Analysis Overview
SHA256
f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5
Threat Level: Shows suspicious behavior
The file f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Unexpected DNS network traffic destination
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 19:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 19:23
Reported
2025-07-02 19:25
Platform
win10v2004-20250619-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Syswow64\bab0b0d4 | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\bab0b0d4 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\bab0b0d4 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\bab0b0d4 | N/A |
| File created | C:\Windows\SysWOW64\bab0b0d4 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\bab0b0d4 | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\539da8 | C:\Windows\Syswow64\bab0b0d4 | N/A |
| File opened for modification | C:\Windows\5d68a0 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\bab0b0d4 | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\bab0b0d4 | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\bab0b0d4 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\bab0b0d4 | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\bab0b0d4 | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\bab0b0d4 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\bab0b0d4 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\bab0b0d4 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\bab0b0d4 | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\bab0b0d4 | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\bab0b0d4 | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe
"C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe"
C:\Windows\Syswow64\bab0b0d4
C:\Windows\Syswow64\bab0b0d4
Network
| Country | Destination | Domain | Proto |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | dns.alidns.com | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | dns.alidns.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | down.nugong.asia | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
Files
memory/5456-0-0x0000000000E60000-0x0000000000EC3000-memory.dmp
C:\Windows\SysWOW64\bab0b0d4
| MD5 | ab402dc3a7115f1c44ec2eb5bf2e1650 |
| SHA1 | d56db8ae790137c06201da068d9cf8b4dc988539 |
| SHA256 | 772e1ae9c8487841c1b5d0d7266dc6ac04da5790d18cce1e575bbd6bd8d1c7af |
| SHA512 | c6ec818c378edefaa92278cd91d7560e28795312d79e9a0d328587436028b4eac53fcd70f157cb7dd70396a19b3a2fcce8b68ae180eb0e6cf86bbe8bf363a7f7 |
memory/4884-4-0x0000000000910000-0x0000000000973000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 19:23
Reported
2025-07-02 19:25
Platform
win11-20250610-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Syswow64\15e769f0 | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\15e769f0 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\15e769f0 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\15e769f0 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\15e769f0 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\15e769f0 | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\4b3150 | C:\Windows\Syswow64\15e769f0 | N/A |
| File opened for modification | C:\Windows\44c160 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\15e769f0 | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\15e769f0 | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\15e769f0 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\15e769f0 | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\15e769f0 | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\15e769f0 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\15e769f0 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\15e769f0 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\15e769f0 | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\15e769f0 | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\15e769f0 | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe
"C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe"
C:\Windows\Syswow64\15e769f0
C:\Windows\Syswow64\15e769f0
Network
| Country | Destination | Domain | Proto |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | down.nugong.asia | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | dns.alidns.com | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
Files
memory/4016-0-0x0000000000FE0000-0x0000000001043000-memory.dmp
C:\Windows\SysWOW64\15e769f0
| MD5 | 9673d08a05bac3675be1834efdbfeebb |
| SHA1 | 912472a8d76ed230dad269ed8fd5a9c0bd519413 |
| SHA256 | 83512d3984c065be8dda5d40302972ce491bea302d44524d62fa2b76fae8ace3 |
| SHA512 | 2d52278e95faea46085374fe6b3c908b8d9b42ecceed67c27ca26607becd73843cc684b2997186f490a745ac37f59e7edc28c4d1bfbe3f043f87c3c436555d18 |
memory/4392-4-0x0000000000890000-0x00000000008F3000-memory.dmp