Analysis Overview
SHA256
15e754f88922421d4f8b12b2061459d822ba3fe00575fbac53d4707b80a1d211
Threat Level: Shows suspicious behavior
The file OPAutoClickerMac.zip was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 00:44
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 00:44
Reported
2023-12-22 00:47
Platform
win10-20231220-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOLUTION.EXE | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FantaUD.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\FantaUD.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FantaUD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FantaUD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FantaUD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FantaUD.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 96 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\FantaUD.exe | C:\Users\Admin\AppData\Local\Temp\SOLUTION.EXE |
| PID 96 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\FantaUD.exe | C:\Users\Admin\AppData\Local\Temp\SOLUTION.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\FantaUD.exe
"C:\Users\Admin\AppData\Local\Temp\FantaUD.exe"
C:\Users\Admin\AppData\Local\Temp\SOLUTION.EXE
"C:\Users\Admin\AppData\Local\Temp\SOLUTION.EXE"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 96 -s 1096
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.189.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\SOLUTION.EXE
| Hash | Value |
|---|---|
| MD5 | e226e3451f34e5c86837bc08f3733a35 |
| SHA1 | a745bba5ff6bb093056954ed720289dc257a57f9 |
| SHA256 | 8fb2681dc379493786be8d2191c7d9b06c50995d81de0f6d80767a239e003edb |
| SHA512 | fa57d8541c6856eee8faaf475ab54adb969013d88515705668e4567df6d2182fdffa45dbc5212c11b52e13b74d4aaaddf3c7605378d3cc959589cca51dec7738 |