Malware Analysis Report

2025-08-11 01:35

Sample ID 231208-pf5eyadd9v
Target d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751
SHA256 d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751
Tags
upx vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751

Threat Level: Shows suspicious behavior

The file d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751 was assessed as: Shows suspicious behavior.

Malicious Activity Summary

upx vmprotect

UPX packed file

VMProtect packed file

Unexpected DNS network traffic destination

Drops file in Windows directory

Unsigned PE

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-08 12:17

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 12:17

Reported

2023-12-08 14:00

Platform

win7-20231025-en

Max time kernel

29s

Max time network

133s

Command Line

C:\Windows\Explorer.EXE

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 114.114.114.114 N/A N/A
Destination IP 114.114.114.114 N/A N/A
Destination IP 114.114.114.114 N/A N/A
Destination IP 223.5.5.5 N/A N/A
Destination IP 114.114.114.114 N/A N/A
Destination IP 114.114.114.114 N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\err_2988.log C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob omitted from report] C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob omitted from report] C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob omitted from report] C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe

"C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 de108ad81976e232.vbnm34567.xyz udp
US 114.114.114.114:53 down.magiforet.cn udp
CN 122.189.171.115:443 down.magiforet.cn tcp
US 8.8.8.8:53 dns.alidns.com udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 114.114.114.114:53 down.hjkl45678.xyz udp
CN 122.246.12.168:443 down.hjkl45678.xyz tcp
CN 122.246.12.168:443 down.hjkl45678.xyz tcp
US 114.114.114.114:53 down.zhangyaping.top udp
CN 223.5.5.5:53 dns.alidns.com udp
US 8.8.8.8:53 down.zhangyaping.top udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 114.114.114.114:53 down.hjkl45678.xyz udp
CN 122.246.12.168:443 down.hjkl45678.xyz tcp
CN 122.246.12.168:443 down.hjkl45678.xyz tcp
US 8.8.8.8:53 f0b526d3a42e13ea.tyui54345.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 8.8.8.8:53 f0b526d3a42e13ea.tyui54345.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 8.8.8.8:53 f0b526d3a42e13ea.tyui54345.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 8.8.8.8:53 f0b526d3a42e13ea.zxcv56745.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 8.8.8.8:53 f0b526d3a42e13ea.zxcv56745.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 8.8.8.8:53 f0b526d3a42e13ea.zxcv56745.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 8.8.8.8:53 yzzcommon.tyui54345.xyz udp
US 114.114.114.114:53 down.nugong.asia udp
CN 118.212.235.109:443 down.nugong.asia tcp
US 8.8.8.8:53 down.nugong.asia udp
CN 42.231.136.87:80 down.nugong.asia tcp
CN 42.231.136.87:80 down.nugong.asia tcp
CN 42.231.136.87:80 down.nugong.asia tcp
CN 118.212.235.109:443 down.nugong.asia tcp
US 8.8.8.8:53 apps.game.qq.com udp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
CN 101.227.134.49:443 apps.game.qq.com tcp
CN 36.143.236.7:80 ocsp.trust-provider.cn tcp
US 104.193.88.77:443 tcp
N/A 234.2.2.2:27878 udp
CN 36.143.236.7:80 ocsp.trust-provider.cn tcp
NL 47.246.48.205:80 tcp
US 104.18.20.226:80 tcp
US 104.18.21.226:80 tcp

Files

memory/2988-0-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar3FE5.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00a9d8018637d69a17ee580c888d107c
SHA1 7d956d925e02cb2f3ac34233f0b7d664208f9f39
SHA256 484fcd0457cfb06e2c6cea0fcbe40c3c45c7b3a15222bdef658005eae686221a
SHA512 560a6866c23d35ef4c5a9d86a7b33ca0ba19be2d1441b2df6654ce1cb9dda1356ce20d876b89724ef72974c52b529a73edb919cc7eef505d74df26e02fa06720

memory/2988-155-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

memory/2988-438-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

memory/1208-644-0x0000000002BB0000-0x0000000002BB3000-memory.dmp

memory/1208-648-0x000007FEBE130000-0x000007FEBE140000-memory.dmp

memory/424-653-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/424-651-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/424-650-0x00000000004B0000-0x00000000004B3000-memory.dmp

