Analysis Overview
SHA256
59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6
Threat Level: Likely malicious
The file 59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6 was found to be: Likely malicious.
Malicious Activity Summary
detect oss ak
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-25 23:51
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 23:51
Reported
2024-06-25 23:53
Platform
win10v2004-20240611-en
Max time kernel
134s
Max time network
151s
Command Line
Signatures
detect oss ak
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe
"C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.leyi.la | udp |
| HK | 101.32.10.154:443 | www.leyi.la | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.10.32.101.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.leyi.la | udp |
| HK | 101.32.10.154:443 | www.leyi.la | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\libmySQL.dll
| MD5 | 3f28377bfd63d619fda60a7603815045 |
| SHA1 | 371a0d14786d58e0fa0da6828dbba74f8ae3fe01 |
| SHA256 | ac370863f8028f5ea32f51441f20f3c5b6f67ec338c7ff2ed4709e3939dad3fb |
| SHA512 | f2a24659871013173645f475a6e650cfc6c48a06af9fdefd5b5733996b6eba31f2151957b3f193183b3a07b811a61ed2ea6bc8f55cba40e0ed05013a56d24dd0 |
C:\Users\Admin\AppData\Local\Temp\libcurl.dll
| MD5 | cc73654317d0e52553f1f9e1bdbbc2f0 |
| SHA1 | 8fe1fc72da9599a59392ea784fc89101a8057468 |
| SHA256 | 3baf364955a64581f8984c9c76ca68a9a104f6747ee00fd2d2033a29edc84cbb |
| SHA512 | 35fa5c4ff9386c71403f74a4f6517bf6b31da264f56472ff58666e4617b75a86f0cd523e9460c3bafca7b04c6345d887982bec2b630ad214b79227a209f941d5 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 23:51
Reported
2024-06-25 23:53
Platform
win7-20240611-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
detect oss ak
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe
"C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.leyi.la | udp |
| HK | 101.32.10.154:443 | www.leyi.la | tcp |
| HK | 101.32.10.154:443 | www.leyi.la | tcp |
| US | 8.8.8.8:53 | www.leyi.la | udp |
| HK | 101.32.10.154:443 | www.leyi.la | tcp |
Files
\Users\Admin\AppData\Local\Temp\libmySQL.dll
| MD5 | 3f28377bfd63d619fda60a7603815045 |
| SHA1 | 371a0d14786d58e0fa0da6828dbba74f8ae3fe01 |
| SHA256 | ac370863f8028f5ea32f51441f20f3c5b6f67ec338c7ff2ed4709e3939dad3fb |
| SHA512 | f2a24659871013173645f475a6e650cfc6c48a06af9fdefd5b5733996b6eba31f2151957b3f193183b3a07b811a61ed2ea6bc8f55cba40e0ed05013a56d24dd0 |
\Users\Admin\AppData\Local\Temp\libcurl.dll
| MD5 | cc73654317d0e52553f1f9e1bdbbc2f0 |
| SHA1 | 8fe1fc72da9599a59392ea784fc89101a8057468 |
| SHA256 | 3baf364955a64581f8984c9c76ca68a9a104f6747ee00fd2d2033a29edc84cbb |
| SHA512 | 35fa5c4ff9386c71403f74a4f6517bf6b31da264f56472ff58666e4617b75a86f0cd523e9460c3bafca7b04c6345d887982bec2b630ad214b79227a209f941d5 |