Analysis Overview
SHA256
d42a6979a45d16942740664f324dc160f3371ef5176d2839722f79dd4ada75fe
Threat Level: Shows suspicious behavior
The file 12x.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Adds Run key to start application
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of UnmapMainImage
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 14:37
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 14:37
Reported
2024-05-20 14:40
Platform
win7-20240221-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe
"C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe"
Network
| Country | Destination | Domain | Proto |
| CN | 121.22.5.220:6666 | tcp | |
| CN | 121.22.5.220:6666 | tcp | |
| CN | 121.22.5.220:6666 | tcp | |
| CN | 121.22.5.220:6666 | tcp | |
| CN | 121.22.5.220:6666 | tcp | |
| CN | 121.22.5.220:6666 | tcp |
Files
memory/2168-0-0x000000013FA30000-0x000000013FD25000-memory.dmp
memory/2168-2-0x000000013FA30000-0x000000013FD25000-memory.dmp
memory/1196-4-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/1196-3-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/2168-1-0x000000013FA30000-0x000000013FD25000-memory.dmp
memory/2168-6-0x000000013FA30000-0x000000013FD25000-memory.dmp
memory/2168-5-0x000000013FA39000-0x000000013FAF4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 14:37
Reported
2024-05-20 14:40
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4904 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe
"C:\Users\Admin\AppData\Local\Temp\setup阅览6056.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| CN | 121.22.5.220:6666 | tcp | |
| CN | 121.22.5.220:6666 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| CN | 121.22.5.220:6666 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| CN | 121.22.5.220:6666 | tcp | |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| CN | 121.22.5.220:6666 | tcp | |
| CN | 121.22.5.220:6666 | tcp | |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/4904-0-0x00007FF632040000-0x00007FF632335000-memory.dmp
memory/4904-1-0x00007FF632040000-0x00007FF632335000-memory.dmp
memory/4904-2-0x00007FF632040000-0x00007FF632335000-memory.dmp
memory/3396-6-0x0000000003020000-0x0000000003021000-memory.dmp
memory/4904-5-0x00007FF632040000-0x00007FF632335000-memory.dmp
memory/4904-4-0x00007FF632049000-0x00007FF632104000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-20 14:37
Reported
2024-05-20 14:40
Platform
win7-20240220-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\snxcsnic\\1716216027.lnk" | C:\Windows\Explorer.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Q: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Explorer.EXE | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\表格32116.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | C:\Windows\Explorer.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\表格32116.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\表格32116.exe
"C:\Users\Admin\AppData\Local\Temp\表格32116.exe"
Network
| Country | Destination | Domain | Proto |
| HK | 154.82.92.23:6666 | tcp | |
| HK | 154.82.92.23:6666 | tcp | |
| CN | 8.134.187.253:80 | tcp | |
| CN | 8.134.187.253:80 | tcp | |
| CN | 8.134.187.253:80 | tcp | |
| CN | 8.134.187.253:80 | tcp | |
| CN | 8.134.187.253:80 | tcp | |
| CN | 8.134.187.253:80 | tcp |
Files
memory/3040-0-0x000000013FCC0000-0x000000013FFC2000-memory.dmp
memory/3040-1-0x000000013FCC0000-0x000000013FFC2000-memory.dmp
memory/3040-7-0x0000000000390000-0x000000000044F000-memory.dmp
memory/3040-6-0x000000013FCCC000-0x000000013FD87000-memory.dmp
memory/3040-5-0x000000013FCC0000-0x000000013FFC2000-memory.dmp
memory/1192-4-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/1192-3-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/3040-2-0x000000013FCC0000-0x000000013FFC2000-memory.dmp
memory/1192-8-0x0000000004C20000-0x0000000004C9E000-memory.dmp
memory/1192-9-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-13-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-12-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-11-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-10-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-15-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-14-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-17-0x0000000180000000-0x000000018008D000-memory.dmp
memory/1192-16-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-25-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-27-0x0000000180000000-0x00000001800BD000-memory.dmp
memory/1192-33-0x00000000052C0000-0x000000000531E000-memory.dmp
memory/1192-34-0x0000000007220000-0x00000000072A9000-memory.dmp
memory/1192-40-0x00000000097A0000-0x0000000009814000-memory.dmp
memory/1192-49-0x00000000052C0000-0x000000000531E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-20 14:37
Reported
2024-05-20 14:40
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\laashmxh\\1716215920.lnk" | C:\Windows\Explorer.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Explorer.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Explorer.EXE | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\表格32116.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | C:\Windows\Explorer.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4508 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\表格32116.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\表格32116.exe
"C:\Users\Admin\AppData\Local\Temp\表格32116.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| HK | 154.82.92.23:6666 | tcp | |
| US | 8.8.8.8:53 | 23.92.82.154.in-addr.arpa | udp |
| HK | 154.82.92.23:6666 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| CN | 8.134.187.253:80 | tcp | |
| CN | 8.134.187.253:80 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| CN | 8.134.187.253:80 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4508-0-0x00007FF68F280000-0x00007FF68F582000-memory.dmp
memory/4508-1-0x00007FF68F280000-0x00007FF68F582000-memory.dmp
memory/3548-3-0x0000000003280000-0x0000000003281000-memory.dmp
memory/4508-5-0x00007FF68F280000-0x00007FF68F582000-memory.dmp
memory/4508-6-0x00007FF68F280000-0x00007FF68F582000-memory.dmp
memory/4508-4-0x00007FF68F28C000-0x00007FF68F347000-memory.dmp
memory/4508-2-0x00007FF68F280000-0x00007FF68F582000-memory.dmp
memory/4508-7-0x00007FF68F28C000-0x00007FF68F347000-memory.dmp
memory/3548-9-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-10-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-13-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-12-0x0000000009230000-0x00000000092AE000-memory.dmp
memory/3548-11-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-8-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-15-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-14-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-16-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-17-0x0000000180000000-0x000000018008D000-memory.dmp
memory/3548-25-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-28-0x0000000180000000-0x00000001800BD000-memory.dmp
memory/3548-33-0x00000000092B0000-0x000000000930E000-memory.dmp
memory/3548-35-0x000000000B060000-0x000000000B0E9000-memory.dmp
memory/3548-40-0x000000000B0F0000-0x000000000B164000-memory.dmp
memory/3548-49-0x00000000092B0000-0x000000000930E000-memory.dmp