Malware Analysis Report

2025-08-05 15:47

Sample ID 240528-y63tgacb22
Target 27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2
SHA256 27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2

Threat Level: Shows suspicious behavior

The file 27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 20:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 20:24

Reported

2024-05-28 20:27

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2.exe

"C:\Users\Admin\AppData\Local\Temp\27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2.exe"

C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe

"C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe" --conf-path=C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf #--save-session=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --input-file=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Roaming/datatemp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Roaming/datatemp/dht6.dat --bt-external-ip= --stop-with-process=1132

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip.tool.chinaz.com | udp
CN | 123.129.219.81:80 | ip.tool.chinaz.com | tcp
US | 8.8.8.8:53 | docs.qq.com | udp
N/A | 127.0.0.1:7022 | | tcp
HK | 203.205.254.103:443 | docs.qq.com | tcp
US | 8.8.8.8:53 | down.177ms.com | udp
CN | 218.92.227.200:86 | down.177ms.com | tcp

Files

\Users\Admin\AppData\Roaming\datatemp\libcurl.dll

MD5 298f5812023bab65ee23d13ee9489a6e
SHA1 71e9d7f205e5e7af6907c539c77a3aeea971692f
SHA256 fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e
SHA512 217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd

\Users\Admin\AppData\Roaming\datatemp\aria2c.exe

MD5 a5c047f169471bd325552c255d6c04af
SHA1 e313cff2f3d668ec5d0e90920bd622b0f38aed9d
SHA256 cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a
SHA512 6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf

MD5 4a1b71ede6ff12456038f6a26e356a42
SHA1 16af6552ebbeb0300d1451715add745e840ff993
SHA256 0ee9c9e686a595f86d25854bca6e92e8bfd51437a28306b4eaebf736156cc7ee
SHA512 bea15214c76083c86f4104e569bb93ba7000e4e555382b6cc97e0c9bdb6b4de72f50b8458d4c3420e073edefe4f40b7eea580000001d089fd5c78e303fbd8501

memory/2688-25-0x0000000000400000-0x00000000008CE000-memory.dmp

memory/2688-26-0x0000000000400000-0x00000000008CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 20:24

Reported

2024-05-28 20:27

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2.exe

"C:\Users\Admin\AppData\Local\Temp\27a9eefe08a7b7263e696dfca4ccc21abe98ec80800a8dffa71fb7722b0066c2.exe"

C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe

"C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe" --conf-path=C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf #--save-session=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --input-file=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Roaming/datatemp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Roaming/datatemp/dht6.dat --bt-external-ip= --stop-with-process=2696

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | ip.tool.chinaz.com | udp
CN | 123.129.219.81:80 | ip.tool.chinaz.com | tcp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | docs.qq.com | udp
N/A | 127.0.0.1:7022 | | tcp
HK | 203.205.254.103:443 | docs.qq.com | tcp
US | 8.8.8.8:53 | down.177ms.com | udp
US | 8.8.8.8:53 | 103.254.205.203.in-addr.arpa | udp
CN | 218.92.227.200:86 | down.177ms.com | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\datatemp\libcurl.dll

MD5 298f5812023bab65ee23d13ee9489a6e
SHA1 71e9d7f205e5e7af6907c539c77a3aeea971692f
SHA256 fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e
SHA512 217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd

C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe

MD5 a5c047f169471bd325552c255d6c04af
SHA1 e313cff2f3d668ec5d0e90920bd622b0f38aed9d
SHA256 cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a
SHA512 6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf

MD5 4a1b71ede6ff12456038f6a26e356a42
SHA1 16af6552ebbeb0300d1451715add745e840ff993
SHA256 0ee9c9e686a595f86d25854bca6e92e8bfd51437a28306b4eaebf736156cc7ee
SHA512 bea15214c76083c86f4104e569bb93ba7000e4e555382b6cc97e0c9bdb6b4de72f50b8458d4c3420e073edefe4f40b7eea580000001d089fd5c78e303fbd8501

memory/3152-28-0x0000000000400000-0x00000000008CE000-memory.dmp

memory/3152-29-0x0000000000400000-0x00000000008CE000-memory.dmp