memory/1208-646-0x00000000049B0000-0x0000000004A61000-memory.dmp

memory/1208-642-0x0000000002BB0000-0x0000000002BB3000-memory.dmp

memory/2988-661-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

memory/2988-680-0x0000000000AB0000-0x0000000000B3C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9318e0f252d58eb6e35483712efcc717
SHA1 cbd9f799877d7a0e2928dd1aabe3bf77dcd76c72
SHA256 6224316c8a1c5c843cd72c105e932dc473b0540a1ec9939fad784072459fd365
SHA512 80c60d5b22f827bee28b18e6f38f193e3ff8cbb8ffe987a443ffc9376276dd649676f26ae60a23bd32e3e09af639acc770a0449184eb9d2f660fa1bdabfbcb01

memory/1208-696-0x00000000049B0000-0x0000000004A61000-memory.dmp

memory/424-706-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1208-707-0x0000000037C10000-0x0000000037C20000-memory.dmp

memory/1208-709-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1208-715-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/1208-716-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/1208-714-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/1208-713-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/1208-712-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1208-711-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1208-710-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1208-718-0x0000000008DF0000-0x0000000008E9F000-memory.dmp

C:\Windows\Vl6achcxdKN0.sys

MD5 d15f5f23df8036bd5089ce8d151b0e0d
SHA1 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256 f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512 feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

C:\Windows\UpzR0OcX8BVT.sys

MD5 0812322e8108b35fe46f66bd8d718811
SHA1 ce0ee5df291e5793f6331a5deb83fd9e9c7aeeaf
SHA256 2d8493b42c162f70adae5ad3b4bc90eb170ff4152c381e4264ddac2445fe1a31
SHA512 2cbbae3cc31e77c0f15ebb47b1ddd793297eb23f9f77b2d6b1f11142d4370ba419f43c2af25345aa7a4f2113913867be064805a31893466c4913c7119719d271

C:\Windows\bOraNqRSekTk0o.sys

MD5 64bc1983743c584a9ad09dacf12792e5
SHA1 0f14098f523d21f11129c4df09451413ddff6d61
SHA256 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

C:\Windows\KsoKRA5ohW5.sys

MD5 0f1f19828831d42ecef57452a8f68330
SHA1 af1d89ea4f60d300971900af154758b2f891c04e
SHA256 91077a367038e9e8c06258fcb5f3f0b968491a0b09e7aed80e49ec0cf13d27b9
SHA512 dc8d698d4420e5060677cf1f0dce2238c7e7affeb2e92b01e8764a918e4465074cf578836747fe50415db090832cf12c760198241d695ce84e22c5f2145f66dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

MD5 9ba47a279b7950e198b6076171704bd8
SHA1 2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab
SHA256 1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6
SHA512 d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

MD5 9f1184044beca878542f59369e358ce1
SHA1 aa665e3c700c5cfed154bf9c6d4fa906d8c8920a
SHA256 c068c49f32f697284c9054355c0529a61533db82b06bce30ec9b69cae3e782bc
SHA512 b2a30bdd01a903ef6c329d4c33cb5d96b719f0c6ea4d1527989de444c0fcb3b8407cb409c7d54676f3ebee420877b2764e8fa8c6d04a7acb54f799212839e8ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 b3e886f0a26b67c1234b30c755341758
SHA1 8a881fb559672e95834def740fc5ba017879b0db
SHA256 808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f
SHA512 66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 250f18d91164673dbe96fdebcbec1dfb
SHA1 def0663ca96c89f0da5ad38edb9a6a4519c59607
SHA256 cf870106ef5c647b128f819b32ab5c58aab9f2024e7f4df1e26df41ed6e1dde8
SHA512 b9a48a685f4630c2551fb9eebe913acba254fc999c82d0fc041dd788fc24ffb0a3996d52e2e365525878f93963dac1cdaa77bae01034e11b3350ad27562d23ad

memory/1208-835-0x0000000008DF0000-0x0000000008E9F000-memory.dmp

memory/1208-834-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1172-852-0x0000000000160000-0x0000000000163000-memory.dmp

memory/1208-856-0x0000000008EA0000-0x0000000008EA4000-memory.dmp

memory/1172-861-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1172-860-0x0000000002060000-0x000000000210F000-memory.dmp

memory/1208-859-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/1208-858-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1208-857-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1208-855-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/1172-854-0x0000000000160000-0x0000000000163000-memory.dmp

memory/1208-853-0x00000000004C0000-0x00000000004E8000-memory.dmp

memory/1172-848-0x0000000000160000-0x0000000000163000-memory.dmp

memory/1172-842-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1172-840-0x0000000001FB0000-0x000000000205A000-memory.dmp

memory/1208-839-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/1208-862-0x0000000008DF0000-0x0000000008E9F000-memory.dmp

memory/1208-863-0x0000000008DF0000-0x0000000008E9F000-memory.dmp

memory/1172-864-0x0000000002060000-0x000000000210F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 12:17

