Analysis Overview
SHA256
03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6c
Threat Level: Shows suspicious behavior
The file 03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Indicator Removal: File Deletion
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 02:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 02:24
Reported
2024-11-13 02:26
Platform
win7-20241010-en
Max time kernel
81s
Max time network
91s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Graphics\guifx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graphics = "\"C:\\ProgramData\\Graphics\\guifx.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A |
Indicator Removal: File Deletion
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Graphics\guifx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe
"C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe"
C:\ProgramData\Graphics\guifx.exe
"C:\ProgramData\Graphics\guifx.exe" /run
C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe" >> NUL
Network
| Country | Destination | Domain | Proto |
| KR | 165.194.123.67:443 | | tcp |
| KR | 165.194.123.67:443 | | tcp |
Files
\ProgramData\Graphics\guifx.exe
| MD5 | 63290cb42842747694ee188892fc9f11 |
| SHA1 | b4a2ca0d670ea721e581a8bc5755701f399512b9 |
| SHA256 | 5597b2853fe6e79614ba0f855c5f9402411e8b6aa9e0fec35df9fddc2e7c7af9 |
| SHA512 | 6cb3d6bb5d8372c8921e154f20a32a4709e20b326b9757e05903e114b759addcf87571782bda44c3e4b503308a0d48dcf886226f050b7b520ee30671dd358300 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 02:24
Reported
2024-11-13 02:26
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Graphics\guifx.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graphics = "\"C:\\ProgramData\\Graphics\\guifx.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A |
Indicator Removal: File Deletion
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Graphics\guifx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe
"C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe"
C:\ProgramData\Graphics\guifx.exe
"C:\ProgramData\Graphics\guifx.exe" /run
C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe" >> NUL
Network
| Country | Destination | Domain | Proto |
| KR | 165.194.123.67:443 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 165.194.123.67:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\Graphics\guifx.exe
| MD5 | b984e80a9b1dacb5a72c964fac5dc9d7 |
| SHA1 | 6dff49909f6b9ba0b63395ce8935a2a37022f8a5 |
| SHA256 | 5185718249aeeeb74f5ad2de8b56cc624f86836e51eeb01d904e2e57025ac039 |
| SHA512 | d947f16eb5cc5803fb96389091bd9ef0a5c5e1ebd3212825f2f2f004168f7c369f1ed106d9ec60b1d1c7207646bd375c61360299000e8b501ad99ab2e0595c33 |