Analysis Overview
SHA256
5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca
Threat Level: Shows suspicious behavior
The file 5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 22:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 22:32
Reported
2025-01-15 22:34
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp |
| PID 1980 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp |
| PID 1980 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp |
| PID 1980 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe
"C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe"
C:\Users\Admin\AppData\Local\Temp\eqsDF86.tmp
"C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe"
Network
| Country | Destination | Domain | Proto |
| MD | 195.93.218.135:80 | tcp | |
| MD | 195.93.218.135:80 | tcp | |
| MD | 195.93.218.135:80 | tcp | |
| MD | 195.93.218.135:80 | tcp | |
| MD | 195.93.218.135:80 | tcp | |
| MD | 195.93.218.135:80 | tcp |
Files
\Users\Admin\AppData\Local\Temp\eqsDF86.tmp
| MD5 | c13a5c9184c5c8b29b4cb3b01c8a8dc2 |
| SHA1 | 689411251ec06a612ec1e55de289b998e8ab8556 |
| SHA256 | c235a11fcde53089ac5e8f19380078ef9fda48e4241bb1dc526fff6c5e384900 |
| SHA512 | 781e19adbf22bdeae7aef600e1a247cf49fdae2fd2a6ac050a3c5bb658d5fe5dd546b4fb92862a972072aa2e4ec7136c23b40e685c0951206b7182e280a18f44 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | b7a1507ec9a90d349a507e34a97f55e1 |
| SHA1 | d71a05fea04cf8ffded9795890fe866e97af69d7 |
| SHA256 | d0bb2fcc1d77335a56167905f937044eff2be4edb38e3455ff55d441399e5b9c |
| SHA512 | 04b29527a549f5666da803acbdbef1478c0b86582f6a2e32e58cbf62f7c72557bd9f4ec57ebdb2db4beedc38f50bd89fda40dfdfe268f0c7017456939367360c |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | af59f8fcc27461a6c9db6cf1c4080da4 |
| SHA1 | cf69515b95e1cf51f70180dc1c4bec61fb69a6bf |
| SHA256 | 6200d4d7cd8a364738431b0b55c710a8769c8a0d9b95e277633738f9d4435f1d |
| SHA512 | 3baca97fd25ed29ceeb7b9d08e1c26ca3f3d1d44b080c83da032554f52ce26b65f6b9e95abbc692029d88beab99323f2c13770cbe21b501e605a003934c8fc97 |
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
| MD5 | 10b2097b668077b2c5a3bcbde969e80a |
| SHA1 | 84758052d41057c888f7835dcba777b1b6b27c9d |
| SHA256 | 13ed3605e87613f5e3c8348a004e1820a80bb48599dfdd58f29b06416e33ea7b |
| SHA512 | 2257dd921d75acd0f1e2df300d2fe10465e8ad3824585eafee2503a0ad6303f52c2c8c7aaed016529f302de744e1774d0d92bc464de6119f39a6fe8e2d58e96c |
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
| MD5 | e7fc2df11aadca90e05a92d8c1952e38 |
| SHA1 | b3801094b0a40f17a3bccac48a8afe20ad39cc52 |
| SHA256 | 52837f524a69be4819a462a2233868dfec4a87fbeb8930b8f35e9e40b4f55f58 |
| SHA512 | 3aec4cdbaab31b0b1c2031674cb952e76c4dfdc033f065a71df4e783f915ee6a21fcbe333317b14a23154d30a4ba4718f8401caf8238fd1bf29a437a0683ef9f |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | 29a849ed36b5394c9a11e83fb6aee2a5 |
| SHA1 | f79c4c95720e34c5217f5e8236936709bcce8acb |
| SHA256 | a73febecd4e30003f5fd690290d31586b8ac7e0ceda4be3f50914ceb5cbd8325 |
| SHA512 | 4e332a377088935f2e0c99d19eeea8901a11b6147434708b688bd8397ccaf75ce987ec7fb8f1ed537e1713b7dcf502adc92ad4b4a8d33e812efad10e49e5e02e |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCX4248.tmp
| MD5 | e51281f5acbc298a898ebf7cd270fad4 |
| SHA1 | aa54f61b89db033d5d6b39cca971f76730aba054 |
