Analysis Overview
SHA256
8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096
Threat Level: Likely malicious
The file 8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096 was found to be: Likely malicious.
Malicious Activity Summary
Looks for VirtualBox Guest Additions in registry
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:55
Reported
2024-06-13 04:58
Platform
win7-20240611-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe
"C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp |
| US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp |
| US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp |
| CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp |
| CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp |
| CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp |
| CN | 110.80.137.104:9501 | N/A | tcp |
| CN | 110.80.137.104:9501 | N/A | tcp |
| US | 8.8.8.8:53 | httpbin.org | udp |
| US | 3.213.1.197:80 | httpbin.org | tcp |
| US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp |
| CN | 45.117.11.211:31710 | N/A | tcp |
| CN | 110.80.134.123:37610 | N/A | tcp |
| CN | 45.117.11.54:52730 | N/A | tcp |
| CN | 45.117.11.105:9501 | config.yunjiasu.kkidc.com | tcp |
| CN | 45.251.9.148:54274 | N/A | tcp |
| CN | 103.88.32.69:23447 | N/A | tcp |
| CN | 45.248.10.79:50878 | N/A | tcp |
| US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
| MD5 | b3dab564fa8b30d76dac3736c7bd4dd5 |
| SHA1 | e16cd7c511b5957ff98cf11fd25fc1f6b33a19c9 |
| SHA256 | 69d8fbb0862f6b8fd26d3ae4e7cee8870db1c1e77f8e318a055e5230b06664d7 |
| SHA512 | 38f2e0a7f23a2ea7a0db6996371d44349ee223a45390d1ac0670afdd59731236c797ab017d9c0abd7f38d6cb07a5ea0b2a773b1974a90e383c6e15ff864f9f3f |
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
| MD5 | 1e0462f8667ab3d0f419e75ae2ca34de |
| SHA1 | a62cad3c0be15c95cbef9647eb625985b16804fc |
| SHA256 | d03127be49d46407b43b22101c6a44a102f4e6f935f323f4e39829553abc6047 |
| SHA512 | d613e70e79142ca811f1d143f0b77075c1a4939504786bb46b5ba09f262450f4840bc9beaf5d3fc1ae3a4266ec7633ba7d57be8fe879dce29e00ec1d1067d8de |
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
| MD5 | 3b8f03e5b1e4f186ec2864c110396aac |
| SHA1 | a35bd8e145ea93cb8bfd5c11dcda0a75b00ab99d |
| SHA256 | 6fa33b9fa8301c6a67d38c5f28420f01a6d508c5e2f271c24132b181d7d236ff |
| SHA512 | f79e9f883115555f2bc27e2840ceadf85c7bad29008fded804d6d191d98136565c886405c508f10bd432ca0ba044a1c805447b8ca8bb4512907e3e8b2d055f1f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:55
Reported
2024-06-13 04:58
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
58s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe
"C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp |
| CN | 110.80.137.104:9501 | N/A | tcp |
| CN | 110.80.137.104:9501 | N/A | tcp |
| CN | 110.80.137.104:9501 | N/A | tcp |
| US | 8.8.8.8:53 | httpbin.org | udp |
| US | 8.8.8.8:53 | config.yunjiasu.kkidc.com | udp |
| CN | 45.117.11.211:31710 | N/A | tcp |
| CN | 110.80.134.123:37610 | N/A | tcp |
| CN | 45.117.11.54:52730 | N/A | tcp |
| CN | 110.80.137.104:9501 | N/A | tcp |
| CN | 110.80.137.104:9501 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
| MD5 | 7b4a80f2db3d4c301dad14a6b44c2d32 |
| SHA1 | 455189432a9448387b837ae452f5d95a9f66e9ab |
| SHA256 | ec953e6134a4f63ac49dc7d42d163c750e4291b42138f7959693620942bbe6eb |
| SHA512 | 85eba3931cfa0b1f5fedfd81f2dba44e8bc1f99dbfe0436a011357d7094ef7233b5f9d5594055180dad68045cef3ed59d3c336c1725d5ef19c10e7c8d375e832 |
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
| MD5 | 009a3169a3ab481bea32561f798c421a |
| SHA1 | 453a56f293548002108b939d5015f86240ca08e5 |
| SHA256 | aa98158015297fd33ace8a4e8f95efbedff28b6bc992406af27c36c4367acaac |
| SHA512 | cc1aa5670e0a2ac5f113edab1aa3d73d502b438f34d25b7a0395c7dabf09179095196b7fba6feb03bed54990f1bfe328e61587c15322f02967c547dc94bf60de |
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
| MD5 | ccd82c3f02ad700de067ef1c400ea014 |
| SHA1 | 36490041e54117a12ef8b3cc84f14772ab5fc9b1 |
| SHA256 | e6f287dd05e0bd672c5068efe8fa0fa743bc94ebb53aa1f44262ec2198bc0d44 |
| SHA512 | e07ea144348f324cf2f45d57aac9ffa6d36c7d45e24e461cb37b502814d0319b8c7b0841d4f8579d396c256949819f783fe56d981a4cb53805f2328afee3bb94 |