Analysis Overview
SHA256
ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61
Threat Level: Likely malicious
The file ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe was found to be: Likely malicious.
Malicious Activity Summary
Adds policy Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 18:29
Reported: 2024-11-13 18:31
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 96s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\livevideo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ErrorReportSent = "C:\\Users\\Admin\\AppData\\Roaming\\livevideo.exe" | C:\Users\Admin\AppData\Roaming\livevideo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\livevideo.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\livevideo.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe | "C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe" |
| C:\Users\Admin\AppData\Roaming\livevideo.exe | C:\Users\Admin\AppData\Roaming\livevideo.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UNISTA~1.BAT |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\livevideo.exe
| Hash | Value |
| --- | --- |
| MD5 | 422ad7ce96f9d01aae2abc6094fc3ca0 |
| SHA1 | fbcb866a91f550f0b5401a74cccc90e1ae1445b6 |
| SHA256 | d3f00a555dfa2b57f226ce3f22c05b2d7ea768716e110ae98cfec2c9a87eb473 |
| SHA512 | b84742ca2682dbe4962359219c7c7dd6e4858232b30738d1829e2e318e3b6fb0c027634bfda8b166bc5705ca0f012ea1218726af3ec10289f0d4f0dec14f5244 |
C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat
| Hash | Value |
| --- | --- |
| MD5 | f34869f5ab7d17ef52c916bd8c33598c |
| SHA1 | 98a0ac28be477c3478c7170bf1ef964875fe2aad |
| SHA256 | 8c2be2d52b12d583c8958d6b7feb5a3c2f831c5891c4044a92421ba11df0e038 |
| SHA512 | 5d65d59a217f5e30d88fb595441810465e68c4f544354a6ee771c41d38c333b00bf4290ed4a73a559cf5a6cc00c05a85ae954ec05042b4b403483df6612e14f8 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 18:29
Reported: 2024-11-13 18:31
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 117s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\livevideo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ErrorReportSent = "C:\\Users\\Admin\\AppData\\Roaming\\livevideo.exe" | C:\Users\Admin\AppData\Roaming\livevideo.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\livevideo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\livevideo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe | "C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe" |
| C:\Users\Admin\AppData\Roaming\livevideo.exe | C:\Users\Admin\AppData\Roaming\livevideo.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd /c UNISTA~1.BAT |
Network
Files
\Users\Admin\AppData\Roaming\livevideo.exe
| Hash | Value |
| --- | --- |
| MD5 | f165cd40f56b2f0a5e2d3c319cf2ae48 |
| SHA1 | bfd9fe52870671eb06e19b748be807273a0ee67d |
| SHA256 | 2a50e0bb47aa824e02fd151467db6e1e08a6e9d6bad220ead601f5cbbc7aa4f6 |
| SHA512 | 55824e1b956acb2a9f106b41cf3a8678bd9a9ad53b89de493abdb0ce793d9f81cc7ae517c6e8e59eccef9ae216d1f321ab2b0733a954a0bcab2393cf465f7fdc |
C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat
| Hash | Value |
| --- | --- |
| MD5 | f34869f5ab7d17ef52c916bd8c33598c |
| SHA1 | 98a0ac28be477c3478c7170bf1ef964875fe2aad |
| SHA256 | 8c2be2d52b12d583c8958d6b7feb5a3c2f831c5891c4044a92421ba11df0e038 |
| SHA512 | 5d65d59a217f5e30d88fb595441810465e68c4f544354a6ee771c41d38c333b00bf4290ed4a73a559cf5a6cc00c05a85ae954ec05042b4b403483df6612e14f8 |