Analysis Overview
SHA256
caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d
Threat Level: Shows suspicious behavior
The file caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d was found to show suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Loads dropped DLL
VMProtect packed file
Unsigned PE
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 02:55
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 02:55
Reported
2024-06-26 02:57
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d.exe
"C:\Users\Admin\AppData\Local\Temp\caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d.exe"
Network
Files
memory/1752-0-0x0000000000400000-0x0000000000942000-memory.dmp
memory/1752-1-0x0000000000400000-0x0000000000942000-memory.dmp
\Users\Admin\AppData\Local\Temp\WebView2Plus.dll
| MD5 | 337bf675156972d0a411f98b89c4e6d4 |
| SHA1 | af8970a8371a654eb050f7137e09290c821a343c |
| SHA256 | f5f64770796dd00684cc5cf0dc7543e856bad94539eaedc4e78308bedf8161e6 |
| SHA512 | e6f16bcff528ae1f733c1b4117b291baa83dfba1e9c50bf893bdf5aef6898ce68a2ceb71815e8a1c7cf09b9a5ea28d7e54bb41f1a8a0e49abfac221a4338aea6 |
memory/1752-6-0x0000000010000000-0x000000001034E000-memory.dmp
\Users\Admin\AppData\Local\Temp\ee\Plugins\rdjson.dll
| MD5 | 2244857ed4d33e3ab8b32c1a09eaff39 |
| SHA1 | 9af9d5bc1be9c202471075b5222500c409428fd0 |
| SHA256 | e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d |
| SHA512 | c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590 |
\Users\Admin\AppData\Local\Temp\hps4c.dll
| MD5 | 6637599f87ab11b6238f2f24c55797fc |
| SHA1 | a84090bed39c91503300ab3bd78883001bf71aac |
| SHA256 | 65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac |
| SHA512 | 8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828 |
memory/1752-16-0x0000000074100000-0x0000000074338000-memory.dmp
\Users\Admin\AppData\Local\Temp\WebView2.dll
| MD5 | 13a4b646059bc118c66f81f1db2e1f9a |
| SHA1 | d4a3115e1138642b92f4820c90e664130c9dbf14 |
| SHA256 | b3dcc68d2cd416de319174efba31b261a7c434ae42b215c4f5349a1f65ca9501 |
| SHA512 | 4ebf92d46bdf44309e95415b008edfa3fcbbcdf3470087701357e9cf2ccdf84a4a8a1ff123fd4979c69eeb19b8792ddf790888b84b9794e382f2f133ed569b0d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 02:55
Reported
2024-06-26 02:57
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
98s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d.exe
"C:\Users\Admin\AppData\Local\Temp\caafa5718b0480fad2d28e9824e16388117cf54124cc784057fced4a944ad94d.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netstat -ano | find ":41200 "
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
C:\Windows\SysWOW64\find.exe
find ":41200 "
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netstat -ano | find ":41300 "
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
C:\Windows\SysWOW64\find.exe
find ":41300 "
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netstat -ano | find ":41101 "
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
C:\Windows\SysWOW64\find.exe
find ":41101 "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:41101 | N/A | tcp |
| N/A | 127.0.0.1:41101 | N/A | tcp |
| N/A | 127.0.0.1:41101 | N/A | tcp |
| N/A | 127.0.0.1:41101 | N/A | tcp |
| N/A | 127.0.0.1:41101 | N/A | tcp |
| N/A | 127.0.0.1:41101 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/2724-0-0x0000000000400000-0x0000000000942000-memory.dmp
memory/2724-1-0x0000000000400000-0x0000000000942000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WebView2Plus.dll
| MD5 | 337bf675156972d0a411f98b89c4e6d4 |
| SHA1 | af8970a8371a654eb050f7137e09290c821a343c |
| SHA256 | f5f64770796dd00684cc5cf0dc7543e856bad94539eaedc4e78308bedf8161e6 |
| SHA512 | e6f16bcff528ae1f733c1b4117b291baa83dfba1e9c50bf893bdf5aef6898ce68a2ceb71815e8a1c7cf09b9a5ea28d7e54bb41f1a8a0e49abfac221a4338aea6 |
memory/2724-7-0x0000000010000000-0x000000001034E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ee\Plugins\rdjson.dll
| MD5 | 2244857ed4d33e3ab8b32c1a09eaff39 |
| SHA1 | 9af9d5bc1be9c202471075b5222500c409428fd0 |
| SHA256 | e345f88529b2337bb2719550985a049c61a6bca84c113c7b07f7ec5313446f7d |
| SHA512 | c88af689b603c22dac0be5cdb0922d0bb58325ee57d736b6fa090e967704edb5fa535100149fd5d02ac764ab32b0ccea99310dd28101ffc907a58414e8867590 |
C:\Users\Admin\AppData\Local\Temp\hps4c.dll
| MD5 | 6637599f87ab11b6238f2f24c55797fc |
| SHA1 | a84090bed39c91503300ab3bd78883001bf71aac |
| SHA256 | 65e65ccfe5b7fc075e06a5cf58507253a92dd9b7ab7a1a2b9e6b31fe7810e6ac |
| SHA512 | 8edecfb2ac6865bd3886f5ff77c78ccd44a4362d2305b69397526a1e463207430bd838d390979cbdc498040a2fbca21ccdab679df506efec07be400f6b42d828 |
memory/2724-19-0x00000000750A0000-0x00000000752D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WebView2.dll
| MD5 | 13a4b646059bc118c66f81f1db2e1f9a |
| SHA1 | d4a3115e1138642b92f4820c90e664130c9dbf14 |
| SHA256 | b3dcc68d2cd416de319174efba31b261a7c434ae42b215c4f5349a1f65ca9501 |
| SHA512 | 4ebf92d46bdf44309e95415b008edfa3fcbbcdf3470087701357e9cf2ccdf84a4a8a1ff123fd4979c69eeb19b8792ddf790888b84b9794e382f2f133ed569b0d |