Malware Analysis Report

2025-08-05 15:57

Sample ID 240612-fjr5ca1fjc
Target ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a
SHA256 ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a
Tags
Score 7/10


Analysis Overview

Score 7/10

SHA256

ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a

Threat Level: Shows suspicious behavior

The file ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 04:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 04:54

Reported

2024-06-12 04:57

Platform

win7-20240508-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ÈÈѪ´«Ææ\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe

"C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe"

C:\ÈÈѪ´«Ææ\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe

C:\ÈÈѪ´«Ææ\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe

Network

Country  Destination      Domain            Proto
US       8.8.8.8:53       huazicdn.dou3.cn  udp
N/A      127.0.0.1:8088   N/A               tcp
N/A      127.0.0.1:8088   N/A               tcp
N/A      127.0.0.1:8088   N/A               tcp
N/A      127.0.0.1:8088   N/A               tcp
N/A      127.0.0.1:8088   N/A               tcp
N/A      127.0.0.1:8088   N/A               tcp
N/A      127.0.0.1:8088   N/A               tcp
N/A      127.0.0.1:8088   N/A               tcp
US       8.8.8.8:53       huazicdn.dou3.cn  udp
US       8.8.8.8:53       huazicdn.dou3.cn  udp
US       8.8.8.8:53       huazicdn.dou3.cn  udp

Files

memory/2980-1-0x0000000000020000-0x0000000000023000-memory.dmp

memory/2980-0-0x0000000000400000-0x0000000000948000-memory.dmp

memory/2980-4-0x00000000004F9000-0x00000000004FA000-memory.dmp

memory/2980-5-0x0000000000400000-0x0000000000948000-memory.dmp

\ÈÈѪ´«Ææ\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe

MD5 105a2ba8b5d9979c2c9a899e689af728
SHA1 866877c474881caba02cd309db1af1846028f702
SHA256 ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a
SHA512 d6e97e7cf7fb68c7ac5a0e27a14effc7af4ed0279723b9f4d1eaee086e7526774f7915ae887d687bd5a36eef3884ee5bff2756dc6b40562c2afb3b2f0a95cffd

memory/2980-19-0x0000000005600000-0x0000000005B48000-memory.dmp

memory/1932-18-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1932-17-0x0000000000400000-0x0000000000948000-memory.dmp

memory/2980-16-0x0000000005600000-0x0000000005B48000-memory.dmp

memory/1932-22-0x0000000000400000-0x0000000000948000-memory.dmp

memory/2980-24-0x0000000000020000-0x0000000000023000-memory.dmp

memory/2980-25-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1932-26-0x0000000000400000-0x0000000000948000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f9100498b1e6c535f67d605e12c9515a.txt

MD5 6837724c314d40567b48f77e84c4a1fe
SHA1 fe40871082304b3876ee4aee6b3a6b67d9ad7e13
SHA256 8feeb29152b7a1ff207f5db2e48a383f118faed4f5e4cf3f7105122f14b3093f
SHA512 69009beb3b26a43f4c5d87497b7910bec5124fcaef5933b32290cd2139527dc4a892f85082ce2f5f5cb4f03ccc7048746f9b67034c66986bde0746fc740a9a81

memory/1932-31-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1932-32-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1932-33-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1932-34-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1932-35-0x0000000000400000-0x0000000000948000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 04:54

Reported

2024-06-12 04:57

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ÈÈѪ´«Ææ\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe

"C:\Users\Admin\AppData\Local\Temp\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe"

C:\ÈÈѪ´«Ææ\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe

C:\ÈÈѪ´«Ææ\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          huazicdn.dou3.cn  udp
N/A      127.0.0.1:8088      N/A               tcp
N/A      127.0.0.1:8088      N/A               tcp
N/A      127.0.0.1:8088      N/A               tcp
N/A      127.0.0.1:8088      N/A               tcp
US       8.8.8.8:53          huazicdn.dou3.cn  udp
US       8.8.8.8:53          huazicdn.dou3.cn  udp
US       52.111.227.11:443   N/A               tcp

Files

memory/1316-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

memory/1316-0-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1316-4-0x00000000004F9000-0x00000000004FA000-memory.dmp

memory/1316-5-0x0000000000400000-0x0000000000948000-memory.dmp

C:\ÈÈѪ´«Ææ\ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a.exe

MD5 105a2ba8b5d9979c2c9a899e689af728
SHA1 866877c474881caba02cd309db1af1846028f702
SHA256 ee0230b62df2e4b6ec5e3528620b7ceee6735fed15387d21c5f8feaad122835a
SHA512 d6e97e7cf7fb68c7ac5a0e27a14effc7af4ed0279723b9f4d1eaee086e7526774f7915ae887d687bd5a36eef3884ee5bff2756dc6b40562c2afb3b2f0a95cffd

memory/3980-13-0x0000000000400000-0x0000000000948000-memory.dmp

memory/3980-12-0x0000000000400000-0x0000000000948000-memory.dmp

memory/3980-16-0x0000000000400000-0x0000000000948000-memory.dmp

memory/3980-17-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1316-18-0x0000000000400000-0x0000000000948000-memory.dmp

memory/1316-20-0x00000000001C0000-0x00000000001C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f9100498b1e6c535f67d605e12c9515a.txt

MD5 6837724c314d40567b48f77e84c4a1fe
SHA1 fe40871082304b3876ee4aee6b3a6b67d9ad7e13
SHA256 8feeb29152b7a1ff207f5db2e48a383f118faed4f5e4cf3f7105122f14b3093f
SHA512 69009beb3b26a43f4c5d87497b7910bec5124fcaef5933b32290cd2139527dc4a892f85082ce2f5f5cb4f03ccc7048746f9b67034c66986bde0746fc740a9a81

memory/3980-24-0x0000000000400000-0x0000000000948000-memory.dmp

memory/3980-25-0x0000000000400000-0x0000000000948000-memory.dmp

memory/3980-27-0x0000000000400000-0x0000000000948000-memory.dmp