Analysis Overview
SHA256
15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29
Threat Level: Likely malicious
The file 15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Checks computer location settings
Executes dropped EXE
Deletes itself
Indicator Removal: File Deletion
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 05:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 05:12
Reported
2024-11-13 05:14
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Debug\rwmhost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Debug\rwmhost.exe | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
| File opened for modification | C:\Windows\Debug\rwmhost.exe | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
| File opened for modification | C:\Windows\Debug\rwmhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\rwmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\rwmhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\rwmhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe
"C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\15A41E~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.46.96:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | nc5NCFdJxM.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | NImZxD7Qa.nnnn.eu.org | udp |
Files
C:\Windows\Debug\rwmhost.exe
| MD5 | 7c473a6a757fb3ffcde134494144cd06 |
| SHA1 | b37348d9ebad3ae6a5cbbfc3601c7a48d8ce9246 |
| SHA256 | 06d372947bbc93675b7b9fe16cce04f105e5f101003798ef66ed5d1c2e3cb2fd |
| SHA512 | 935cefe1bdc781b24c4f9cd971ea455e1e1c49f4d092c82941359739e717061b7e0b8b416946f073ea41c9f2800a199b04bef7bc11c8a2997726c7fa76e28f61 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 05:12
Reported
2024-11-13 05:14
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
96s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Debug\foohost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Debug\foohost.exe | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
| File opened for modification | C:\Windows\Debug\foohost.exe | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
| File opened for modification | C:\Windows\Debug\foohost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\foohost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\foohost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\foohost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe
"C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\foohost.exe
C:\Windows\Debug\foohost.exe
C:\Windows\Debug\foohost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\15A41E~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.46.96:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.46.235.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rzDzYaq5lC.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | RfuKYJDVQ.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\debug\foohost.exe
| MD5 | 4f45f972a271b31c30141c5455dba894 |
| SHA1 | 67d23364d5350f5461b6db9c77b9f7ee54a54ca5 |
| SHA256 | 2969b182cc0f8a41c621240efaa6318fa9632a16b2899fb2d706f14a143bd741 |
| SHA512 | 94148375d12211416063114c7fb685290b6af3660fcbffe712e878ea7ea475ba0bfba246f84262a1009138b62a8df520cdce54ceedc8a6f45becd37b49959964 |