Analysis Overview
SHA256: 61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42
Threat Level: Likely benign
The file DLL Injector_51084141.exe was found to be: Likely benign.
Malicious Activity Summary
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 15:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 15:19
Reported: 2024-11-13 15:24
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 152s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1872 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 1872 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 1872 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 1872 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe
"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
Network
Files
C:\Users\Admin\AppData\Local\link.txt
| MD5 | 3b226ac559aa75462620d15924c4b03e |
| SHA1 | 970ee2661dfe67df8c78312f381199b2abd2be7e |
| SHA256 | 2d08379362058d38979d3a0854a13c4250ddf691e453a04a12d1debaf395f58c |
| SHA512 | 4836a84c59b97f67bb408fbca6534307422fd1707aebfb9db9a0e5d7f114ccdbad3dabb5221adca7653c51b57336775c006319187aed10c25b7231cea97d3a3e |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 15:19
Reported: 2024-11-13 15:22
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 152s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe
"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"
Network