Analysis Overview
SHA256
f9a0935eac4db119d91f378de9a7950535ef9e769a2e927fe542a039ef1032f6
Threat Level: Known bad
The file Εντολή Αγοράς 4010061141.iso was found to be: Known bad.
Malicious Activity Summary
DarkCloud
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-07-24 17:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-24 17:39
Reported
2023-07-24 17:41
Platform
win10v2004-20230703-en
Max time kernel
149s
Max time network
131s
Command Line
Signatures
DarkCloud
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5096 set thread context of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\__T_____.exe
"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"
C:\Users\Admin\AppData\Local\Temp\__T_____.exe
"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-24 17:39
Reported
2023-07-24 17:41
Platform
win7-20230712-en
Max time kernel
147s
Max time network
122s
Command Line
Signatures
DarkCloud
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2776 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | C:\Users\Admin\AppData\Local\Temp\__T_____.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\__T_____.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\__T_____.exe
"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"
C:\Users\Admin\AppData\Local\Temp\__T_____.exe
"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"
C:\Users\Admin\AppData\Local\Temp\__T_____.exe
"C:\Users\Admin\AppData\Local\Temp\__T_____.exe"
Network
Files