Analysis Overview
SHA256
47f342e58849a9b93d440c80055fab232e1f56b5a884e683b4b23886a27e07ab
Threat Level: Shows suspicious behavior
The file 19891767927.zip was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-14 07:50
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-14 07:49
Reported: 2024-11-14 07:56
Platform: win10v2004-20241007-en
Max time kernel: 90s
Max time network: 206s
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe | "C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-14 07:49
Reported: 2024-11-14 07:56
Platform: win7-20240903-en
Max time kernel: 290s
Max time network: 126s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe | N/A |
| N/A | N/A | C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe | N/A |
| N/A | N/A | C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe | "C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe" |
| C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe | "C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe" |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 9629A863C0F0814D711B51207181FC54 C |
Files
\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe
| MD5 | 6de87d67c9f9ef771bbdaa5965338ff5 |
| SHA1 | 8957352035000b00a15b2a281f4b10c621b5c5b9 |
| SHA256 | 263978af3bd48ced50846e300e1770db0e77fc86c41648bec341b89eaa2f453d |
| SHA512 | f41773dd11b5f9bd3ceccc541ae06dfb8c0c953b9e790e7ef9ca1b607680e96c0d83a466fc48c38ce4f4fe8e225a3106b40a97169d50031397fd73e0e4e3d2e9 |
memory/1952-247-0x00000000109E0000-0x0000000010EE4000-memory.dmp
memory/1892-249-0x0000000000400000-0x0000000000904000-memory.dmp
C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\bin\nipie.exe
| MD5 | 97afaced2dff1b0487363ccf1fb4bfe1 |
| SHA1 | 61f747d8c5147e65b4d9ba8bef83f6a6b3b58af6 |
| SHA256 | 0b0aa8c40d51e2acf41df41af876cf31524a8f104575889fe6f6be8e004a1eb4 |
| SHA512 | 1c8d2dfbbe60c1f2a02c4c7b99e1c313b088f3c5afdfc6ae12860d554df7adaf5e731efd987eb2a2ac3a7e7413fe04ac932bf90ba064343a5d6ffa55949ea3ad |
C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\nidist.id
| MD5 | 827fcdd358f6462a79a6c37e1e41e81e |
| SHA1 | 87137a04590291875615a93be67bd60062d3d888 |
| SHA256 | 6765d23f5f954ff107d8dc773ae331090588fc63140aa9354e1c0462d3387ab5 |
| SHA512 | 1b071bc763449291ea0ae2107e477ab98d8e5b90440a8f982fc2f3edabc7707a2970b8e3de336e92aac7992ac544fa699ae73bdbebc1d5bf9150d80b9cf1cd5a |
C:\ProgramData\National Instruments\Installation Logs\InstallationSummaryLog.xml
| MD5 | ab99fb1815b2928ac8e532d9b791eb96 |
| SHA1 | 1148fa5977f6d5e0942ebd9e47e6e88a14917453 |
| SHA256 | 9a2990334e9c4e461611b3a2e6fefe323ad3ecc40e1a3d9c55cacdabae57c8a0 |
| SHA512 | e68bd58025a37b9f6bbe35763dc86f782c73f92800935099dc9c87904426c3f83ffdcf1b1f8f5edc916ab1facb3995ffc47f55682185e2585d6d22ef2476ee9c |
\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\Bin\data0009.dll
| MD5 | 2c1ec8342660c4516737ed7433cd1896 |
| SHA1 | 470205b85a7b38f3d1aba86885ee5a3188ead27e |
