Analysis Overview
SHA256
b3cbb74a4236bd44bb4bdc9d3ce5515a52abb470804de9949818d5d4989cacc5
Threat Level: Likely malicious
The file cOOla_unban.exe was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-21 23:24
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-21 23:24
Reported
2023-12-21 23:27
Platform
win10v2004-20231215-en
Max time kernel
139s
Max time network
164s
Command Line
Signatures
Stops running service(s)
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe
"C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 2.19.169.32:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:62731 | tcp | |
| N/A | 127.0.0.1:62733 | tcp | |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:62746 | tcp | |
| N/A | 127.0.0.1:62748 | tcp | |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:62754 | tcp | |
| N/A | 127.0.0.1:62756 | tcp | |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| US | 92.123.128.161:443 | www.bing.com | tcp |
| GB | 2.20.38.10:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 161.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.38.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/3752-0-0x00007FF668E20000-0x00007FF6697C9000-memory.dmp
memory/3752-2-0x00007FF9E30F0000-0x00007FF9E30F2000-memory.dmp
memory/3752-3-0x00007FF9E3100000-0x00007FF9E3102000-memory.dmp
memory/3752-4-0x00007FF668E20000-0x00007FF6697C9000-memory.dmp
memory/3752-8-0x00007FF668E20000-0x00007FF6697C9000-memory.dmp
memory/2688-9-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-10-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-11-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-15-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-16-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-17-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-18-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-19-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-20-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp
memory/2688-21-0x0000017E49CC0000-0x0000017E49CC1000-memory.dmp