Analysis Overview
SHA256
a9db58e1f44a7fb8dbd4551d33befb2296cbe0d4fd1e4686b0384d4adabc5cf8
Threat Level: Shows suspicious behavior
The submitted file 90b756764ad408cdd3ac6cafb7c1bfb8 (SHA256 above) was classified as: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2023-12-22 12:53
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
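The two static signatures above can be reproduced without the sandbox. VMProtect's default section names are .vmp0, .vmp1 and .vmp2 and its sections are close to maximal entropy; an unsigned PE has an empty Security data directory (entry 4), the slot an embedded Authenticode blob would be referenced from. The following is an added example written for this page, not the sandbox's own rule and not derived from the sample: it walks a PE header with the Python standard library, reports .vmp* section names, per-section entropy and whether a Security directory is present, and builds a small constructed PE32 (build_sample_pe, a hypothetical helper) so the check runs offline.

```python
"""Static checks for the VMProtect and Unsigned-PE signatures, standard library only.
Added example; build_sample_pe() constructs a stand-in binary for offline runs and
is not the sample from this report."""
import hashlib
import math
import struct

SECTION_HEADER_SIZE = 40
SECURITY_DIRECTORY_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; packed or encrypted sections sit near the top."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    # Data directories start at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B).
    dirs = opt + (96 if magic == 0x10B else 112)
    # For the Security entry the "VirtualAddress" field is a file offset to a
    # WIN_CERTIFICATE; (0, 0) means there is no embedded Authenticode blob at all.
    sec_off, sec_size = struct.unpack_from("<II", blob, dirs + 8 * SECURITY_DIRECTORY_INDEX)
    sections = []
    table = opt + size_of_optional
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", blob, table + i * SECTION_HEADER_SIZE)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    return {"sections": sections, "security_dir": (sec_off, sec_size)}


def static_triage(blob: bytes) -> dict:
    """The two questions the static1 signatures answer, made explicit."""
    info = parse_pe(blob)
    vmp = [s["name"] for s in info["sections"] if s["name"].startswith(".vmp")]
    # 7.0 bits/byte over at least 256 bytes is a rule-of-thumb packer threshold.
    dense = [s["name"] for s in info["sections"] if s["entropy"] > 7.0 and s["raw_size"] >= 256]
    return {"vmprotect_sections": vmp, "high_entropy_sections": dense,
            "likely_packed": bool(vmp or dense),
            "has_authenticode_blob": info["security_dir"] != (0, 0)}


def build_sample_pe(vmprotect: bool, signed: bool) -> bytes:
    """Constructed minimal PE32: a low-entropy .text section and, optionally, a
    high-entropy .vmp0 section and a placeholder WIN_CERTIFICATE header."""
    text = bytes(range(16)) * 16                                             # 256 B, 4.0 bits/byte
    vmp = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1 KiB, ~7.8 bits/byte
    secs = [(b".text", text)] + ([(b".vmp0", vmp)] if vmprotect else [])
    raw_ptr, headers, body = 0x200, b"", b""
    for name, data in secs:
        headers += struct.pack("<8sIIII", name, len(data), 0x1000 + raw_ptr, len(data), raw_ptr) + b"\0" * 16
        body, raw_ptr = body + data, raw_ptr + len(data)
    directories = [(0, 0)] * 16
    if signed:
        directories[SECURITY_DIRECTORY_INDEX] = (raw_ptr, 8)   # points at the blob appended below
    optional = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # PE32, 16 directories
    optional += b"".join(struct.pack("<II", off, size) for off, size in directories)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(optional), 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    blob = (dos + b"PE\0\0" + coff + optional + headers).ljust(0x200, b"\0") + body
    if signed:
        blob += struct.pack("<IHH", 8, 0x200, 2)   # dwLength, wRevision, wCertificateType; no real certificate
    return blob


if __name__ == "__main__":
    print(static_triage(build_sample_pe(vmprotect=True, signed=False)))
```

Two caveats a reviewer should keep in mind: VMProtect lets the author rename sections, so the absence of .vmp* names proves nothing and the entropy figure is the more durable signal; and a present Security directory only says a blob is embedded, not that the signature verifies or that the signer is trusted, while catalog-signed operating-system files have no embedded blob at all.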
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 12:52
Reported
2023-12-23 16:03
Platform
win7-20231215-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(13 identical rows in the original; no indicator, process or target recorded)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 2776 (4 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe | C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe
"C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe"
C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe
C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | os.ieycc.com | udp |
Files
memory/3016-0-0x0000000000400000-0x0000000001567000-memory.dmp
memory/3016-1-0x0000000000400000-0x0000000001567000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe
| MD5 | 2d3f65b69bf57e23f27cb3cf549f7e3f |
| SHA1 | 54bffeb759310d5fa08c4054ef02e07ab76cb426 |
| SHA256 | c09160b7f4cc97f76cf159c680364cd6874e799c1a68168a532234c07d8cb868 |
| SHA512 | 510b6145cafa11deea7428b6f30134785825862cc3d620183ebc370a1c679f6f7cb93a3d47c102980e14f8ec9d5775739d812b4790287532ba244b387499e2d3 |
C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe
| MD5 | 44982bcbd3a2451db80c6281c210b8cd |
| SHA1 | 1a0f4f39f033e2d344a99fbc70c64c0b9ccf4005 |
| SHA256 | 151a693bdc7be9d953c138a3fa3ca831a52435086cf38ba1545d4a5295e3903b |
| SHA512 | 6b1140b1ea4ac58f724771d7016641cdf02d6a22269fc6cc54b1589feb873840233648d1e254e32b818d048f3c4b7c088df34e22b36e0f2e26e9b6cbd4fff03b |
\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe
| MD5 | bc066787d7b5c455304233759bd2fb2b |
| SHA1 | 734c31a1b9948c110326bbd41023f74bc0373561 |
| SHA256 | 59f0b9086bb60c3298e115a34b1686bfe4cf046e7d0661e8c6d85ef5a1e59287 |
| SHA512 | cc88084303b78bf309f4de569da0e19058a91f7b4c4d54bb120984b91211df35439c73ea511b0c6b4dcce64a65bb8785dc7f0e79ab3e37d379a7aad27361f30a |
memory/3016-13-0x0000000006D60000-0x0000000007EC7000-memory.dmp
\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe
| MD5 | 4d44c43792556837c7b08e4ceee83cb6 |
| SHA1 | 46e635f2439ca2bdad3bf49e525f1a462f16bc65 |
| SHA256 | 5c2bc92ec2efcb73d5fdc580d84704dd97ecaa5f2d617c85b2708bf43aa31683 |
| SHA512 | 7bc7ef88779d16311275a1eb5fd2010fdb20ba1560146935136f14a4e18f9b774163c52dcf49fced07f3ce3e01025892c292a55b2842538620c99eede9a579fc |
memory/2776-14-0x0000000000400000-0x0000000001567000-memory.dmp
memory/3016-15-0x0000000006D60000-0x0000000007EC7000-memory.dmp
memory/2776-16-0x0000000000400000-0x0000000001567000-memory.dmp
memory/3016-19-0x0000000000400000-0x0000000001567000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe
| MD5 | 7359109ead98380983e77bac5fb4eb5a |
| SHA1 | 2157a844342aeb4c46fb1ec89d34cd8160ea9205 |
| SHA256 | 583b2c7cda8898ea5b664810c91b86ba1b012e098e97b4226db6d8d05825bb33 |
| SHA512 | 0cefd67cc64bbeb97b797bab2d087d28a1d1804aa860bef34fbd00b8540a326c64505d7f429d8f7a1c9011a106495bd0648039bce73fcafeec8354e70d6bfe92 |
\Users\Admin\AppData\Roaming\testing.dat
| MD5 | ef65c95d77b45554b88292633dfe011c |
| SHA1 | 1ed63a17fc2752d2b2c9bec1b5bbad95886916d9 |
| SHA256 | a8b8abfa22fd6785a37e866a416a5d498ffbf16c179fb2face23270ad9d79cbf |
| SHA512 | 2d86826a4f0412b384e354f6dec02f20fc9fc19b63589bd7748bf16eb785233808e7be902161e38beee54b02773434f367acc33293fa3ec9f0afe04547d836fb |
memory/2776-26-0x0000000074860000-0x0000000074B8D000-memory.dmp
memory/2776-31-0x0000000000400000-0x0000000001567000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 12:52
Reported
2023-12-23 16:03
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(10 identical rows in the original; no indicator, process or target recorded)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1476 wrote to memory of 1076 (3 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe | C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe
"C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe"
C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe
C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | os.ieycc.com | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| PH | 23.37.1.217:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| PH | 23.37.1.217:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 217.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.16.110.114:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.16.110.114:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 88.221.134.18:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
Files
memory/1476-0-0x0000000000400000-0x0000000001567000-memory.dmp
memory/1476-1-0x0000000000400000-0x0000000001567000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe
| MD5 | 4174fbfce638df328e2dab0359587ffd |
| SHA1 | 401451b22f6cbba8c8cde28d62b14ab6109631be |
| SHA256 | 66a2d18f1e413d8a05d03a5faec2401001793ae5076fa43366afe1bb8fcd068b |
| SHA512 | 80ea0fd7180202d2bb8855e4953a3b02d4dca33f900e1da33806d98717898ad427a773d3896901b920d370339ad8660c1c3aa362990fd0456d2d8c957c61e1a7 |
C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe
| MD5 | 23dc4d75bd4f4f1e1942742cc70de311 |
| SHA1 | e5118a424792ebd533ffad846d221f9f1a272254 |
| SHA256 | 1283568f754be312fb00929a0ab89b5090a4bcbf45406074c8267f061ba99eb7 |
| SHA512 | c1832b523e353bd9d2969600649027683d2ce9f1b5c237d3402f1e9f3f53b7178f8a58d765a10c8aa91676f957df8a186b056ed13d61019d568faaa22b0f1a80 |
memory/1076-9-0x0000000000400000-0x0000000001567000-memory.dmp
memory/1076-10-0x0000000000400000-0x0000000001567000-memory.dmp
memory/1476-13-0x0000000000400000-0x0000000001567000-memory.dmp
C:\Users\Admin\AppData\Roaming\testing.dat
| MD5 | 6533d39141dc1398e19c1fbc1a36b5d1 |
| SHA1 | 3a2c56f97303f9ab5bb0f7b9adb71bdd468c340e |
| SHA256 | 810e007bfce6c33b979068b5c7af5f8ea67e900f2d484d46c31e3cd290aec475 |
| SHA512 | 56e5affef615f7b256c7e9285bf406772337222c33e79802c05df1fbd44e130b51571b3ddc5b3d95010f93f706874ce4464a53738babfec30d96612b76ded38e |
memory/1076-20-0x0000000072FB0000-0x00000000732DD000-memory.dmp
memory/1076-25-0x0000000000400000-0x0000000001567000-memory.dmp
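Read together, the two behavioral runs above carry more than the signature names say: the parent writes into a child whose image file it wrote to disk moments earlier (the dropped name differs between runs, 1B0D... on win7 and 1E0A... on win10); in behavioral1 that dropped path is recorded five times with five different SHA256 values, so it is written in stages rather than copied once; parent and child both dump the range 0x400000-0x1567000, an image of identical size; and os.ieycc.com is the only name queried in both runs, while everything the win10 run adds is reverse lookups and Microsoft-owned names. The following added example (the editor's code, not the sandbox's signature logic) transcribes those rows into literals, with the Network table reduced to a representative subset, and extracts each of those observations; the OS_NOISE allowlist is an analyst assumption, not something the report states.

```python
"""Triage helpers over the behavioral rows of this report. Added example: the data
literals are transcribed from the tables above (Network is a subset); the functions
are the editor's, not the sandbox's."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PARENT = TEMP + r"\90b756764ad408cdd3ac6cafb7c1bfb8.exe"
CHILD1 = TEMP + r"\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe"   # dropped in behavioral1 (win7)
CHILD2 = TEMP + r"\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe"   # dropped in behavioral2 (win10)

WRITES = [  # WriteProcessMemory rows: (run, source pid, target pid, source image, target image)
    ("behavioral1", 3016, 2776, PARENT, CHILD1),
    ("behavioral2", 1476, 1076, PARENT, CHILD2),
]
FILES = [  # Files rows: (run, path exactly as listed, SHA256); CHILD1[2:] drops the "C:" as the report does
    ("behavioral1", CHILD1, "c09160b7f4cc97f76cf159c680364cd6874e799c1a68168a532234c07d8cb868"),
    ("behavioral1", CHILD1, "151a693bdc7be9d953c138a3fa3ca831a52435086cf38ba1545d4a5295e3903b"),
    ("behavioral1", CHILD1[2:], "59f0b9086bb60c3298e115a34b1686bfe4cf046e7d0661e8c6d85ef5a1e59287"),
    ("behavioral1", CHILD1[2:], "5c2bc92ec2efcb73d5fdc580d84704dd97ecaa5f2d617c85b2708bf43aa31683"),
    ("behavioral1", CHILD1, "583b2c7cda8898ea5b664810c91b86ba1b012e098e97b4226db6d8d05825bb33"),
    ("behavioral1", r"\Users\Admin\AppData\Roaming\testing.dat", "a8b8abfa22fd6785a37e866a416a5d498ffbf16c179fb2face23270ad9d79cbf"),
    ("behavioral2", CHILD2, "66a2d18f1e413d8a05d03a5faec2401001793ae5076fa43366afe1bb8fcd068b"),
    ("behavioral2", CHILD2, "1283568f754be312fb00929a0ab89b5090a4bcbf45406074c8267f061ba99eb7"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\testing.dat", "810e007bfce6c33b979068b5c7af5f8ea67e900f2d484d46c31e3cd290aec475"),
]
DNS = [  # Network rows with a queried name: (run, name); behavioral2 is a subset
    ("behavioral1", "os.ieycc.com"),
    ("behavioral2", "22.177.190.20.in-addr.arpa"), ("behavioral2", "os.ieycc.com"),
    ("behavioral2", "www.microsoft.com"), ("behavioral2", "217.1.37.23.in-addr.arpa"),
    ("behavioral2", "tse1.mm.bing.net"),
]
DUMPS = [  # memory dump names from the Files sections: (run, name)
    ("behavioral1", "memory/3016-0-0x0000000000400000-0x0000000001567000-memory.dmp"),
    ("behavioral1", "memory/3016-13-0x0000000006D60000-0x0000000007EC7000-memory.dmp"),
    ("behavioral1", "memory/2776-14-0x0000000000400000-0x0000000001567000-memory.dmp"),
    ("behavioral1", "memory/2776-26-0x0000000074860000-0x0000000074B8D000-memory.dmp"),
    ("behavioral2", "memory/1476-0-0x0000000000400000-0x0000000001567000-memory.dmp"),
    ("behavioral2", "memory/1076-9-0x0000000000400000-0x0000000001567000-memory.dmp"),
]


def _norm(path: str) -> str:
    """The report lists some paths without the drive letter; compare without it."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def drop_and_inject_chains(writes, files):
    """A parent writing into a child whose image file was itself written during the
    run: 'Executes dropped EXE' and 'Suspicious use of WriteProcessMemory' combined."""
    dropped = {(run, _norm(path)) for run, path, _ in files}
    return [(run, src, dst, dst_img.rsplit("\\", 1)[-1])
            for run, src, dst, _src_img, dst_img in writes
            if (run, _norm(dst_img)) in dropped]


def rewritten_files(files):
    """Paths recorded more than once with different content: written in stages."""
    by_path = defaultdict(set)
    for run, path, sha256 in files:
        by_path[(run, _norm(path))].add(sha256)
    return {key: len(hashes) for key, hashes in by_path.items() if len(hashes) > 1}


REVERSE_ZONE = ".in-addr.arpa"
OS_NOISE = ("microsoft.com", "bing.net")   # analyst allowlist; an assumption, not from the report


def sample_domains(dns):
    """Drop reverse lookups and allowlisted OS names; return what is left per run and
    the names seen in every run that still has any."""
    per_run = defaultdict(set)
    for run, name in dns:
        d = name.lower()
        if d.endswith(REVERSE_ZONE) or any(d == s or d.endswith("." + s) for s in OS_NOISE):
            continue
        per_run[run].add(d)
    common = set.intersection(*per_run.values()) if per_run else set()
    return dict(per_run), common


DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def shared_regions(dumps):
    """Address ranges dumped from more than one PID in the same run: same base and
    size in parent and child."""
    pids = defaultdict(set)
    for run, name in dumps:
        m = DUMP_RE.fullmatch(name)
        if m:
            pids[(run, int(m.group(2), 16), int(m.group(3), 16))].add(int(m.group(1)))
    return {key: sorted(p) for key, p in pids.items() if len(p) > 1}


if __name__ == "__main__":
    print(drop_and_inject_chains(WRITES, FILES))
    print(rewritten_files(FILES))
    print(sample_domains(DNS))
    print(shared_regions(DUMPS))
```

The allowlist is deliberately short: the point is to isolate what the sample itself resolves, and any name that survives both the reverse-lookup filter and the allowlist in every run is the one to pivot on. The shared 0x400000-0x1567000 range says only that both processes map a main image of the same size; whether the child is a modified copy of the parent is a question for the dumps themselves, which this report does not include.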