Analysis Overview
SHA256
f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de
Threat Level: Shows suspicious behavior
The file f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Drops file in Windows directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-26 02:23
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 02:23
Reported
2024-06-26 02:25
Platform
win7-20240611-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe
"C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipe.exejm.com | udp |
| CN | 112.192.20.93:5006 | ipe.exejm.com | tcp |
| CN | 112.192.20.93:5007 | ipe.exejm.com | tcp |
| CN | 112.192.20.93:5008 | ipe.exejm.com | tcp |
| CN | 112.192.20.93:5009 | ipe.exejm.com | tcp |
Files
memory/1844-0-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1844-2-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1844-4-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1844-7-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1844-5-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1844-9-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1844-14-0x0000000000270000-0x0000000000271000-memory.dmp
memory/1844-12-0x0000000000270000-0x0000000000271000-memory.dmp
memory/1844-19-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1844-17-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1844-35-0x0000000000400000-0x0000000000C34000-memory.dmp
memory/1844-36-0x00000000006DE000-0x00000000008EB000-memory.dmp
memory/1844-34-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1844-32-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1844-30-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1844-29-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/1844-27-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/1844-24-0x0000000000290000-0x0000000000291000-memory.dmp
memory/1844-22-0x0000000000290000-0x0000000000291000-memory.dmp
memory/1844-40-0x00000000025E0000-0x000000000271C000-memory.dmp
memory/3284-721-0x0000000002D90000-0x0000000002D91000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 02:23
Reported
2024-06-26 02:24
Platform
win10v2004-20240508-en
Max time kernel
47s
Max time network
48s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\2229298842\1183240423.pri | C:\Windows\system32\LogonUI.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe
"C:\Users\Admin\AppData\Local\Temp\f9f580363bdf065e28af50a6a961c0320d241689c2c557d178e383af83c369de.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3997055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipe.exejm.com | udp |
| US | 8.8.8.8:53 | ipe.exejm.com | udp |
| US | 8.8.8.8:53 | ipe.exejm.com | udp |
Files
memory/1360-0-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/1360-1-0x0000000000E10000-0x0000000000E11000-memory.dmp
memory/1360-2-0x0000000000E20000-0x0000000000E21000-memory.dmp
memory/1360-4-0x0000000000E60000-0x0000000000E61000-memory.dmp
memory/1360-3-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/1360-7-0x0000000001410000-0x0000000001411000-memory.dmp
memory/1360-6-0x00000000006DE000-0x00000000008EB000-memory.dmp
memory/1360-5-0x0000000001400000-0x0000000001401000-memory.dmp
memory/1360-12-0x0000000000400000-0x0000000000C34000-memory.dmp
memory/1360-13-0x0000000002C10000-0x0000000002D4C000-memory.dmp
memory/1360-14-0x0000000002C10000-0x0000000002D4C000-memory.dmp
memory/1360-1663-0x0000000000400000-0x0000000000C34000-memory.dmp