Analysis Overview
SHA256
b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050
Threat Level: Known bad
The file b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 08:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 08:39
Reported
2024-11-17 08:42
Platform
win7-20240903-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Admin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2420 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | C:\Users\Admin\Admin.exe |
| PID 2420 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | C:\Users\Admin\Admin.exe |
| PID 2420 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | C:\Users\Admin\Admin.exe |
| PID 2420 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe
"C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 206.189.185.75:8000 | ns1.theimageparlour.net | tcp |
Files
memory/2420-0-0x0000000000400000-0x0000000000412000-memory.dmp
\Users\Admin\Admin.exe
| Hash | Value |
|---|---|
| MD5 | 7912283efce30f8bf2ae6d95167eae76 |
| SHA1 | 5239be07e82389e3c9186753dcb3e7d033099122 |
| SHA256 | 4f81ddbe19ed822c77c63aee4dd699d53ab0f377e9aa0c8884b15fe39ddee586 |
| SHA512 | 7435537de31ee01174ee092fa66f3eb66ca6ca196be3ed10c2e33c293de82bb85161f1d067a98eaa8137e79153c79e0326eaca3bf8fa3628dc095759daac5451 |
memory/2420-8-0x0000000003800000-0x0000000003812000-memory.dmp
memory/2420-13-0x0000000003800000-0x0000000003812000-memory.dmp
memory/2420-18-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2420-19-0x0000000003800000-0x0000000003812000-memory.dmp
memory/2388-20-0x0000000000400000-0x0000000000412000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 08:39
Reported
2024-11-17 08:42
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Admin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | C:\Users\Admin\Admin.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Admin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | N/A |
| N/A | N/A | C:\Users\Admin\Admin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2264 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | C:\Users\Admin\Admin.exe |
| PID 2264 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | C:\Users\Admin\Admin.exe |
| PID 2264 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe | C:\Users\Admin\Admin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe
"C:\Users\Admin\AppData\Local\Temp\b7807053f4b63f34fa3dcc2512c4e91e9b9f0be6af2ebdd4beb3ba395582f050.exe"
C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/2264-0-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\Admin.exe
| Hash | Value |
|---|---|
| MD5 | 1da9b5e536f9ca1c3f70da1fd1a5e040 |
| SHA1 | 76a505e91d70abc5a00045ac77ca4cf7ccb95974 |
| SHA256 | 19e504f913103a00edd223e832d76aa921a7bd24a3717c4653bf895a59b4144a |
| SHA512 | a5a9975035ea363ca8938390456a4f99b927d9bb3f80bd2357fd03c46381976f6052a1fcbecfef0ce00cd7553cc59707634ac46c8b9b24c493a1d079a040a790 |
memory/2280-32-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2264-36-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2280-37-0x0000000000400000-0x0000000000412000-memory.dmp