Analysis Overview
SHA256
391d0faf57a230b6e47debe38a9d2ba2a794b29713468e1a8c9917d79b8b636d
Threat Level: Known bad
The file 391d0faf57a230b6e47debe38a9d2ba2a794b29713468e1a8c9917d79b8b636d.exe was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with ASPack
Detects executables containing base64 encoded User Agent
ASPack v2.12-2.42
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 05:25
Signatures
Detects executables packed with ASPack
ASPack v2.12-2.42
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 05:25
Reported
2024-02-29 05:29
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Signatures
Detects executables containing base64 encoded User Agent
Detects executables packed with ASPack
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391d0faf57a230b6e47debe38a9d2ba2a794b29713468e1a8c9917d79b8b636d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\391d0faf57a230b6e47debe38a9d2ba2a794b29713468e1a8c9917d79b8b636d.exe
"C:\Users\Admin\AppData\Local\Temp\391d0faf57a230b6e47debe38a9d2ba2a794b29713468e1a8c9917d79b8b636d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ad.qqfarmer.com.cn | udp |
| US | 8.8.8.8:53 | bakad.qqfarmer.com.cn | udp |
| HK | 8.210.224.3:80 | ad.qqfarmer.com.cn | tcp |
| US | 8.8.8.8:53 | images.qqfarmer.com.cn | udp |
| US | 8.8.8.8:53 | down.qqfarmer.com.cn | udp |
| CN | 122.228.223.239:80 | down.qqfarmer.com.cn | tcp |
| CN | 122.228.223.240:80 | down.qqfarmer.com.cn | tcp |
| US | 8.8.8.8:53 | dl.qqfarmer.com.cn | udp |
| CN | 116.255.160.63:80 | dl.qqfarmer.com.cn | tcp |
| CN | 122.228.223.239:80 | images.qqfarmer.com.cn | tcp |
Files
C:\Users\Admin\Documents\QQ农牧助手\user.dat.tmp
| MD5 | 00940ce8647b7a15a268e8906357ca95 |
| SHA1 | f727ced79c297afdfe06f2246e5de4903efb4e42 |
| SHA256 | f3217f4610602d9092916b945759283f2dd1178465a33a8d6c687022ea5eadc8 |
| SHA512 | 1e23c0f0f9b8cf5f00fac38cb6b0151b5a8a3956fdb4b127529b052be18e1e732f7964e2bcfa8c43c4eab86f43f1063c0a5fbc2fa2631ed6d1a1328cff7f51ea |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 05:25
Reported
2024-02-29 05:29
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Signatures
Detects executables containing base64 encoded User Agent
Detects executables packed with ASPack
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391d0faf57a230b6e47debe38a9d2ba2a794b29713468e1a8c9917d79b8b636d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\391d0faf57a230b6e47debe38a9d2ba2a794b29713468e1a8c9917d79b8b636d.exe
"C:\Users\Admin\AppData\Local\Temp\391d0faf57a230b6e47debe38a9d2ba2a794b29713468e1a8c9917d79b8b636d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ad.qqfarmer.com.cn | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bakad.qqfarmer.com.cn | udp |
| HK | 8.210.224.3:80 | ad.qqfarmer.com.cn | tcp |
| US | 8.8.8.8:53 | 3.224.210.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | images.qqfarmer.com.cn | udp |
| US | 8.8.8.8:53 | down.qqfarmer.com.cn | udp |
| CN | 122.228.223.240:80 | down.qqfarmer.com.cn | tcp |
| CN | 122.228.223.239:80 | down.qqfarmer.com.cn | tcp |
| US | 8.8.8.8:53 | dl.qqfarmer.com.cn | udp |
| CN | 116.255.160.63:80 | dl.qqfarmer.com.cn | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| CN | 122.228.223.239:80 | images.qqfarmer.com.cn | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\Documents\QQ农牧助手\user.dat.tmp
| MD5 | 75b56e4254ef0eea585a2e9e620f5848 |
| SHA1 | 0e63061b0246a14abdc42a5a5c39f25d6e9d7a4c |
| SHA256 | 0e92c131522318241a8fa3dd0ec709e93d2a8a2f9eecb10a741487f9161aa03b |
| SHA512 | 52d3b121d1100f84cf2392050b28f091f385e7f564f18c874135350681fd1560f832dcf11a0ea2d5d93a9736f2ec216df94e4e1313058fda6a4e8727eb1de4aa |