Analysis Overview
SHA256
2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6
Threat Level: Known bad
The file 2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:37
Reported
2024-11-13 18:39
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\.exe" | C:\Users\Admin\.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe
"C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe"
C:\Users\Admin\.exe
"C:\Users\Admin\.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ns2.thepicturehut.net | udp |
Files
\Users\Admin\.exe
| Hash | Value |
|---|---|
| MD5 | 7e63bfc11e72324cd783d80bc98057cb |
| SHA1 | 60723fc9fa8bd0d557662715764277891ff8be04 |
| SHA256 | 7c863af83267c4a969d9d3fc98d36f0ada0b17b191cb76630d8594446b75104c |
| SHA512 | 57f1189868cbb94745bad5e4f895fdb51f03cfc0695c32f78b42de91f3c7edccba5d2163028cc4e32866efc6b5c0f3a961143c938d25d6b1c8c034588e017bb0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:37
Reported
2024-11-13 18:39
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\.exe" | C:\Users\Admin\.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe
"C:\Users\Admin\AppData\Local\Temp\2df394ecf433b6717762785b8354cfa291c0ad44324d5fc8b58e2fe9849790a6N.exe"
C:\Users\Admin\.exe
"C:\Users\Admin\.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns3.thepicturehut.net | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\.exe
| Hash | Value |
|---|---|
| MD5 | b27a518e8edc9f358e3315c26da04b25 |
| SHA1 | 288d2560a4a866e9c560c5ebec3d57c355e0b849 |
| SHA256 | bf1de535398c886b4341473b0152f96484b2eb6fd8e4e3b457a06e00e3c041b0 |
| SHA512 | 95c0c24e7c727e1fb9ee07d2278e1464d037bcc5e54030fe8b970ccb2600e93f8bbe1981daa906473a3eaf653fac1382eac836fab15ef92b2ae27bc4e45a4744 |