Analysis Overview
SHA256
ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc
Threat Level: Shows suspicious behavior
The file ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Unexpected DNS network traffic destination
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 19:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 19:23
Reported
2025-07-02 19:25
Platform
win10v2004-20250619-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Syswow64\72b4bc7f | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\72b4bc7f | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\72b4bc7f | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\72b4bc7f | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\72b4bc7f | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\72b4bc7f | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\1687c8 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| File opened for modification | C:\Windows\e09e8 | C:\Windows\Syswow64\72b4bc7f | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\72b4bc7f | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\72b4bc7f | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\72b4bc7f | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\72b4bc7f | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\72b4bc7f | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\72b4bc7f | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\72b4bc7f | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\72b4bc7f | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\72b4bc7f | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\72b4bc7f | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\72b4bc7f | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe
"C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe"
C:\Windows\Syswow64\72b4bc7f
C:\Windows\Syswow64\72b4bc7f
Network
| Country | Destination | Domain | Proto |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| CN | 223.5.5.5:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | dns.alidns.com | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | dns.alidns.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | down.nugong.asia | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
Files
memory/1316-0-0x00000000002B0000-0x0000000000313000-memory.dmp
C:\Windows\SysWOW64\72b4bc7f
| MD5 | 9cdcb7a81c6dd143b0d4b02d5775185a |
| SHA1 | b6393d9c5fca4fd34f7d035455f9b3490b69ab06 |
| SHA256 | 926395a47b117aee972442835c2b3fb447d51ce7a0f7659f6f38f98f3da4ca0d |
| SHA512 | 76b46093f2e279c34d71d5985adb1d53e4e0188b1714701c7d54094ab57aa87a3d47a8c9a15c136c2c3e13f8f0687c7420cd5647a4c05be43776c1e754bd19ec |
memory/820-4-0x00000000000A0000-0x0000000000103000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 19:23
Reported
2025-07-02 19:25
Platform
win11-20250610-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Syswow64\fda805ec | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\fda805ec | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\fda805ec | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\fda805ec | N/A |
| File created | C:\Windows\SysWOW64\fda805ec | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\fda805ec | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\16bc60 | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| File opened for modification | C:\Windows\1c13d0 | C:\Windows\Syswow64\fda805ec | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\fda805ec | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\fda805ec | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\fda805ec | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\fda805ec | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\fda805ec | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\fda805ec | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\fda805ec | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\fda805ec | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\fda805ec | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\fda805ec | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\fda805ec | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe
"C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe"
C:\Windows\Syswow64\fda805ec
C:\Windows\Syswow64\fda805ec
Network
| Country | Destination | Domain | Proto |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | dns.alidns.com | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | dns.alidns.com | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
Files
memory/1328-0-0x0000000000F80000-0x0000000000FE3000-memory.dmp
C:\Windows\SysWOW64\fda805ec
| MD5 | e60e376ca2282fcde714c066fb6e5ddc |
| SHA1 | 6ee845e09584de80f2bac607ebf3bf52fea5e004 |
| SHA256 | 6c5d507b682811e018c15476f5de916484aa664ffd654ffada0f5aa59d316303 |
| SHA512 | 23ebb57fe2931f7581c0fb0017a8342e67fed901ba54d6866101f40b6d9553ccd349ac71151f316000c9609d9a43155dc969b830987d98ec676594fb50b50454 |
memory/1640-4-0x0000000000410000-0x0000000000473000-memory.dmp