Malware Analysis Report

2024-09-09 12:20

Sample ID 240625-3v9j4atflp
Target 59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6
SHA256 59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6
Tags oss_ak upx
Score 9/10

Analysis Overview

Threat Level: Likely malicious

The file 59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6 was found to be: Likely malicious.

Malicious Activity Summary

oss_ak upx

detect oss ak

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-25 23:51

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-06-25 23:51

Reported 2024-06-25 23:53

Platform win7-20240611-en

Max time kernel 120s

Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe"

Signatures

detect oss ak

oss_ak

ACProtect 1.3x - 1.4x DLL software


UPX packed file

upx

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe

"C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.leyi.la udp
HK 101.32.10.154:443 www.leyi.la tcp
HK 101.32.10.154:443 www.leyi.la tcp
US 8.8.8.8:53 www.leyi.la udp
HK 101.32.10.154:443 www.leyi.la tcp

Files

\Users\Admin\AppData\Local\Temp\libmySQL.dll

MD5 3f28377bfd63d619fda60a7603815045
SHA1 371a0d14786d58e0fa0da6828dbba74f8ae3fe01
SHA256 ac370863f8028f5ea32f51441f20f3c5b6f67ec338c7ff2ed4709e3939dad3fb
SHA512 f2a24659871013173645f475a6e650cfc6c48a06af9fdefd5b5733996b6eba31f2151957b3f193183b3a07b811a61ed2ea6bc8f55cba40e0ed05013a56d24dd0

\Users\Admin\AppData\Local\Temp\libcurl.dll

MD5 cc73654317d0e52553f1f9e1bdbbc2f0
SHA1 8fe1fc72da9599a59392ea784fc89101a8057468
SHA256 3baf364955a64581f8984c9c76ca68a9a104f6747ee00fd2d2033a29edc84cbb
SHA512 35fa5c4ff9386c71403f74a4f6517bf6b31da264f56472ff58666e4617b75a86f0cd523e9460c3bafca7b04c6345d887982bec2b630ad214b79227a209f941d5

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-25 23:51

Reported 2024-06-25 23:53

Platform win10v2004-20240611-en

Max time kernel 134s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe"

Signatures

detect oss ak

oss_ak

ACProtect 1.3x - 1.4x DLL software


UPX packed file

upx

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe

"C:\Users\Admin\AppData\Local\Temp\59c882714ebbe3113113ea323aae6fc0460d0af2af046972a6383597c0e4aef6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.leyi.la udp
HK 101.32.10.154:443 www.leyi.la tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.10.32.101.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.leyi.la udp
HK 101.32.10.154:443 www.leyi.la tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\libmySQL.dll

MD5 3f28377bfd63d619fda60a7603815045
SHA1 371a0d14786d58e0fa0da6828dbba74f8ae3fe01
SHA256 ac370863f8028f5ea32f51441f20f3c5b6f67ec338c7ff2ed4709e3939dad3fb
SHA512 f2a24659871013173645f475a6e650cfc6c48a06af9fdefd5b5733996b6eba31f2151957b3f193183b3a07b811a61ed2ea6bc8f55cba40e0ed05013a56d24dd0

C:\Users\Admin\AppData\Local\Temp\libcurl.dll

MD5 cc73654317d0e52553f1f9e1bdbbc2f0
SHA1 8fe1fc72da9599a59392ea784fc89101a8057468
SHA256 3baf364955a64581f8984c9c76ca68a9a104f6747ee00fd2d2033a29edc84cbb
SHA512 35fa5c4ff9386c71403f74a4f6517bf6b31da264f56472ff58666e4617b75a86f0cd523e9460c3bafca7b04c6345d887982bec2b630ad214b79227a209f941d5