Analysis Overview
SHA256: 82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6
Threat Level: Shows suspicious behavior
The file 82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Indicator Removal: File Deletion
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 02:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 02:14
Reported
2024-11-14 02:16
Platform
win7-20240903-en
Max time kernel
68s
Max time network
37s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqsF872.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | N/A |
Indicator Removal: File Deletion
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqsF872.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | "C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe" |
| C:\Users\Admin\AppData\Local\Temp\eqsF872.tmp | "C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\82CDC7~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | efbkfqpcdh.com | udp |
| US | 8.8.8.8:53 | cffhqznqzd.com | udp |
Files
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
C:\Users\Admin\AppData\Local\Temp\eqsF872.tmp
C:\Program Files\7-Zip\RCXF9D1.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 02:14
Reported
2024-11-14 02:16
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
97s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqs9F1E.tmp | N/A |
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqs9F1E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe | "C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe" |
| C:\Users\Admin\AppData\Local\Temp\eqs9F1E.tmp | "C:\Users\Admin\AppData\Local\Temp\82cdc70ac4cab6e7044ac8a170cbee94fff6ff41892e22bb3db127ddbf5cf7f6N.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\82CDC7~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | efbkfqpcdh.com | udp |
| US | 8.8.8.8:53 | cffhqznqzd.com | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4692-0-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eqs9F1E.tmp
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\RCX9F50.tmp
memory/3852-28-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCXB3A7.tmp
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
C:\Program Files (x86)\Google\Update\RCXC857.tmp
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXCFC4.tmp
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCXD17F.tmp