| SHA256 | d790183c10d4a5ad277a45a897e7540b2ed9bfbd1de4c0babef08fe612fc6beb |
| SHA512 | a8bdabfaed3bf6dbb578688988827343ce240ff9435d36502c2ebef0405581c23ea39675991b59e66a6386ec401d0e39c600d01c5da0c1afe9b3af124dc8e91d |
C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.ini
| MD5 | aea7cf8eeca111976ff8cb44209dbb8f |
| SHA1 | 94a8d39b2f4b14a338cf190d8327b723431ade6e |
| SHA256 | ed4c7e6ae15a8b93af2761309a645f24bc5cbc1d4f02134fc056ddde0c7f3dae |
| SHA512 | c85f57173d4196c32668470d4f165b118f7424f88b95a7efd01a9c4fbac435bed426a7f779f5ad68a664d6e4629b5564e0f0ef5fda5d9434c6b9a81bbbcdfb66 |
C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\Bin\merged.cab
| MD5 | c5ff3a28e9fbb505ad7087246ce975eb |
| SHA1 | 945d82d257d2de5349b5e553602ac34e282d4c22 |
| SHA256 | 97b1c44a59b9cd60513c61b55d977e0391fdde2c5cc21b9ff9ed75f8c390f749 |
| SHA512 | 39c8cbd9b6ed3a192f36279c2791c6b0bd3556eeca3c5c7ebfb5b2f7da7a87cc5667691d59b4a8aae323c1abb136442979cab791ef3d00e1329cb5d6dea8d23e |
C:\Users\Admin\AppData\Local\Temp\nii8386\merged.bin
| MD5 | 1bbc24e1d2b489ea8bc89dd022d267f3 |
| SHA1 | 10e8e374d1b7474286a469d3dc145e48e62d9219 |
| SHA256 | 93a57b53e469bb8763d799fdeddd8524dd7f38e91c6d894d41d6f17d45c9d076 |
| SHA512 | d8ee0f23907d5b4e3f0d1d7bea7f0417fe3dd0e42ab1517d8ae3886e78e3941d0e4bdd957cc5e9d329ee5a280f5764844a42744d2165165211c2c655773f5869 |
C:\Users\Admin\AppData\Local\Temp\MSIEB0A.tmp
| MD5 | 9094fea68e41f237d278e4b3e1132981 |
| SHA1 | 5a79ff5c25f1b7e8fbf213eb9a8cbd2c59feb264 |
| SHA256 | 11c4e79b10270ecfb63c66f77db9475b1280c7e0e22758e03870dd5448bf69af |
| SHA512 | ebdc71f0acbb349beed86d0b37c6c17b1db6ab2a9f53d2a318f8e4bc93de3ceba8674a96ea2648baac6e1f3cbc2036ff74d0c10318b77ded464cf2b0668c7e94 |
memory/1892-282-0x00000000041F0000-0x000000000426F000-memory.dmp
\Users\Admin\AppData\Local\Temp\MSIED6C.tmp
| MD5 | 1794273d68c05960f9f63c1d3161ff46 |
| SHA1 | 93a30b99c20c9c5d3098af33a9d1e39a3a7d2632 |
| SHA256 | 0e98183cb6b3e86f856cee579304cd71121a37b184386bed89e73157cbaa9aa9 |
| SHA512 | ed1cc815d8dd4b4d16e2b6aa65385c51853aea3ac6212f096abbc5461571693d4158db49ef20c5d5c3e18aff54e70812cd35d195d0e41517f421a1e1853d14bb |
C:\Users\Admin\AppData\Local\Temp\MSIEE67.tmp
| MD5 | d1f4520539c80392ea62588ac7ae9cd9 |
| SHA1 | 5ab039ead6a8b58099d970f002ea7e47342958bd |
| SHA256 | 178cad1dc2cae7272c8b4157dda657c1e6cf5880a964a28846de0ed7a428d1df |
| SHA512 | cba04e16e3a00b7e9ca208f5599bcced93d43f46461bd85d96cc02abd7d0429fb1a0d5f41c4f3577a425956867922f455792fa0b50818e84619b523dc582df8c |
C:\Users\Admin\AppData\Local\Temp\MSIEEE5.tmp
| MD5 | d28312bfe5f05b1bae9d23c942c5cd74 |
| SHA1 | d7598ad7dd48a298cd362420e06da01a19f1ef83 |
| SHA256 | 4f3e5eefb71f9bd951147dd9c73a0aaa731b35b9a76e79aa76e990dcb7e99e72 |
| SHA512 | d30ad99f36d57070410dfca2a1c807fc09450940db28f80101f8e0f53d6c475653f82c7c40c08f05f1a39fc669945960b20ad4e9129283da93e73bdee81b24ae |
memory/1892-307-0x0000000000400000-0x0000000000904000-memory.dmp
memory/1892-318-0x0000000000400000-0x0000000000904000-memory.dmp