Malware Analysis Report

2024-09-09 12:25

Sample ID: 240525-wkf2gadb28
Target: ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979
SHA256: ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979
Tags: oss_ak
Score: 9/10

Analysis Overview

Score: 9/10
SHA256: ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979

Threat Level: Likely malicious

The file ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979 was found to be: Likely malicious.

Malicious Activity Summary

- oss_ak (detect oss ak)
- Unsigned PE
- Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-25 17:58

Signatures

Unsigned PE (Description, Indicator, Process, Target: N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-25 17:58
Reported: 2024-05-25 18:01
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979.exe"

Signatures

oss_ak (detect oss ak): 4 matches; Description, Indicator, Process, Target: N/A

Suspicious behavior: GetForegroundWindowSpam
Process: C:\Users\Admin\AppData\Local\Temp\ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979.exe (Description, Indicator, Target: N/A)

Processes

C:\Users\Admin\AppData\Local\Temp\ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979.exe

"C:\Users\Admin\AppData\Local\Temp\ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979.exe"

Network

N/A

Files

memory/2532-0-0x0000000000400000-0x0000000001574000-memory.dmp
memory/2532-3-0x0000000000400000-0x0000000001574000-memory.dmp
memory/2532-2-0x0000000000B90000-0x0000000000EF7000-memory.dmp
memory/2532-4-0x0000000000400000-0x0000000001574000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AntiPlugCfg.ini

memory/2532-664-0x0000000000400000-0x0000000001574000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-25 17:58
Reported: 2024-05-25 18:01
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979.exe"

Signatures

oss_ak (detect oss ak): 3 matches; Description, Indicator, Process, Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979.exe

"C:\Users\Admin\AppData\Local\Temp\ef285ea4242236a8140884a57b2746f61484ab74cc920d664d4b4a3ef38e0979.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.225:443 www.bing.com tcp
BE 88.221.83.225:443 www.bing.com tcp
US 8.8.8.8:53 225.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp

Files

memory/5004-2-0x0000000000B90000-0x0000000000EF7000-memory.dmp
memory/5004-3-0x0000000000400000-0x0000000001574000-memory.dmp
memory/5004-4-0x0000000000400000-0x0000000001574000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Config.ini

C:\Users\Admin\AppData\Local\Temp\AntiPlugCfg.ini

memory/5004-664-0x0000000000400000-0x0000000001574000-memory.dmp