Malware Analysis Report

2025-01-06 07:35

Sample ID 240613-fkd9wavejf
Target 8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096
SHA256 8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096
Tags
evasion
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096

Threat Level: Likely malicious

The file 8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096 was found to be: Likely malicious.

Malicious Activity Summary

evasion

Looks for VirtualBox Guest Additions in registry

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:55

Reported

2024-06-13 04:58

Platform

win7-20240611-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe

"C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 config.yunjiasu.kkidc.com udp
US 8.8.8.8:53 config.yunjiasu.kkidc.com udp
US 8.8.8.8:53 config.yunjiasu.kkidc.com udp
CN 45.117.11.105:9501 config.yunjiasu.kkidc.com tcp
CN 45.117.11.105:9501 config.yunjiasu.kkidc.com tcp
CN 45.117.11.105:9501 config.yunjiasu.kkidc.com tcp
CN 110.80.137.104:9501 tcp
CN 110.80.137.104:9501 tcp
US 8.8.8.8:53 httpbin.org udp
US 3.213.1.197:80 httpbin.org tcp
US 8.8.8.8:53 config.yunjiasu.kkidc.com udp
CN 45.117.11.211:31710 tcp
CN 110.80.134.123:37610 tcp
CN 45.117.11.54:52730 tcp
CN 45.117.11.105:9501 config.yunjiasu.kkidc.com tcp
CN 45.251.9.148:54274 tcp
CN 103.88.32.69:23447 tcp
CN 45.248.10.79:50878 tcp
US 8.8.8.8:53 config.yunjiasu.kkidc.com udp

Files

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 b3dab564fa8b30d76dac3736c7bd4dd5
SHA1 e16cd7c511b5957ff98cf11fd25fc1f6b33a19c9
SHA256 69d8fbb0862f6b8fd26d3ae4e7cee8870db1c1e77f8e318a055e5230b06664d7
SHA512 38f2e0a7f23a2ea7a0db6996371d44349ee223a45390d1ac0670afdd59731236c797ab017d9c0abd7f38d6cb07a5ea0b2a773b1974a90e383c6e15ff864f9f3f

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 1e0462f8667ab3d0f419e75ae2ca34de
SHA1 a62cad3c0be15c95cbef9647eb625985b16804fc
SHA256 d03127be49d46407b43b22101c6a44a102f4e6f935f323f4e39829553abc6047
SHA512 d613e70e79142ca811f1d143f0b77075c1a4939504786bb46b5ba09f262450f4840bc9beaf5d3fc1ae3a4266ec7633ba7d57be8fe879dce29e00ec1d1067d8de

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 3b8f03e5b1e4f186ec2864c110396aac
SHA1 a35bd8e145ea93cb8bfd5c11dcda0a75b00ab99d
SHA256 6fa33b9fa8301c6a67d38c5f28420f01a6d508c5e2f271c24132b181d7d236ff
SHA512 f79e9f883115555f2bc27e2840ceadf85c7bad29008fded804d6d191d98136565c886405c508f10bd432ca0ba044a1c805447b8ca8bb4512907e3e8b2d055f1f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:55

Reported

2024-06-13 04:58

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe

"C:\Users\Admin\AppData\Local\Temp\8471996102a039a0e3f9ade991b175cf92147f35c9e417224e557424b5b65096.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 config.yunjiasu.kkidc.com udp
CN 110.80.137.104:9501 tcp
CN 110.80.137.104:9501 tcp
CN 110.80.137.104:9501 tcp
US 8.8.8.8:53 httpbin.org udp
US 8.8.8.8:53 config.yunjiasu.kkidc.com udp
CN 45.117.11.211:31710 tcp
CN 110.80.134.123:37610 tcp
CN 45.117.11.54:52730 tcp
CN 110.80.137.104:9501 tcp
CN 110.80.137.104:9501 tcp

Files

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 7b4a80f2db3d4c301dad14a6b44c2d32
SHA1 455189432a9448387b837ae452f5d95a9f66e9ab
SHA256 ec953e6134a4f63ac49dc7d42d163c750e4291b42138f7959693620942bbe6eb
SHA512 85eba3931cfa0b1f5fedfd81f2dba44e8bc1f99dbfe0436a011357d7094ef7233b5f9d5594055180dad68045cef3ed59d3c336c1725d5ef19c10e7c8d375e832

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 009a3169a3ab481bea32561f798c421a
SHA1 453a56f293548002108b939d5015f86240ca08e5
SHA256 aa98158015297fd33ace8a4e8f95efbedff28b6bc992406af27c36c4367acaac
SHA512 cc1aa5670e0a2ac5f113edab1aa3d73d502b438f34d25b7a0395c7dabf09179095196b7fba6feb03bed54990f1bfe328e61587c15322f02967c547dc94bf60de

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

MD5 ccd82c3f02ad700de067ef1c400ea014
SHA1 36490041e54117a12ef8b3cc84f14772ab5fc9b1
SHA256 e6f287dd05e0bd672c5068efe8fa0fa743bc94ebb53aa1f44262ec2198bc0d44
SHA512 e07ea144348f324cf2f45d57aac9ffa6d36c7d45e24e461cb37b502814d0319b8c7b0841d4f8579d396c256949819f783fe56d981a4cb53805f2328afee3bb94