Analysis Overview
SHA256
1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3
Threat Level: Likely malicious
The file 1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Deletes itself
Checks computer location settings
Executes dropped EXE
Indicator Removal: File Deletion
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 23:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 23:58
Reported
2024-11-14 00:00
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\rwmhost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\rwmhost.exe | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
| File opened for modification | C:\Windows\Debug\rwmhost.exe | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
| File opened for modification | C:\Windows\Debug\rwmhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\rwmhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe
"C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1EB072~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fD4pa7lls.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | FtF0s5Ftct.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | pawCdZiUL7.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | Pm7NuXCc5L.nnnn.eu.org | udp |
Files
memory/1852-0-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\debug\rwmhost.exe
| MD5 | 613e1c70cd6706b2c63c8be5682ec133 |
| SHA1 | 34c9c9f29ab73384cbaeb4802b553d01234d2dfe |
| SHA256 | c6cf4e38d188df766b46a79ee045da2bd15504d8ad56a38c3b982f015c9ff6cb |
| SHA512 | a0e0d4f59aaa67d8a9511bd07d76e41bda68ea1f4dfbaaf04f7759601c5227787c75b80727d71e583edffa4c8958ae3ff38be9f790c981ab745fd42726473bce |
memory/1852-5-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2936-6-0x0000000000400000-0x0000000000411000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 23:58
Reported
2024-11-14 00:00
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
96s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\tuehost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\tuehost.exe | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
| File opened for modification | C:\Windows\Debug\tuehost.exe | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
| File opened for modification | C:\Windows\Debug\tuehost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\tuehost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe
"C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\tuehost.exe
C:\Windows\Debug\tuehost.exe
C:\Windows\Debug\tuehost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1EB072~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | VeV17Px9.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8hVI8vqnUD.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iNCTQtKvER.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | I3tfhrJ3y9.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1208-0-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Windows\debug\tuehost.exe
| MD5 | c52f07726bf21d1df1b250ffc1a40ea5 |
| SHA1 | 92fdfe3d41a932a64b9ab5f3234cb00c149397a1 |
| SHA256 | b44bc3c9e4c23d7bf459a8cc675bd3f98f852d93212d8404b08feec2271cddce |
| SHA512 | aa5ded977c03e306038c2ea4a36728392e06481e08f743a217a9d85716a25f64b67f1be5c3752dd86b7855dc18c823d84598aeb51cca809ea767ff24e3180f5b |
memory/2820-5-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2820-6-0x0000000000400000-0x0000000000411000-memory.dmp