| SHA256 | dca3096afaab558ecf91ef35f9d3427f7ed2cbc17341067203b9e3e103045867 |
| SHA512 | bae3e66e0273abc67c174244a6b14468043ac73b013f9d5a3510d615f8de91f5ce76afc3339d4ac7546274cadeb28261ead730791e252bc42623c2d5f218683c |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 22:32
Reported
2025-01-15 22:34
Platform
win10v2004-20241007-en
Max time kernel
105s
Max time network
113s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2860 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp |
| PID 2860 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp |
| PID 2860 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe | C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe
"C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe"
C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp
"C:\Users\Admin\AppData\Local\Temp\5dfb545bfb7906b1808b86209a12b60dfc66b452222024a30612e4b2fa70d4ca.exe"
Network
| Country | Destination | Domain | Proto |
| MD | 195.93.218.135:80 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | tcp | |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| MD | 195.93.218.135:80 | tcp |
Files
memory/2860-0-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eqs8647.tmp
| MD5 | c13a5c9184c5c8b29b4cb3b01c8a8dc2 |
| SHA1 | 689411251ec06a612ec1e55de289b998e8ab8556 |
| SHA256 | c235a11fcde53089ac5e8f19380078ef9fda48e4241bb1dc526fff6c5e384900 |
| SHA512 | 781e19adbf22bdeae7aef600e1a247cf49fdae2fd2a6ac050a3c5bb658d5fe5dd546b4fb92862a972072aa2e4ec7136c23b40e685c0951206b7182e280a18f44 |
C:\Program Files\7-Zip\7z.exe
| MD5 | ca0d363495c01036bede48311f7009a3 |
| SHA1 | eaf18881d6479345cacfa852c885753f45d3bbd4 |
| SHA256 | 23c53734d021e70fd7d228c8eb5c406a15fe2f01c7053fae0acf0526a3d6b4c6 |
| SHA512 | d202baffaf8b05d5dd9b9fc92f964110ade75dc3665396f38b16a88e88ee8f8c115cda8e253a56d88667eaf0fc81a9a6b2a9b63ac80cca76061fd3e4ae28d214 |
C:\Program Files\7-Zip\RCX2BB2.tmp
| MD5 | 31ca51862b31bcf129556d16f467af09 |
| SHA1 | 5a211b99259a8b98aba5b281f57d2dbd6cf3325f |
| SHA256 | c02959bf05c6802755bda953e649cbdb7cdb03ba0a4f458a84e575dcee0e907c |
| SHA512 | ceb6864b90a5f8eb8192f4de5914a3aca6788dbca27d724be07484f18cb4d8c6cf6c5adeac6956d21ad15f695b959d1d6712a2ca876b50e24f4591e6e8b6f47f |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX3A74.tmp
| MD5 | 8235f9a7dee83ae3d73106b9251955e2 |
| SHA1 | b52abb012d8bf8ce8ad295627d04a6426a78eb8d |
| SHA256 | 9bbe361214bfe67297317b49a7b995cc8849a5ac298bbe7a8782c214d82ed1d6 |
| SHA512 | 544a02f19d6f53930979232ac63ed53b749b70ec606e1ed06bd9a0b02cdd1cd0f24968149c265d8198560c8dcc11480b837a20aa489fddc524f28c8b6c119b5c |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe
| MD5 | fe8556f4cd549ca5a9b2811a955a25b9 |
| SHA1 | ff58dd1cfb676668c99e47c06ca1f3967d2057fa |
| SHA256 | 7eab17620ba806eadb500e21c344f7f4af9725b3fe8c1ffe775364f201c5ec56 |
| SHA512 | 4669ef5198396e77a56ffa92a06291cc0b229eb3b49a696a8776a138354addcd9fbefb24de01c0b25f9e4a4157d563fbe17102633283d7eb73f4c5cace2fa940 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX3B04.tmp
| MD5 | 1f75518e4bdc08ad0e5872e6d6fa0a3b |
| SHA1 | 045c2f37078d5bbbcedc98fb554330eace8bbbe9 |
| SHA256 | ccfa1e9e25c36c6d6a9fa8c80a5e794fee8a2d8934bcf6c4f03e663509aa9a2f |
| SHA512 | 74010c987b997df3908577cb0191400b16035d72cf6c51acb5f17f340ffcb1d5f505c315aaff816a1049444133d869720003a1731e8a5f16de04d8cbb283ffdf |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe
