Analysis Overview
SHA256
dd28aadece5caef4540595c8502ab9ed1a7c48062fc744c3b69e5c2e7804b08d
Threat Level: Known bad
The file ab69d6548ccd94133e98d0969a8e50af.bin was found to be: Known bad.
Malicious Activity Summary
DarkCloud
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-05-05 18:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-05 18:55
Reported
2023-05-05 19:46
Platform
win10v2004-20230220-en
Max time kernel
181s
Max time network
189s
Command Line
Signatures
DarkCloud
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4484 set thread context of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe | C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe
"C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe"
C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe
"C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-05 18:55
Reported
2023-05-05 19:46
Platform
win7-20230220-en
Max time kernel
106s
Max time network
33s
Command Line
Signatures
DarkCloud
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1076 set thread context of 528 | N/A | C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe | C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe
"C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe"
C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe
"C:\Users\Admin\AppData\Local\Temp\e8494ad45492e71aa36941a772d0697db87bda82a91f16e69916ad9a4642042d.exe"
Network
Files