Analysis Overview
SHA256
2dd34422bc7e9bb3d35d492e97d38c043db7e115c3bf85deacb99163d8faf63c
Threat Level: Likely benign
The file google.exe was found to be: Likely benign.
Malicious Activity Summary
Hide Artifacts: Hidden Files and Directories
Unsigned PE
System Location Discovery: System Language Discovery
Views/modifies file attributes
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:04
Reported
2024-11-13 20:32
Platform
win11-20241023-es
Max time kernel
423s
Max time network
443s
Command Line
Signatures
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mode.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\google.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\google.exe
"C:\Users\Admin\AppData\Local\Temp\google.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
C:\Windows\SysWOW64\mode.com
mode con:cols=0120 lines=0030
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title Window Title
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\i6.bat
| MD5 | 0f8f70e88009593eefaa155a8e31b1d6 |
| SHA1 | eabcc3f2135e0919e9456da0a4b1084f3382d4b6 |
| SHA256 | 941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b |
| SHA512 | 94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750 |
C:\Users\Admin\AppData\Local\Temp\i6.t
| MD5 | a5ea0ad9260b1550a14cc58d2c39b03d |
| SHA1 | f0aedf295071ed34ab8c6a7692223d22b6a19841 |
| SHA256 | f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04 |
| SHA512 | 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74 |