Analysis Overview
SHA256
2f78e9f4886465f1abd7e6d24781ee927a8691639d51d77388a43d465c5291a3
Threat Level: Shows suspicious behavior
The file Malaka_Executor_V4.2.rar was found to show suspicious behavior. The summary below aggregates signatures from every detonation, so read it against the per-run details: FindShellTrayWindow, SendNotifyMessage, AddClipboardFormatListener and GetForegroundWindowSpam were raised in behavioral1 by vlc.exe, which the sandbox launched through OpenWith.exe to handle the .rar, so they describe VLC rather than the sample. Both WriteProcessMemory hits are a parent (cmd.exe, OpenWith.exe) writing into a child it had just started, which is consistent with ordinary process creation rather than injection. The notepad signature is cmd /c opening Readme.txt from the archive; the "likely ransom note" label is the sandbox heuristic, not something this report's data confirms. The findings that concern the sample itself are the Themida-packed, unsigned "Malaka Executor (2).exe" (SeDebugPrivilege request, DNS lookup of gateway.discord.gg in behavioral3) and "Malaka Api.dll" loaded via rundll32 in behavioral2.
Malicious Activity Summary
Themida packer
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 14:27
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
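The static1 result above is the sandbox's packer verdict. As an added check that is not part of this report, the following Python walks a PE's section table and flags the traits that usually accompany Themida and similar protectors: known packer section names, near-8-bit entropy, writable+executable sections, and large sections with no data on disk. The sample itself is not reproduced here, so the script builds a small constructed PE32+ image in memory to run against; the names in PACKER_SECTION_NAMES are common packer defaults but the list is an assumption and not exhaustive.

```python
import hashlib
import math
import struct

# Section names commonly left by packers/protectors (assumption: short, non-exhaustive;
# Themida/WinLicense builds usually carry the first two).
PACKER_SECTION_NAMES = {b".themida", b".winlice", b".vmp0", b".vmp1",
                        b"UPX0", b"UPX1", b".aspack", b".adata"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; values near 8.0 mean compressed or encrypted content."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[rawptr:rawptr + rawsize]
        out.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                    "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(raw)})
    return out


def packer_indicators(sections: list) -> list:
    """Human-readable reasons the image looks packed; empty list means nothing tripped."""
    hits = []
    for s in sections:
        n = s["name"].decode("latin-1")
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{n}: known packer section name")
        if s["entropy"] > 7.0 and s["rawsize"] >= 0x400:
            hits.append(f"{n}: entropy {s['entropy']:.2f}")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{n}: section is writable and executable")
        if s["rawsize"] == 0 and s["vsize"] >= 0x10000:
            hits.append(f"{n}: {s['vsize']:#x} bytes virtual, nothing on disk (unpack target)")
    return hits


def build_constructed_pe(specs: list) -> bytes:
    """Minimal PE32+ from (name, raw_bytes, virtual_size, characteristics) tuples.
    Constructed for this example only; it is not the sample from the report."""
    e_lfanew = 0x40
    opt = struct.pack("<H", 0x20B) + b"\0" * 238            # PE32+ magic, rest zeroed
    hdr_len = e_lfanew + 4 + 20 + len(opt) + 40 * len(specs)
    first_raw = (hdr_len + 0x1FF) // 0x200 * 0x200           # 0x200 file alignment
    rawptr, vaddr, table, body = first_raw, 0x1000, b"", b""
    for name, raw, vsize, chars in specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rawptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        rawptr += len(raw)
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    coff = struct.pack("<HHIIIHH", 0x8664, len(specs), 0, 0, 0, len(opt), 0x2022)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    head = dos + b"PE\0\0" + coff + opt + table
    return head.ljust(first_raw, b"\0") + body


def demo_sections() -> list:
    """Constructed image: plain code, a Themida-style packed blob, and an empty unpack area."""
    code = b"\x48\x89\x5c\x24\x08" * 0x200                   # repetitive, low entropy
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(256))
    img = build_constructed_pe([
        (b".text", code, len(code), IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".themida", blob, 0x300000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".boot", b"", 0x200000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    ])
    return pe_sections(img)


if __name__ == "__main__":
    for hit in packer_indicators(demo_sections()):
        print(hit)
```

To use it on a real extracted PE, read the file into `data` and call `packer_indicators(pe_sections(data))`; a Themida-protected executable typically trips the section-name, entropy and write+execute rules together, while a single high-entropy `.rsrc` on its own is usually just embedded compressed resources.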
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 14:27
Reported
2024-06-15 14:30
Platform
win11-20240508-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Malaka Executor (2).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Malaka Executor (2).exe
"C:\Users\Admin\AppData\Local\Temp\Malaka Executor (2).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1444-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp
memory/1444-1-0x000002E128D10000-0x000002E128DAA000-memory.dmp
memory/1444-2-0x000002E129460000-0x000002E12949E000-memory.dmp
memory/1444-3-0x000002E1294A0000-0x000002E1294A6000-memory.dmp
memory/1444-4-0x000002E143640000-0x000002E143802000-memory.dmp
memory/1444-5-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/1444-6-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-15 14:27
Reported
2024-06-15 14:30
Platform
win11-20240508-en
Max time kernel
131s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1448 wrote to memory of 4780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 1448 wrote to memory of 4780 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Readme.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Readme.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 14:27
Reported
2024-06-15 14:30
Platform
win11-20240508-en
Max time kernel
98s
Max time network
110s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1208 wrote to memory of 4284 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 1208 wrote to memory of 4284 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Malaka_Executor_V4.2.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Malaka_Executor_V4.2.rar"
Network
| Country | Destination | Domain | Proto |
| GB | 88.221.135.16:443 | N/A | tcp |
| GB | 95.101.143.219:443 | N/A | tcp |
| GB | 88.221.135.11:443 | N/A | tcp |
| GB | 88.221.135.27:443 | N/A | tcp |
| GB | 88.221.134.249:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
| MD5 | 7fa148995311365735f6833f7c2ece08 |
| SHA1 | aa5b41b83798245a6cbdf07030baf5a2f6c19786 |
| SHA256 | 494cc65065d6e4e0faf7590319aab632c9920918001da72234203c8249be068b |
| SHA512 | 397a3ddd255bbe14932a0370fc8366dc70ea4376fffc65a8f7339b1b4559347219c0c4e29c4fa31b3ea8d0a17aee1852993054d2e2745b79b6b1f4e823fe65f8 |
memory/4284-24-0x00007FFB84C40000-0x00007FFB84C74000-memory.dmp
memory/4284-23-0x00007FF69FCF0000-0x00007FF69FDE8000-memory.dmp
memory/4284-25-0x00007FFB72D80000-0x00007FFB73036000-memory.dmp
memory/4284-26-0x00007FFB71AA0000-0x00007FFB72B50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 14:27
Reported
2024-06-15 14:30
Platform
win11-20240508-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Malaka Api.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3252-0-0x0000000180000000-0x0000000180C44000-memory.dmp
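The memory dump names in the behavioral3, behavioral1 and behavioral2 "Files" listings above encode PID, dump index and the start/end address of each captured region. As an added helper that is not part of this report, the Python below parses those names, drops repeated regions (the 1444-5 / 1444-6 pair is the same range twice), computes sizes, and picks the largest dump per process, which is normally the one to open first when unpacking. The single fact it relies on beyond the report is that 0x180000000 is the default ImageBase MSVC assigns to x64 DLLs, so the rundll32 dump starting exactly there is most likely Malaka Api.dll mapped without relocation. The PID 4284 dumps belong to vlc.exe, so they are sandbox noise and are included only to show the grouping.

```python
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default ImageBase MSVC gives x64 DLLs; a dump starting exactly here is usually the
# DLL image mapped at its preferred base with no relocation applied.
X64_DLL_DEFAULT_BASE = 0x180000000

# Dump names copied from the report's Files sections (behavioral3, behavioral1, behavioral2).
REPORT_DUMPS = """
memory/1444-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp
memory/1444-1-0x000002E128D10000-0x000002E128DAA000-memory.dmp
memory/1444-2-0x000002E129460000-0x000002E12949E000-memory.dmp
memory/1444-3-0x000002E1294A0000-0x000002E1294A6000-memory.dmp
memory/1444-4-0x000002E143640000-0x000002E143802000-memory.dmp
memory/1444-5-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/1444-6-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/4284-24-0x00007FFB84C40000-0x00007FFB84C74000-memory.dmp
memory/4284-23-0x00007FF69FCF0000-0x00007FF69FDE8000-memory.dmp
memory/4284-25-0x00007FFB72D80000-0x00007FFB73036000-memory.dmp
memory/4284-26-0x00007FFB71AA0000-0x00007FFB72B50000-memory.dmp
memory/3252-0-0x0000000180000000-0x0000000180C44000-memory.dmp
""".split()


def parse_dumps(lines) -> list:
    """One record per unique (pid, start, end) region; names that do not match are skipped."""
    seen, regions = set(), []
    for line in lines:
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        pid, idx = int(m["pid"]), int(m["idx"])
        start, end = int(m["start"], 16), int(m["end"], 16)
        if (pid, start, end) in seen:
            continue
        seen.add((pid, start, end))
        regions.append({"pid": pid, "idx": idx, "start": start, "end": end, "size": end - start})
    return regions


def describe(region: dict) -> str:
    """Short triage note for a region: size plus the default-DLL-base hint when it applies."""
    notes = []
    if region["start"] == X64_DLL_DEFAULT_BASE:
        notes.append("at default x64 DLL ImageBase (likely the DLL image itself)")
    if region["size"] >= 1 << 20:
        notes.append(f"{region['size'] / (1 << 20):.1f} MiB")
    else:
        notes.append(f"{region['size'] // 1024} KiB")
    return "; ".join(notes)


def largest_per_pid(regions: list) -> dict:
    """Map pid -> the biggest captured region for that process."""
    best = {}
    for r in regions:
        if r["pid"] not in best or r["size"] > best[r["pid"]]["size"]:
            best[r["pid"]] = r
    return best


if __name__ == "__main__":
    regions = parse_dumps(REPORT_DUMPS)
    for pid, r in sorted(largest_per_pid(regions).items()):
        print(f"pid {pid}: dump {r['idx']} {r['start']:#x}-{r['end']:#x} -> {describe(r)}")
```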