Analysis Overview
SHA256
e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267
Threat Level: Likely malicious
The file e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267 was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Deletes itself
Checks computer location settings
Executes dropped EXE
Indicator Removal: File Deletion
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 03:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 03:40
Reported
2024-11-13 03:43
Platform
win7-20241023-en
Max time kernel
141s
Max time network
126s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Debug\zskhost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
| File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\zskhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\zskhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\zskhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe
"C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E53BDC~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.47.188:443 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | G35yLgUWLS.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | qkG9cexd4g.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | QwxLN8xlou.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 0cfWe5Rt2c.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | aIqiP3uVmp.nnnn.eu.org | udp |
Files
C:\Windows\Debug\zskhost.exe
| MD5 | 46416814fb52be25d0767e6ad564c1db |
| SHA1 | 7a417bccaca29e7b34379eff889e4b52de985063 |
| SHA256 | b27963c7052fcd49820d436ccdd934db446042e983af4062360a1b034ba7170e |
| SHA512 | 7b6a49a3ddac24d233e94008a1594653d15f804fdb1cde9dbf00f363714f1fa807d8bf8a8a991eae918cb4ad9f0f42dec30fca9b4f00a50b9c3df472c3d9cb55 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 03:40
Reported
2024-11-13 03:43
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
134s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Debug\guehost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Debug\guehost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\Debug\guehost.exe | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
| File opened for modification | C:\Windows\Debug\guehost.exe | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\guehost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\guehost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\guehost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe
"C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\guehost.exe
C:\Windows\Debug\guehost.exe
C:\Windows\Debug\guehost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E53BDC~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.47.188:443 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.47.235.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | DDxNyLHj1c.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nteYFJHrlq.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | NZLkWnlyVY.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xGWvIlEaEm.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | XwE6ZFiiy0.nnnn.eu.org | udp |
Files
C:\Windows\debug\guehost.exe
| MD5 | dea7cdca568ec35982918b5dafabe5a5 |
| SHA1 | d5315d1776b4f332c1af85c763fbd828aae3c67e |
| SHA256 | f4bb62e5f0fd7054721daa56c796e99094d617ffc6f73b9c89f50c2b84e0767b |
| SHA512 | 210b65902dbf0098d9ce30e698b2470c30cd55a416e686bb7686ccf4d9c417c71fa0d378eb7615f45d118e84ca8c4056038a4352a94c1b16570decbac86ea142 |