Malware Analysis Report

2025-01-06 07:35

Sample ID 240613-fcz7daybkm
Target 287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b
SHA256 287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b
Tags: evasion
Score: 9/10


Analysis Overview

Score: 9/10

SHA256

287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b

Threat Level: Likely malicious

The file 287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b was found to be: Likely malicious.

Malicious Activity Summary

evasion

Looks for VirtualBox Guest Additions in registry

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:44

Reported

2024-06-13 04:47

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe
PID 2440 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe
PID 2440 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe
PID 2440 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe
PID 2440 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe
PID 2440 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe
PID 2440 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe
PID 2440 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe

Processes

C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe

"C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe

"C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe" "C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe"

C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe

"C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe"

Network


Files

\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe

MD5 45015ba0317e13a7af2ca159f770b83c
SHA1 9ed2b9cde8adf818b53fe63a32601e2a46fcf21f
SHA256 84ed3b7a0fad98a8d535661842aca916e91539e76da86937a156da2a7cff43b0
SHA512 77853059b0bb1633e8a699d4b8e3473b5d47afc7c0e68eaa0d954abd4590aff980e5aa4931731bb6b3577d9c645f9be04fc1ebee06b36f0064cbe0d652453aa4

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 29a59ce870fd5ae3f4ab0d546faefc0f
SHA1 e90a05724ad5d1dfbd0df206d1973c1e8687296c
SHA256 efa621851a8abbad1eda88381458ea34c6852310dbac8e35da193050652337ee
SHA512 bc814b4924f944691b0eba4b0d3a822db5a39c19166814ca0d0b3cd7d2860791609abaf1d61c8bbbe9d4d2d4552436374b74f5e2d8694f2d6ce5e3c334c0e12a

\Users\Admin\AppData\Local\Temp\新天龙八部.exe

MD5 d162412874265232bd8d6d4ef11749d6
SHA1 1903e216311d1c2537a70737405f0321dfba4df9
SHA256 373a1111260c0c6056ab43f7f9db804a636831ed9a1ce9c608fda177b1739547
SHA512 adfe3fac4e42a29f2d0ba30a90d6b126c54a72f445f4f544d41abf94fd457bed2d45f5a207ecfad011a7d30b6eac696a44e6230301b6185d34a49cf342ed4446

C:\Users\Admin\AppData\Local\Temp\ISocket.dll

MD5 472f1e105681f2e680acfab22d654edd
SHA1 373ae6b5725b6a7981de2475c889955c53785944
SHA256 e89128d259a0fdb91a2331fe39d658350055886014113948698ec36f0cb91b13
SHA512 c4d8351a53114b49679e782529f90318a668c2bf659f1a32fea56b2a42335f15dc40a60d436b27d1b12f3e9858a25f2f2d4434ec693177d283a91588df8f12c0

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 43b6e078ed2dca6e9c24b4ea2f59513a
SHA1 5349733d46c70c696e4ee2505d337c1cff17e385
SHA256 7ebad31f4892bb1917e93075b979f5bf439a928f879902d8af7cb4aed7281137
SHA512 bc9b9cfeb51160585a047a63799ed6687e1dfe8af415e0af035605549a263e2378ee641c35bd470707a2f8487c6e174a0984c0bf8e5a3b558fc1b894930f76be

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 79eb78ceed94638bf3d8969c58d5f87b
SHA1 68bd5b00f9b357f71964e8ba08964f2fe97389ae
SHA256 29997e5fe4180370b53af923e2d0dad025154a352c9d084d0ed7aaf61ca38fcb
SHA512 1fb1e144e39258757ce8475523d20bba679d2ca800a6ca11bf48bfad87540b891154558e0ed2d76ad84db34ce0b43a6e2da1d326a95f26661341a6c21fe9813e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:44

Reported

2024-06-13 04:47

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe

"C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe"

C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe

"C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe" "C:\Users\Admin\AppData\Local\Temp\287ebaf6b90bb87a9e68d2939281990a72df1acdac2237bbb752e32f8dceb57b.exe"

C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe

"C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\ytool\4wONfxXjswzdv0H.exe

MD5 45015ba0317e13a7af2ca159f770b83c
SHA1 9ed2b9cde8adf818b53fe63a32601e2a46fcf21f
SHA256 84ed3b7a0fad98a8d535661842aca916e91539e76da86937a156da2a7cff43b0
SHA512 77853059b0bb1633e8a699d4b8e3473b5d47afc7c0e68eaa0d954abd4590aff980e5aa4931731bb6b3577d9c645f9be04fc1ebee06b36f0064cbe0d652453aa4

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 8e2af3f027f2e6c01e9f275e115adbc4
SHA1 cfdd707c6650fd47deec49eeccdf9a663e1960ef
SHA256 1109e2da1cd4ea684c38fbdbfbabd37f2fb408e2d1867a89b8d607cb7d5ac862
SHA512 516b3de3100b21153447efc26c697ed00412eeef613a90db38125f4ddca97ebc575515c64b8a8e617f7f3ec3c4d5b4aeb8236e6d8ade0225d4b10336078a95b8

C:\Users\Admin\AppData\Local\Temp\新天龙八部.exe

MD5 d162412874265232bd8d6d4ef11749d6
SHA1 1903e216311d1c2537a70737405f0321dfba4df9
SHA256 373a1111260c0c6056ab43f7f9db804a636831ed9a1ce9c608fda177b1739547
SHA512 adfe3fac4e42a29f2d0ba30a90d6b126c54a72f445f4f544d41abf94fd457bed2d45f5a207ecfad011a7d30b6eac696a44e6230301b6185d34a49cf342ed4446

C:\Users\Admin\AppData\Local\Temp\ISocket.dll

MD5 472f1e105681f2e680acfab22d654edd
SHA1 373ae6b5725b6a7981de2475c889955c53785944
SHA256 e89128d259a0fdb91a2331fe39d658350055886014113948698ec36f0cb91b13
SHA512 c4d8351a53114b49679e782529f90318a668c2bf659f1a32fea56b2a42335f15dc40a60d436b27d1b12f3e9858a25f2f2d4434ec693177d283a91588df8f12c0

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 c74a76b93abf7e62ba51673e93c52b26
SHA1 7c64fae748cbb10b8aefd0ad265ce52639c5583f
SHA256 ead3c8d69a77cfce75aa86b80f30983bff0092e77940959c2a08b0304f514c7a
SHA512 7108e687af277df450a429b57f2078a5a44bb3863929c5f78fe22529b58b586043d5af0ebe70d9d6ff2339d0c997bbf416bfc19279431905771da5c621b9343a

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 3d77a5bbca0562a00421f92ffca27239
SHA1 52a511a675fa60e14144f8b7dccacff9de57419f
SHA256 267652770c25cf78398ff13ebe44cf0a336d3b606dc4985a54565feb0124b858
SHA512 a1c4b8c38424610c7341a6f294933959421ee4c4efdd99618ee5b5c10715f26554ee6b847f5b7fdb0ad7131efd3f81486c9963f23d983eafbb8fcec8fe7ecb97