6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 01:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe
Size

5.7MB
MD5

9987ad672e790af1c0773b70a2113702
SHA1

fd00ab1cde3f5a120591a3c5225197739db09bb5
SHA256

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79
SHA512

b62571aef3913a959ce95b22a86b3a0606fffef668a6a46b747ee46fd98b8bede5a3422957c72ae9d5f09187778395c6fd99323973585705f1d19c40e672293b
SSDEEP

98304:+dHMC+By0AOzWeGlPCk2IabgwxXQ6lXtGscl5M1QN7pA2q7NOLhkV5idp1:+/SACkCkyhXQ6ldGsTQN7pDdkjir1

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe
2700	6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2700	6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2700	6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

C:\Users\Admin\AppData\Local\Temp\6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe
"C:\Users\Admin\AppData\Local\Temp\6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700

Network

DNS

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Remote address:

8.8.8.8:53

Request

config.yunjiasu.kkidc.com

IN A

Response

config.yunjiasu.kkidc.com

IN CNAME

config.yunjiasu.youxidun.com

config.yunjiasu.youxidun.com

IN A

45.117.11.105
DNS

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Remote address:

8.8.8.8:53

Request

config.yunjiasu.kkidc.com

IN A

Response

config.yunjiasu.kkidc.com

IN CNAME

config.yunjiasu.youxidun.com

config.yunjiasu.youxidun.com

IN A

45.117.11.105
DNS

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Remote address:

8.8.8.8:53

Request

config.yunjiasu.kkidc.com

IN A

Response

config.yunjiasu.kkidc.com

IN CNAME

config.yunjiasu.youxidun.com

config.yunjiasu.youxidun.com

IN A

45.117.11.105
DNS

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Remote address:

8.8.8.8:53

Request

config.yunjiasu.kkidc.com

IN A

Response

config.yunjiasu.kkidc.com

IN CNAME

config.yunjiasu.youxidun.com

config.yunjiasu.youxidun.com

IN A

45.117.11.105
DNS

httpbin.org

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Remote address:

8.8.8.8:53

Request

httpbin.org

IN A

Response

httpbin.org

IN A

54.160.164.209

httpbin.org

IN A

52.206.26.65

httpbin.org

IN A

34.198.16.126

httpbin.org

IN A

52.204.69.97
GET

http://httpbin.org/ip

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Remote address:

54.160.164.209:80

Request

GET /ip HTTP/1.1
Connection: Close
Host: httpbin.org

Response

HTTP/1.1 200 OK

Date: Fri, 24 May 2024 01:53:10 GMT
Content-Type: application/json
Content-Length: 33
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
DNS

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

Remote address:

8.8.8.8:53

Request

config.yunjiasu.kkidc.com

IN A

Response

config.yunjiasu.kkidc.com

IN CNAME

config.yunjiasu.youxidun.com

config.yunjiasu.youxidun.com

IN A

45.117.11.105

45.117.11.105:9501

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

52 B
1
45.117.11.105:9501

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

152 B
3
45.117.11.105:9501

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

104 B
2
110.80.137.104:9501

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

104 B
2
110.80.137.104:9501

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

104 B
2
54.160.164.209:80

http://httpbin.org/ip

http

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

334 B
509 B
6
6

HTTP Request

GET http://httpbin.org/ip

HTTP Response

200
45.117.11.171:20399

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

152 B
3
117.24.15.26:36497

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

152 B
3
45.248.10.79:50878

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

152 B
3
45.117.11.205:16966

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

152 B
3
27.159.92.14:34001

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

152 B
3
110.80.134.106:39070

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

152 B
3
45.117.11.105:9501

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

144 B
3
125.77.158.194:11400

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

52 B
1
110.80.134.106:39070

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

52 B
1
125.77.158.194:11400

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

52 B
1
110.80.134.123:37610

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

52 B
1
117.24.15.30:53170

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

52 B
1
45.117.11.171:20399

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

52 B
1
45.248.10.143:14111

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

152 B
3
110.80.137.104:9501

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

144 B
3
45.117.11.105:9501

config.yunjiasu.kkidc.com

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

144 B
3
110.80.137.104:9501

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

144 B
3

8.8.8.8:53

config.yunjiasu.kkidc.com

dns

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

71 B
126 B
1
1

DNS Request

config.yunjiasu.kkidc.com

DNS Response

45.117.11.105
8.8.8.8:53

config.yunjiasu.kkidc.com

dns

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

71 B
126 B
1
1

DNS Request

config.yunjiasu.kkidc.com

DNS Response

45.117.11.105
8.8.8.8:53

config.yunjiasu.kkidc.com

dns

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

71 B
126 B
1
1

DNS Request

config.yunjiasu.kkidc.com

DNS Response

45.117.11.105
8.8.8.8:53

config.yunjiasu.kkidc.com

dns

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

71 B
126 B
1
1

DNS Request

config.yunjiasu.kkidc.com

DNS Response

45.117.11.105
8.8.8.8:53

httpbin.org

dns

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

57 B
121 B
1
1

DNS Request

httpbin.org

DNS Response

54.160.164.209

52.206.26.65

34.198.16.126

52.204.69.97
8.8.8.8:53

config.yunjiasu.kkidc.com

dns

6b8f190984bfa7f8967223dfba76c65542e15b3af578f36ddec52cfd5b93fc79.exe

71 B
126 B
1
1

DNS Request

config.yunjiasu.kkidc.com

DNS Response

45.117.11.105

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
5KB

MD5
0d62ba3018fe6f0c7ea04391fe09dd74

SHA1
1807a391ed1f8f0630409b88f66f2d43d9a97540

SHA256
de1c54e3de6c7c86a959b7e00858b0ea8da68822d4712b1cb829b30bd7616e14

SHA512
cedb59a04de38cc61a7b8cf5b6d1e57b4d488c03755be7a490c1505e6bbada7271d4ca22f2e4aecb599ccbbe36ed8e5dbf41a4b4ccb17cdd302968725da9e65e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.