Malware Analysis Report

2025-08-05 15:44

Sample ID: 240525-bjb1xahb7z
Target: 3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe
SHA256: 3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e
Tags: (none listed)
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e

Threat Level: Likely malicious

The file 3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe was found to be: Likely malicious. The score rests on the behaviours listed below, which were observed in both detonations: the sample writes a second executable (Setup.exe, launched with the arguments "AltRemoKey 2.2.0.0") into a temporary directory, writes into that child's memory (PID 2148 to PID 848, seven writes in behavioral1), and the child then enumerates drives, opens C:\Windows\win.ini for modification, installs a Windows hook and a clipboard format listener, while the detonation shows repeated TCP/80 connections to xsblog.haoshuaji.com alongside a download from downloadcdn.altremokey.com. Taken individually these are common installer and potentially-unwanted-application behaviours rather than proof of malicious intent; the verdict should be confirmed by examining the dropped Setup.exe and the content of the xsblog.haoshuaji.com traffic.

Malicious Activity Summary


Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-25 01:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-25 01:10
Reported: 2024-05-25 01:12
Platform: win7-20240508-en
Max time kernel: 119s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 848 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe"

C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe" 56-30-53-2a-f2-ee AltRemoKey 2.2.0.0 3220000

Network

Country Destination Domain Proto
US 8.8.8.8:53 xsblog.haoshuaji.com udp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
US 8.8.8.8:53 downloadcdn.altremokey.com udp
FR 52.84.45.109:80 downloadcdn.altremokey.com tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
N/A 127.0.0.1:49208 - tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
N/A 127.0.0.1:49211 - tcp
N/A 127.0.0.1:49214 - tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp

Rows with "-" in the Domain column are connections the capture did not tie to a DNS name; the three 127.0.0.1 entries are loopback connections on ephemeral ports and never leave the guest. 8.8.8.8:53 is the sandbox resolver, not an indicator. The indicators of value here are the two domains and 121.37.227.182:80, which is contacted seven times within the 121-second capture. 52.84.45.109 sits behind a "downloadcdn" hostname and is likely shared CDN infrastructure, so match on the domain rather than the address.

Files

\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe

MD5 8280a8dd4c353d402fb44fb02f76b679
SHA1 d7aaa8f25f06a64d4d72b7cfee7725c4aa2bb153
SHA256 4dc74e75e88c068fa0d16da2207779e7ab77829b3c6c71525a5c3bdc65ea70cc
SHA512 4738707d537149072f1f9da6035e0f63861bf7f06f9139dbf5c3c88ae06e9655c6b3822bf7296a27473aa8253855dd8e9eda1dbf4154066ec55a6573cdcc072e

memory/848-14-0x0000000000100000-0x000000000010A000-memory.dmp

memory/848-15-0x0000000000100000-0x000000000010A000-memory.dmp

memory/848-16-0x0000000000100000-0x000000000010A000-memory.dmp

memory/848-17-0x0000000000100000-0x000000000010A000-memory.dmp

All four dumps cover the same 0xA000-byte (40 KB) region of PID 848, the Setup.exe process that PID 2148 wrote into via WriteProcessMemory. Comparing the dumps with each other and with the on-disk Setup.exe shows whether the parent patched the child and what changed between snapshots.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-25 01:10
Reported: 2024-05-25 01:12
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe

"C:\Users\Admin\AppData\Local\Temp\3983dcc9deffe431d983cca61121ecd53e5e138da17c47f270a1e07fc174dd2e.exe"

C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe" ce-94-54-92-b8-df AltRemoKey 2.2.0.0 3220000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Setup.exe is launched with the same argument layout in both detonations, but the first argument differs between them (56-30-53-2a-f2-ee on the win7 image, ce-94-54-92-b8-df on the win10 image). It is six hex octets formatted like a MAC address, so the launcher most likely collects a per-machine identifier and hands it to the installer; compare it with the guest's adapter address before treating it as a licence key or build ID. The msedge.exe utility process appears with no signature row tying it to the sample and no parent recorded here; on a Windows 10 image this is most plausibly background activity, and it should be checked against the process tree before being attributed to the sample.

Network

Country Destination Domain Proto
US 8.8.8.8:53 xsblog.haoshuaji.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
US 8.8.8.8:53 139.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
US 8.8.8.8:53 downloadcdn.altremokey.com udp
FR 52.84.45.109:80 downloadcdn.altremokey.com tcp
US 8.8.8.8:53 109.45.84.52.in-addr.arpa udp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
GB 142.250.187.234:443 - tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
US 13.107.246.64:443 - tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
N/A 127.0.0.1:49860 - tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
N/A 127.0.0.1:49863 - tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
N/A 127.0.0.1:49868 - tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Rows with "-" in the Domain column are connections the capture did not tie to a DNS name. The in-addr.arpa rows are reverse (PTR) lookups for addresses the guest contacted, and the two TCP/443 connections (142.250.187.234 and 13.107.246.64) are not attributed to any process in this report; a Windows 10 image generates traffic of this kind on its own, so none of these belong on a blocklist without process-level telemetry to back them. The 127.0.0.1 rows are loopback connections that never leave the guest. The durable indicators common to both detonations are xsblog.haoshuaji.com (121.37.227.182:80, contacted seven times here) and downloadcdn.altremokey.com.
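As an added example (not part of this report or of the sandbox vendor's tooling), the following Python script turns the flattened Network, WriteProcessMemory and Files rows from both behavioral detonations into a deduplicated indicator set: it drops the sandbox resolver, loopback connections and reverse-DNS lookups, keeps the domain and domain-attributed endpoints, sets aside connections the capture could not attribute to a name, collapses the repeated memory-write rows into a count, and checks a recovered file against the report's digests. The embedded rows are a representative subset copied from the tables above; all function and constant names are the example's own.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Rows copied from the two Network tables in this report (a representative subset).
# Column order is Country, Destination, Domain, Proto; rows with no domain either
# omit the column or carry "-" in it.
REPORT_NETWORK_ROWS = """
US 8.8.8.8:53 xsblog.haoshuaji.com udp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
US 8.8.8.8:53 downloadcdn.altremokey.com udp
FR 52.84.45.109:80 downloadcdn.altremokey.com tcp
N/A 127.0.0.1:49208 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
GB 142.250.187.234:443 - tcp
US 13.107.246.64:443 tcp
N/A 127.0.0.1:49860 - tcp
CN 121.37.227.182:80 xsblog.haoshuaji.com tcp
""".strip().splitlines()

# Hash lines copied from the report's Files section for the dropped Setup.exe.
REPORT_FILE_HASHES = """
MD5 8280a8dd4c353d402fb44fb02f76b679
SHA1 d7aaa8f25f06a64d4d72b7cfee7725c4aa2bb153
SHA256 4dc74e75e88c068fa0d16da2207779e7ab77829b3c6c71525a5c3bdc65ea70cc
""".strip().splitlines()

# Description column of the seven WriteProcessMemory rows in behavioral1.
REPORT_WRITE_ROWS = ["PID 2148 wrote to memory of 848"] * 7

RESOLVERS = {"8.8.8.8"}  # the sandbox's upstream DNS resolver; not an indicator


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int
    proto: str
    domain: str  # "" when the report row carried no Domain value


def parse_row(row):
    """Split one flattened Network row into an Endpoint."""
    parts = row.split()
    if len(parts) == 4:
        _country, dest, domain, proto = parts
    elif len(parts) == 3:
        _country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row layout: {row!r}")
    if domain == "-":
        domain = ""
    ip, port = dest.rsplit(":", 1)
    return Endpoint(ip, int(port), proto, domain)


def is_noise(ep):
    """Loopback connections and reverse (PTR) lookups are guest background, not IOCs."""
    if ipaddress.ip_address(ep.ip).is_loopback:
        return True
    return ep.domain.endswith(".in-addr.arpa")


def extract_iocs(rows):
    """Return deduplicated domains, domain-attributed endpoints and unattributed endpoints."""
    domains, endpoints, unattributed = set(), set(), set()
    for row in rows:
        ep = parse_row(row)
        if is_noise(ep):
            continue
        if ep.ip in RESOLVERS:
            # A DNS query row names the domain that was resolved; the resolver itself is not an IOC.
            domains.add(ep.domain)
            continue
        if ep.domain:
            domains.add(ep.domain)
            endpoints.add((ep.ip, ep.port, ep.domain))
        else:
            unattributed.add((ep.ip, ep.port))
    return {"domains": domains, "endpoints": endpoints, "unattributed": unattributed}


WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def write_counts(descriptions):
    """Collapse repeated 'PID X wrote to memory of Y' rows into {(X, Y): count}."""
    counts = {}
    for d in descriptions:
        m = WRITE_RE.fullmatch(d)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            counts[key] = counts.get(key, 0) + 1
    return counts


def parse_hashes(lines):
    """Turn 'ALGO digest' lines into {algo: digest} using hashlib's algorithm names."""
    return {algo.lower(): digest.lower() for algo, digest in (ln.split() for ln in lines)}


def digests_match(data, expected):
    """Hash `data` with every algorithm in `expected` and report which digests match."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest for algo, digest in expected.items()}


def file_matches(path, expected, chunk=1 << 20):
    """Streaming variant of digests_match for a file on disk, e.g. a recovered Setup.exe."""
    hashers = {algo: hashlib.new(algo) for algo in expected}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: hashers[algo].hexdigest() == expected[algo] for algo in expected}


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_NETWORK_ROWS)
    print("domains:      ", sorted(iocs["domains"]))
    print("endpoints:    ", sorted(iocs["endpoints"]))
    print("unattributed: ", sorted(iocs["unattributed"]))
    print("memory writes:", write_counts(REPORT_WRITE_ROWS))
    print("hashes:       ", parse_hashes(REPORT_FILE_HASHES))
```

The noise check runs before the resolver check on purpose: a PTR lookup is still a query to 8.8.8.8, and filtering on the resolver alone would turn every in-addr.arpa name into a "domain" indicator. Unattributed endpoints are returned separately rather than discarded so an analyst can correlate them with process telemetry before deciding whether they belong to the sample.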

Files

C:\Users\Admin\AppData\Local\Temp\TempAltRemoveKeyPath\Setup.exe

MD5 8280a8dd4c353d402fb44fb02f76b679
SHA1 d7aaa8f25f06a64d4d72b7cfee7725c4aa2bb153
SHA256 4dc74e75e88c068fa0d16da2207779e7ab77829b3c6c71525a5c3bdc65ea70cc
SHA512 4738707d537149072f1f9da6035e0f63861bf7f06f9139dbf5c3c88ae06e9655c6b3822bf7296a27473aa8253855dd8e9eda1dbf4154066ec55a6573cdcc072e