| MD5 | 90ef8b52adf2917ed0bf8abcfd634d42 |
| SHA1 | a3e11a32e6531f5f681e5869878290d90dad93c3 |
| SHA256 | 5accb1ac4f3b653192f3e792bbe48cd309e2bd3bab69575219710fc78bd535db |
| SHA512 | 04263c4e70a96e1327d8984708510e71609a82d2f746d9edddcb39a0740c054e1eebee081a4650224860cd414aa389c20f56a963f831abac47094fa29cf21e00 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX3B75.tmp
| MD5 | 53889c85c32108f93022352ea52f0ddd |
| SHA1 | a0f6da80f0a2a2b700a2670e89c3e58a27ea956f |
| SHA256 | b19c6539228d8c64bbec068c8101792ee86e8c38d9488a787aa4cb922e2fc647 |
| SHA512 | 5dfaa70902305b71e2425168850bba293a24bc2bc76f08991e1e2c8fe6f780b2287cb0e312c636bbef578734846f881c94479c151684e55415c4c8529dd8085e |
C:\Program Files (x86)\Google\Update\1.3.36.371\RCX46DD.tmp
| MD5 | c016ef1a86325eaa8e3c7c1d0cbe6a9c |
| SHA1 | 1c0e466ceaae36cc5d24d59e03430a0ca07b6db7 |
| SHA256 | 703e854417e666a42cbf8137637070148dd9c9421b492e5afbcf25405a2a3dd3 |
| SHA512 | 93bdd300a5faaa2e14024719851a08dc341e273b497ec5ac01ab710f422fdb21d6dce0cd9027b3c78d03a80f81db42cca676a6dafd580f264c3940873e026fa7 |
C:\Program Files (x86)\Google\Update\RCX46ED.tmp
| MD5 | 24bd9543a93a1ae90854cd838044cb1a |
| SHA1 | 3fc631dfe58a660159607a13f22697e61004cd29 |
| SHA256 | 71040e6ab05bc9a3ad564a3ce408e16d2099cfa3eda03c20070ff0fc5cd08bda |
| SHA512 | 58802d2d66dd2107af8cc2bcfd2ab1478fb9b4c626bcd3cb34ef9e8e7884ab92921b74f00774b6b3a5d0fa7df0f66eb292de790e1a616a3b7f29b13b330f23dc |
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCX4D41.tmp
| MD5 | 2ee82bf31f8f29f17aa432e16e8a9192 |
| SHA1 | 2b9c59b13c5544f818b34536511aa0e89d7df435 |
| SHA256 | fd3f8155e1151ab0e0d91b9455166d05ee026c6914a66ec259202b4ebac86334 |
| SHA512 | c9dfbdbdcdc6a4b3433f8dcb3415d7d7ec22b2098879ba774e1fca720d609ce78203a7ffd54c047fcfadbfda0a115611f3db7461e00b8173f64e186440baca33 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | 146e2ea79c72a7a3ed817683dd4caec2 |
| SHA1 | 65e6c8acda0e37d6f5ebb23ed8ebdd7f4036df88 |
| SHA256 | 85c934133aa31419574443fea5d6fb9040eb7c626e68f4c28e2d3b912c9327ac |
| SHA512 | 204ecb8fe5f756a334be1a8bb1fc744e6f0099a9387787dfe8b2bce136573d0c735d1d16eda820cd66935e09a1b40182fe4e7f801dbe06047ebf23c447386cbc |
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\RCX4EB0.tmp
| MD5 | d48c649441d44c9f485725404fc8a8bb |
| SHA1 | 0d0706f71a7f0c65eb55e2a9fee4dab3521701c6 |
| SHA256 | 8f4841a90c2b445d149f69afe3721909a0ed75f01293ba4bb8801275971bc90a |
| SHA512 | 41e325d14bd20bbea9e35641058486ad6eccc08161528bcdbd3967224316da236773cded8fdc925efff9d4b9a177176bd2e9350adf9f874c9eca85cad0d0a519 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\RCX4F6F.tmp
| MD5 | 7cf4cb0b4265b22096287e98414b449c |
| SHA1 | 23707d9f3dc80b9b75d6a36768ba3b32d1672466 |
| SHA256 | 20948aaa8787075fbadfc7cb7e59f125f2c78199b490fc46a115278731ef5a31 |
| SHA512 | d307d92c79d77e6839c92d563e020c43da5fdafe7b755ec50c7941dee2f2c97252210b983b3495fef415fa70e4252bad9e74bbf373b6b6ba7ff27634ee6f77cb |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
| MD5 | c09c92686ec523d4e00c3f0a52525bed |
| SHA1 | 729e895352024107f5db3db47c6635b364e00588 |
| SHA256 | 621431277f2ac805291e21385691401f21c2c8fb7858275bcbd8824f76dd18e4 |
| SHA512 | 931184011a40aa82beb887215b09054c0e6ea38918a253cdbd85c6740067be529473638e361104315e04ef9b5c9072822e7a85c8e5fe4a2e9f8c2b90601f8d34 |