Analysis Overview
SHA256
e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7
Threat Level: Likely malicious
The file e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
VMProtect packed file
Modifies file permissions
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 22:18
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 22:18
Reported
2024-05-21 22:21
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2236 set thread context of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe
"C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c icacls C:\Windows\apppatch\svchost.sdb /grant everyone:(F,GA) SYSTEM:(F,GA) administrators:(F,GA) users:(F,GA) /q /c
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib C:\Windows\AppPatch\svchost.sdb -r -s -h
C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\AppPatch\svchost.sdb -r -s -h
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\apppatch\svchost.sdb /grant everyone:(F,GA) SYSTEM:(F,GA) administrators:(F,GA) users:(F,GA) /q /c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 123456666.oss-cn-beijing.aliyuncs.com | udp |
| CN | 39.97.203.75:80 | 123456666.oss-cn-beijing.aliyuncs.com | tcp |
Files
memory/2236-0-0x0000000000400000-0x00000000009EA000-memory.dmp
memory/2236-1-0x0000000000400000-0x00000000009EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ISocket.dll
| MD5 | 6db6dcfe126984a341cecfc5be783f48 |
| SHA1 | 98309871ad417694bafd93d44eb71180b79cdd45 |
| SHA256 | 8adf02829208ea32bdb377e8fccfd106393611e9425d980ce39a8dac17150dac |
| SHA512 | d4848676f2eb202ccc8f56f8389c53db0335f0ccc99ec4481e1c9978c2664519a0ffad0e8b53cc0bb56ae7ddf1cd041e225200b807a5808027c863d8094fcdc3 |
memory/2496-8-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2496-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2496-28-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2496-24-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2496-21-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2496-18-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2496-12-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2496-10-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2496-15-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2236-31-0x0000000000400000-0x00000000009EA000-memory.dmp
memory/2236-32-0x0000000000400000-0x00000000009EA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 22:18
Reported
2024-05-21 22:21
Platform
win10v2004-20240508-en
Max time kernel
136s
Max time network
152s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2816 set thread context of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe
"C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c icacls C:\Windows\apppatch\svchost.sdb /grant everyone:(F,GA) SYSTEM:(F,GA) administrators:(F,GA) users:(F,GA) /q /c
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib C:\Windows\AppPatch\svchost.sdb -r -s -h
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\apppatch\svchost.sdb /grant everyone:(F,GA) SYSTEM:(F,GA) administrators:(F,GA) users:(F,GA) /q /c
C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\AppPatch\svchost.sdb -r -s -h
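The process trees of behavioral1 and behavioral2 show the same two-step chain against one file: a cmd.exe child runs icacls to grant Everyone and Users full control on C:\Windows\apppatch\svchost.sdb, then attrib strips the read-only, system and hidden bits from it. Two details worth checking before writing a rule: the command lines name C:\Windows\System32\cmd.exe but the images run from SysWOW64, which is what WoW64 file-system redirection does when a 32-bit parent spawns cmd.exe, so match on the image path rather than the quoted path; and each step appears twice (once as the cmd.exe wrapper, once as the icacls/attrib child), so findings have to be deduplicated per target path. The following detector is an added example, not part of the sandbox report or of the sample; the ProcEvent records are constructed from the process lists above, and the `analyse_event`/`tampering_chains` names are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: image path and raw command line."""
    image: str
    cmdline: str


# Sample input constructed from the Processes lists in this report (behavioral1 and behavioral2
# show the same command lines; only PIDs differ).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\e159aaea28574589bee595db112f498a582a90e41bbe874f43e49ce06eafa3b7.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c icacls C:\Windows\apppatch\svchost.sdb /grant everyone:(F,GA) SYSTEM:(F,GA) administrators:(F,GA) users:(F,GA) /q /c'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c attrib C:\Windows\AppPatch\svchost.sdb -r -s -h'),
    ProcEvent(r"C:\Windows\SysWOW64\attrib.exe", r"attrib C:\Windows\AppPatch\svchost.sdb -r -s -h"),
    ProcEvent(r"C:\Windows\SysWOW64\icacls.exe",
              r"icacls C:\Windows\apppatch\svchost.sdb /grant everyone:(F,GA) SYSTEM:(F,GA) administrators:(F,GA) users:(F,GA) /q /c"),
]

WINDOWS_DIR = "c:\\windows\\"
# Principals that make a grant effectively world-writable. Names are locale-dependent,
# the well-known SIDs (icacls accepts them with a leading '*') are not.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "*s-1-1-0", "*s-1-5-32-545", "*s-1-5-11"}
# icacls rights that let the file be rewritten.
WRITE_RIGHTS = {"f", "ga", "m", "w", "gw"}


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _unwrap_cmd(tokens):
    """For 'cmd.exe /c <command>' (or /k) return <command>'s tokens; [] if there is no inner command."""
    lowered = [t.lower() for t in tokens]
    for flag in ("/c", "/k"):
        if flag in lowered:
            return tokens[lowered.index(flag) + 1:]
    return []


def _analyse_icacls(args):
    """Flag 'icacls <file in the Windows directory> /grant <broad principal>:(<write right>)'."""
    out = []
    if len(args) < 2 or not args[1].lower().startswith(WINDOWS_DIR):
        return out
    if not any(a.lower().startswith("/grant") for a in args):
        return out
    path = args[1]
    for a in args[2:]:
        m = re.fullmatch(r"([^:]+):\((.*)\)", a)      # principal:(RIGHT,RIGHT)
        if not m:
            continue
        principal = m.group(1).lower()
        rights = {r.strip().lower() for r in m.group(2).split(",")}
        if principal in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            out.append(("acl_grant", path, f"{principal}:({m.group(2)})"))
    return out


def _analyse_attrib(args):
    """Flag 'attrib <file in the Windows directory> -s -h' (system and hidden bits cleared)."""
    path = next((a for a in args[1:] if a[:1] not in "+-/"), None)
    cleared = {a.lower() for a in args[1:] if a.startswith("-")}
    if path and path.lower().startswith(WINDOWS_DIR) and {"-s", "-h"} <= cleared:
        return [("attrib_clear", path, " ".join(sorted(cleared)))]
    return []


def analyse_event(ev):
    """Return (kind, path, detail) findings for one process record."""
    tokens = _tokens(ev.cmdline)
    if not tokens:
        return []
    exe = ntpath.basename(tokens[0]).lower()
    if exe == "cmd.exe":                     # look through the cmd /c wrapper
        tokens = _unwrap_cmd(tokens)
        if not tokens:
            return []
        exe = ntpath.basename(tokens[0]).lower()
    if exe in ("icacls", "icacls.exe"):
        return _analyse_icacls(tokens)
    if exe in ("attrib", "attrib.exe"):
        return _analyse_attrib(tokens)
    return []


def find_tampered_files(events):
    """Group finding kinds by case-folded path so wrapper and child report the same file once."""
    by_path = {}
    for ev in events:
        for kind, path, _detail in analyse_event(ev):
            by_path.setdefault(path.lower(), set()).add(kind)
    return by_path


def tampering_chains(events):
    """Paths that were both made world-writable and un-hidden: the chain seen in this report."""
    return sorted(p for p, kinds in find_tampered_files(events).items()
                  if {"acl_grant", "attrib_clear"} <= kinds)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in analyse_event(ev):
            print(finding)
    print("chains:", tampering_chains(SAMPLE_EVENTS))
```

Run against the sample records it reports two acl_grant findings (everyone and users) and one attrib_clear, all on the same .sdb file, and `tampering_chains` returns that one path. A custom shim database under AppPatch is the usual footprint of application-shimming persistence; note that this report shows only the file's ACL and attributes being changed, not the file being written, so a rule built from it should fire on the chain rather than on the existence of the file.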
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 123456666.oss-cn-beijing.aliyuncs.com | udp |
| CN | 39.97.203.75:80 | 123456666.oss-cn-beijing.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
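The Network tables of behavioral1 and behavioral2 carry one destination that the sample itself accounts for, a DNS lookup and a plain-HTTP connection to 123456666.oss-cn-beijing.aliyuncs.com (39.97.203.75:80), surrounded in the Windows 10 run by background traffic the sandbox OS generates on its own (Bing hosts and the PTR lookups for their addresses). Alibaba Cloud OSS endpoints have the form <bucket>.oss-<region>.aliyuncs.com, so the bucket name and region can be read straight off the hostname. The triage routine below is an added example, not part of the report; the rows are constructed from the behavioral2 table, and the noise suffix list is this example's assumption about what this sandbox image contacts by itself, which in a production environment would be replaced by a maintained allowlist.

```python
import re

# Rows constructed from the behavioral2 Network table of this report (country|ip:port|domain|proto).
SAMPLE_ROWS = """\
US|8.8.8.8:53|123456666.oss-cn-beijing.aliyuncs.com|udp
CN|39.97.203.75:80|123456666.oss-cn-beijing.aliyuncs.com|tcp
US|8.8.8.8:53|217.106.137.52.in-addr.arpa|udp
US|8.8.8.8:53|g.bing.com|udp
US|204.79.197.237:443|g.bing.com|tcp
NL|23.62.61.72:443|www.bing.com|tcp
US|8.8.8.8:53|tse1.mm.bing.net|udp
US|204.79.197.200:443|tse1.mm.bing.net|tcp
US|204.79.197.200:443|tse1.mm.bing.net|tcp
"""

# Assumption for this sandbox image: the guest OS contacts these on its own, so they are
# dropped unless something else in the report points at them.
SANDBOX_NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
RESOLVERS = {"8.8.8.8"}

# Alibaba Cloud OSS virtual-hosted bucket endpoint: <bucket>.oss-<region>.aliyuncs.com
OSS_RE = re.compile(r"^(?P<bucket>[a-z0-9-]+)\.oss-(?P<region>[a-z0-9-]+)\.aliyuncs\.com$")


def parse_rows(text):
    """Turn the pipe-separated rows into dicts with the port as an int and the domain case-folded."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split("|")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def triage(rows):
    """Collapse rows per domain, drop sandbox noise, tag what a hunter wants to know."""
    iocs = {}
    for r in rows:
        if r["domain"].endswith(SANDBOX_NOISE_SUFFIXES):
            continue
        entry = iocs.setdefault(r["domain"], {"ips": set(), "ports": set(), "tags": set()})
        if r["ip"] in RESOLVERS and r["port"] == 53:
            entry["tags"].add("dns-lookup")      # the query itself; keep the name even if no connection follows
            continue
        entry["ips"].add(r["ip"])
        entry["ports"].add(r["port"])
        if r["port"] == 80:
            entry["tags"].add("cleartext-http")
    for domain, entry in iocs.items():
        m = OSS_RE.match(domain)
        if m:
            entry["tags"].add("alibaba-oss-bucket")
            entry["bucket"] = m.group("bucket")
            entry["region"] = m.group("region")
    return iocs


def indicators(iocs):
    """Flat (type, value) list suitable for a blocklist or a retro-hunt query."""
    out = []
    for domain, entry in iocs.items():
        out.append(("domain", domain))
        out.extend(("ip", ip) for ip in sorted(entry["ips"]))
    return out


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for domain, entry in result.items():
        print(domain, sorted(entry["ips"]), sorted(entry["ports"]), sorted(entry["tags"]),
              entry.get("bucket"), entry.get("region"))
    print(indicators(result))
```

On the sample rows only the OSS hostname survives, tagged dns-lookup, cleartext-http and alibaba-oss-bucket, with bucket 123456666 in region cn-beijing. The report does not show what was fetched from the bucket, so the indicator is the hostname and address, not a payload hash; bucket names on shared cloud storage are also cheap to rotate, so the IP and the bucket pattern should be hunted together rather than relied on individually.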
Files
memory/2816-0-0x0000000000400000-0x00000000009EA000-memory.dmp
memory/2816-1-0x0000000000400000-0x00000000009EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ISocket.dll
| MD5 | 6db6dcfe126984a341cecfc5be783f48 |
| SHA1 | 98309871ad417694bafd93d44eb71180b79cdd45 |
| SHA256 | 8adf02829208ea32bdb377e8fccfd106393611e9425d980ce39a8dac17150dac |
| SHA512 | d4848676f2eb202ccc8f56f8389c53db0335f0ccc99ec4481e1c9978c2664519a0ffad0e8b53cc0bb56ae7ddf1cd041e225200b807a5808027c863d8094fcdc3 |
memory/4080-10-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-13-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-11-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-9-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-14-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-8-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2816-17-0x0000000000400000-0x00000000009EA000-memory.dmp
memory/2816-18-0x0000000000400000-0x00000000009EA000-memory.dmp
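In both behavioral runs the SetThreadContext indicator names the sample's PID as the source and a cmd.exe PID as the target (2236 to 2496 in behavioral1, 2816 to 4080 in behavioral2), the WriteProcessMemory signature fires, and the Files list contains repeated dumps of one region in that target, 0x400000 to 0x43B000, taken at several points in the run, alongside the 0x400000 to 0x9EA000 region of the VMProtect-packed parent. Setting another process's thread context after writing its memory is the tail end of process hollowing or a similar injection, and the target's repeatedly dumped region is where an analyst would carve the unpacked payload, the latest dump first. The helper below, an added example and not part of the report, parses the two kinds of lines and ties them together; it assumes the dump file names follow memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, as every listed name does, and its input is constructed from behavioral2.

```python
import re
from collections import defaultdict

# Name layout inferred from the Files list: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# SetThreadContext indicator text as the report prints it.
CTX_RE = re.compile(r"PID (?P<src>\d+) set thread context of (?P<dst>\d+)")

# Constructed from the behavioral2 Files list and SetThreadContext indicator of this report.
SAMPLE_DUMPS = """\
memory/2816-0-0x0000000000400000-0x00000000009EA000-memory.dmp
memory/2816-1-0x0000000000400000-0x00000000009EA000-memory.dmp
memory/4080-10-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-13-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-11-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-9-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-14-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4080-8-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2816-17-0x0000000000400000-0x00000000009EA000-memory.dmp
memory/2816-18-0x0000000000400000-0x00000000009EA000-memory.dmp
"""
SAMPLE_INDICATOR = "PID 2816 set thread context of 4080"


def parse_dumps(text):
    """pid -> [(seq, start, end, name)] sorted by sequence number."""
    regions = defaultdict(list)
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            regions[int(m["pid"])].append(
                (int(m["seq"]), int(m["start"], 16), int(m["end"], 16), line.strip()))
    for pid in regions:
        regions[pid].sort()
    return dict(regions)


def summarise(regions):
    """Per PID: how many dumps, which distinct spans, their sizes, and the sequence window."""
    out = {}
    for pid, dumps in regions.items():
        spans = {(s, e) for _, s, e, _ in dumps}
        out[pid] = {
            "dumps": len(dumps),
            "spans": sorted(spans),
            "sizes": sorted(e - s for s, e in spans),
            "first_seq": dumps[0][0],
            "last_seq": dumps[-1][0],
        }
    return out


def correlate(indicator, regions):
    """Join the SetThreadContext source/target PIDs with the dumped regions of each."""
    m = CTX_RE.search(indicator)
    if not m:
        return None
    src, dst = int(m["src"]), int(m["dst"])
    summary = summarise(regions)
    return {"injector": src, "target": dst,
            "injector_regions": summary.get(src), "target_regions": summary.get(dst)}


def latest_target_dump(indicator, regions):
    """Name of the last dump taken of the thread-context target: the most evolved state captured."""
    c = correlate(indicator, regions)
    if not c or c["target"] not in regions:
        return None
    return max(regions[c["target"]])[3]


if __name__ == "__main__":
    regs = parse_dumps(SAMPLE_DUMPS)
    c = correlate(SAMPLE_INDICATOR, regs)
    for role in ("injector", "target"):
        pid, info = c[role], c[f"{role}_regions"]
        print(f"{role} PID {pid}: {info['dumps']} dumps, spans "
              f"{[(hex(s), hex(e)) for s, e in info['spans']]}, sizes {[hex(x) for x in info['sizes']]}")
    print("carve first:", latest_target_dump(SAMPLE_INDICATOR, regs))
```

For behavioral2 this reports the injector (PID 2816) with a single 0x5EA000-byte span dumped four times and the target (PID 4080) with a single 0x3B000-byte span at 0x400000 dumped six times between sequence 8 and 14, and names memory/4080-14-... as the dump to open first. A 0x3B000-byte image at 0x400000 inside a process whose original command line was just "cmd.exe" is consistent with the cmd.exe image having been replaced, but confirming that, and recovering the payload's own hash, requires the dump itself, which this page does not include.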