 | 7384d731390de7ecc588a1aadf77fc4244ff9ecf3e618f4b505e47b6e218280c |
| SHA512 | 514f3e154348cc2b01ee8d6b64bc8f994a0f474d2b76806ac956cf8b4f13eceb602edf0c678b23c6241abbc3c659338fa063bd2f2a706fb85c144ee211244e7c |