Analysis Overview
SHA256
ca1fb3d8a70ec2e8baf3e420426c8c5db796df0799c4f94c03f7330c3c4d3cfe
Threat Level: Shows suspicious behavior
The file cp.exe was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
VMProtect packed file
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-23 12:58
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-23 12:58
Reported
2023-12-23 13:04
Platform
win7-20231215-en
Max time kernel
287s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cp.exe
"C:\Users\Admin\AppData\Local\Temp\cp.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1q4.0.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\ProgramData\pinterests\XRJNZC.exe
"C:\ProgramData\pinterests\XRJNZC.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
C:\Windows\system32\taskeng.exe
taskeng.exe {7B9AB9CA-BA82-4030-B161-979CC6A6EF32} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\s1q4.0.bat
C:\ProgramData\pinterests\XRJNZC.exe
\ProgramData\pinterests\XRJNZC.exe
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-23 12:58
Reported
2023-12-23 13:04
Platform
win10v2004-20231215-en
Max time kernel
298s
Max time network
300s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
| N/A | N/A | C:\ProgramData\pinterests\XRJNZC.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cp.exe
"C:\Users\Admin\AppData\Local\Temp\cp.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s154.0.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\ProgramData\pinterests\XRJNZC.exe
"C:\ProgramData\pinterests\XRJNZC.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\s154.0.bat
C:\ProgramData\pinterests\XRJNZC.exe