Analysis Overview
SHA256
2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8
Threat Level: Likely malicious
The file 2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Deletes itself
Checks computer location settings
Executes dropped EXE
Indicator Removal: File Deletion
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Views/modifies file attributes
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:58
Reported
2024-11-13 21:00
Platform
win7-20240903-en
Max time kernel
110s
Max time network
98s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\rwmhost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\rwmhost.exe | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
| File opened for modification | C:\Windows\Debug\rwmhost.exe | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
| File opened for modification | C:\Windows\Debug\rwmhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\rwmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\rwmhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\rwmhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe
"C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
C:\Windows\Debug\rwmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2AB464~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.47.188:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | b94ptZM6p.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | pl0SN3UJX.nnnn.eu.org | udp |
Files
memory/2692-0-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\Debug\rwmhost.exe
| MD5 | eaf7f8250be27fdeb00dcc294aff34f7 |
| SHA1 | 2b291150522c08f863a6fac75fadfc9163d29ca9 |
| SHA256 | 134146689a72e5d2cbc8ee76740bf2943d44dae2c1a880346d5119faf76378ee |
| SHA512 | 64e133084574cb417a58a82d77545089eb5fa4372ce891a0d6811b74ebf3d87882f0f40be007624d6a577fbc929095868fe5d55686e53c2a725795fba0b90504 |
memory/2716-5-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2692-6-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2716-7-0x0000000000400000-0x0000000000410000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:58
Reported
2024-11-13 21:00
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
101s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\nkmhost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\nkmhost.exe | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
| File opened for modification | C:\Windows\Debug\nkmhost.exe | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
| File opened for modification | C:\Windows\Debug\nkmhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\nkmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\nkmhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\nkmhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe
"C:\Users\Admin\AppData\Local\Temp\2ab46467d09aba5f79490a86175c0ea43085956e86c22f54f65c18dce2c7fdd8N.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\nkmhost.exe
C:\Windows\Debug\nkmhost.exe
C:\Windows\Debug\nkmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2AB464~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.47.188:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.47.235.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b94ptZM6p.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | pl0SN3UJX.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
Files
memory/756-0-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\debug\nkmhost.exe
| MD5 | af793af544bec0b7d7025d6f84bb43d2 |
| SHA1 | 97df347fca6d8b6d10fe2e79ddca0501d8c7e98f |
| SHA256 | f9ad276142cbb7cb5ec7579e4622c51aeb3921fe812f3447c44757fd76368c72 |
| SHA512 | 846eacd27b25e0fb80749615661d22409e9fecb9d73379f59d19167dde2b92d28cf7e0ce37262ca904ab5846d536d3ad51dd8e0feab61b21e476aa225174448b |
memory/756-5-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4896-6-0x0000000000400000-0x0000000000410000-memory.dmp