Analysis Overview
SHA256
eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1
Threat Level: Likely malicious
The file eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1 was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
UPX packed file
VMProtect packed file
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2023-12-07 15:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-07 15:43
Reported
2023-12-07 15:48
Platform
win7-20231025-en
Max time kernel
121s
Max time network
124s
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
"C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe"
C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp
C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp
Network
| Country | Destination | Domain | Proto |
| CN | 121.26.169.78:6673 | 121.26.169.78 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp
| MD5 | ab4d9ec45b79e2c85a42ad41903c88a9 |
| SHA1 | 60f9a8d8c7f159b8e1f2df26035190c915777abe |
| SHA256 | f858c1818b607224a90b1b26309e8553d4662a1dd42474beacb2bb2851d8c35a |
| SHA512 | c335e7f51a08369f4008290b74320bc0962260eac4c81244d6bddb28fd1512bf995f437487d955c71ba216c0e0aa500f7d01f0745975ca1eb74694d37f820415 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-07 15:43
Reported
2023-12-07 15:48
Platform
win10v2004-20231127-en
Max time kernel
155s
Max time network
144s
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2688 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp |
| PID 2688 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp |
| PID 2688 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe | C:\Users\Admin\AppData\Local\Temp\e585e28.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe
"C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe"
C:\Users\Admin\AppData\Local\Temp\e585e28.tmp
C:\Users\Admin\AppData\Local\Temp\e585e28.tmp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| CN | 121.26.169.78:6673 | 121.26.169.78 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.169.26.121.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\e585e28.tmp
| MD5 | ab4d9ec45b79e2c85a42ad41903c88a9 |
| SHA1 | 60f9a8d8c7f159b8e1f2df26035190c915777abe |
| SHA256 | f858c1818b607224a90b1b26309e8553d4662a1dd42474beacb2bb2851d8c35a |
| SHA512 | c335e7f51a08369f4008290b74320bc0962260eac4c81244d6bddb28fd1512bf995f437487d955c71ba216c0e0aa500f7d01f0745975ca1eb74694d37f820415 |