Reported

2023-12-08 14:00

Platform

win10v2004-20231201-en

Max time kernel

132s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 114.114.114.114 N/A N/A
Destination IP 114.114.114.114 N/A N/A
Destination IP 114.114.114.114 N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\err_1748.log C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe

"C:\Users\Admin\AppData\Local\Temp\d2d552ab9a59639314515b7f868c311566ffb0c687f56a95365b68d7da363751.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 de108ad81976e232.vbnm34567.xyz udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 114.114.114.114:53 down.magiforet.cn udp
CN 122.189.171.115:443 down.magiforet.cn tcp
US 8.8.8.8:53 114.114.114.114.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 20.114.59.183:443 tcp
CN 122.246.12.168:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 20.114.59.183:443 tcp
US 8.8.8.8:53 down.zhangyaping.top udp
CN 223.5.5.5:443 tcp
CN 223.5.5.5:80 223.5.5.5 tcp
US 114.114.114.114:53 down.hjkl45678.xyz udp
CN 122.246.12.168:443 down.hjkl45678.xyz tcp
US 8.8.8.8:53 f0b526d3a42e13ea.tyui54345.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 223.5.5.5 tcp
CN 223.5.5.5:80 223.5.5.5 tcp
US 8.8.8.8:53 f0b526d3a42e13ea.tyui54345.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 223.5.5.5 tcp
CN 223.5.5.5:80 223.5.5.5 tcp
US 8.8.8.8:53 f0b526d3a42e13ea.tyui54345.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 223.5.5.5 tcp
CN 223.5.5.5:80 223.5.5.5 tcp
US 8.8.8.8:53 f0b526d3a42e13ea.zxcv56745.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 223.5.5.5 tcp
CN 223.5.5.5:80 223.5.5.5 tcp
US 8.8.8.8:53 f0b526d3a42e13ea.zxcv56745.xyz udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 223.5.5.5 tcp
CN 223.5.5.5:80 223.5.5.5 tcp
US 8.8.8.8:53 f0b526d3a42e13ea.zxcv56745.xyz udp
CN 223.5.5.5:443 dns.alidns.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 223.5.5.5 tcp
CN 223.5.5.5:80 223.5.5.5 tcp
US 8.8.8.8:53 yzzcommon.tyui54345.xyz udp
US 114.114.114.114:53 down.nugong.asia udp
CN 118.212.235.231:443 down.nugong.asia tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 udp
CN 223.5.5.5:443 tcp
US 8.8.8.8:53 udp
N/A 104.18.20.226:80 tcp
US 8.8.8.8:53 udp
N/A 104.18.20.226:80 tcp
US 114.114.114.114:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 20.114.59.183:443 tcp
US 8.8.8.8:53 udp
N/A 88.221.135.217:80 tcp
US 8.8.8.8:53 udp
US 114.114.114.114:53 udp
CN 223.5.5.5:53 udp
CN 223.5.5.5:443 tcp
CN 223.5.5.5:80 tcp
US 8.8.8.8:53 udp
N/A 96.17.178.194:80 tcp
N/A 96.17.178.194:80 tcp
US 8.8.8.8:53 udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 110.249.196.101:443 down.nugong.asia tcp

Files

memory/1748-0-0x0000000000AE0000-0x0000000000B6C000-memory.dmp

memory/1748-3-0x0000000000AE0000-0x0000000000B6C000-memory.dmp

memory/1748-19-0x0000000000AE0000-0x0000000000B6C000-memory.dmp

memory/1748-20-0x0000000000AE0000-0x0000000000B6C000-memory.dmp

memory/1748-24-0x0000000000AE0000-0x0000000000B6C000-memory.dmp

memory/1748-26-0x0000000000AE0000-0x0000000000B6C000-memory.dmp