Analysis Overview
SHA256
b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2
Threat Level: Shows suspicious behavior
The file b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Drops file in System32 directory
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 08:23
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 08:23
Reported
2024-11-13 08:25
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe" | C:\Users\Admin\AppData\Local\Temp\b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe | N/A |
Drops file in System32 directory
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe
"C:\Users\Admin\AppData\Local\Temp\b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1112-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Windows\SysWOW64\macromd\babe celebrating new years naked and spreading cunt.mpg.pif
| MD5 | e047a74483968d5ace5797a4dc02684a |
| SHA1 | 478029ba9dc1ce5da00360241882235cf87021ba |
| SHA256 | c2ba8bcec18ec15f0abbdd92f70d48f421774635f55133609873f31a53c6257c |
| SHA512 | b8ac145e56e0394cf0ae75dec40f18e4641dae64a289a9e02143996d9c07011e0fc7010ab5707ec58bae4a9419bdd9892d090a1c2e43fec2c4a1cbaa3f84f6b9 |
memory/1112-34-0x0000000000400000-0x0000000000467000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 08:23
Reported
2024-11-13 08:25
Platform
win7-20240903-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe" | C:\Users\Admin\AppData\Local\Temp\b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe | N/A |
Drops file in System32 directory
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe
"C:\Users\Admin\AppData\Local\Temp\b904ae346e3e732e2907322b35fdc731d617ee4d12f9696ec77154ae730e71f2.exe"
Network
Files
memory/2104-0-0x0000000000400000-0x0000000000467000-memory.dmp
C:\Windows\SysWOW64\macromd\Website Hacker.exe
| MD5 | e65e75648394962dbdfde3edfecc6298 |
| SHA1 | 34473455fc4e322dd1bcee04fac40bb6e1beaa87 |
| SHA256 | 11196c4273438575750cfadd524314428c006d0632c10f91190b4b5bfde73fed |
| SHA512 | 69f3abda9b9fc0de65987685c7fd89a4ad5e3a65d32bafe7c296832e6ecc1195e511ac187b793d6b31198c7e86e122cdc8bfe419a06a24e635db2e4740939e84 |
memory/2104-34-0x0000000000400000-0x0000000000467000-memory.dmp