Malware Analysis Report

2025-01-22 12:54

Sample ID 240522-ggnjtadh83
Target 66350d760798fe7436714266c974fb3e_JaffaCakes118
SHA256 a0d9bdc9fb26ade718dae42a4d12e23156c997dc742074de1c1f154071a3f93b
Tags
vmprotect upx
score
7/10

Analysis Overview

score
7/10

SHA256

a0d9bdc9fb26ade718dae42a4d12e23156c997dc742074de1c1f154071a3f93b

Threat Level: Shows suspicious behavior

The file 66350d760798fe7436714266c974fb3e_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect upx

VMProtect packed file

UPX packed file

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 05:46

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 05:46

Reported

2024-05-22 05:49

Platform

win7-20240221-en

Max time kernel

136s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601646820bacda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ADD0EFD1-17FE-11EF-972F-E61A8C993A67} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422518675" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c5cef119f012f943a6ef0bd1780db1f9000000000200000000001066000000010000200000008811c2d5783e53f9f045661a1610fa50f5b200ab3fb05ca845919a53d2aa7b8d000000000e8000000002000020000000bc6a8235db1d341ce76524ee9af8796d98b8102cca0da69c4e3563cb604a3365200000003b1b3fcb1ee8f464e8a2253aceea6ea7e1fc82d815e16d869ed4d5d9a5736dde4000000086dc8b06db73c025505ccab4738f577b8a3579403050ca3e1f258ed6738af4f9a6062236f8ec82cabcd16b21a6013526f7f4ded253453e63f814087eedadbcd0 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe

"C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.qingwuwg.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.qingwuwg.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»×ÊÔ´Õ¾ [42724920.ys168.com].url

MD5 3c12b619f5b9575ba2944b7ca4678929
SHA1 fa6792387198c2d93de2619059efc5206341198d
SHA256 add35880f84004b1422166fe432267249036168ddcf0185481769021980b300a
SHA512 d1e370e03affc9acfa770edc5959bc8009d15d026e4f4cd45314c8e213e371b765828f7a4921169c62c6848dcdbda38311620f4b7af922479b923a6ef12a355d

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

MD5 7c8c531ff6a158742da186b1fad6e00e
SHA1 98d4551e0d6ac034838a17437640f3335edfaa86
SHA256 00ddbc71282fdbf74b8a02cc75b2c3d66529fe7664c148cc0ca79576a883c501
SHA512 1788173da6e9cf7e5421c02854ca9122d0825927f33fc64bafb76377ee80c0e1a8112c36ee40b1cbce86e121f864777e8ddf9aecd282f3cc82b70e12cc904805

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JB8Q1DZR\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UA1HZF3D\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Temp\Cab31DD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab32B9.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e94b1cfeb49465845b21f997a291bdb7
SHA1 9240c892b1a0b286deecd2c2b6f7e51b6928afe3
SHA256 63a28a32d0865baa312f7a54462f317ad3053c9cd32a4b073d893deab156958e
SHA512 5525103698221c8e6d2546a0523692b92d17844682d0de5fb32bc9e26c4295391a8bc91cb54a46c0d2b2ef0e7ca6f9a714c91e1e136999e6a17b8e5900f22b23

C:\Users\Admin\AppData\Local\Temp\Tar32CE.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 05:46

Reported

2024-05-22 05:49

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe

"C:\Users\Admin\AppData\Local\Temp\洛克迷顺辅助V1.0版.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.qingwuwg.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»×ÊÔ´Õ¾ [42724920.ys168.com].url

MD5 514d1b59ae8925c5edea3c446ce588dd
SHA1 60dd675b65c7ffaac6ca731dba265a6f316a6f75
SHA256 6bbfe9e113e075b646ae49400657b8bb20cbab06854b38bf007ac6e15cd7b773
SHA512 5bf3d0f1715b445852ad184907d2161967d51cb8fe9673330438d8705502bc63e263222c43839140c613a427b0b58b297e522b3953c2543453625e01b8017253

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

MD5 f9fc3e4f710ea6068eccca29ed784970
SHA1 eb6f961e7102e3aef227b204ff4dd9563f745812
SHA256 1c12badabe490d7c3d63bb0187965344ce0ed923eab707e446900a9b98913fcb
SHA512 b2d0db7a2c4b4d4e53a8daf2caff6a0ea826133038380e5dcf8c6493417f2884ecd61f047798189a3cff13cca3b9dbe99e5a501ce5de10488b2a337389b019ed

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 05:46

Reported

2024-05-22 05:49

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\绿软基地.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\绿软基地.url

Network

N/A

Files

memory/2180-0-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 05:46

Reported

2024-05-22 05:49

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\绿软基地.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\绿软基地.url

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A