Analysis Overview
SHA256
5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2
Threat Level: Likely malicious
The file 5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
VMProtect packed file
Loads dropped DLL
Modifies file permissions
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 04:51
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 04:51
Reported
2024-06-26 04:54
Platform
win7-20240611-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 852 set thread context of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe
"C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c icacls C:\Windows\apppatch\svchost.sdb /grant everyone:(F,GA) SYSTEM:(F,GA) administrators:(F,GA) users:(F,GA) /q /c
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib C:\Windows\AppPatch\svchost.sdb -r -s -h
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\apppatch\svchost.sdb /grant everyone:(F,GA) SYSTEM:(F,GA) administrators:(F,GA) users:(F,GA) /q /c
C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\AppPatch\svchost.sdb -r -s -h
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | mmmmm999.oss-cn-hangzhou.aliyuncs.com | udp |
| CN | 118.31.232.17:80 | mmmmm999.oss-cn-hangzhou.aliyuncs.com | tcp |
| N/A | 127.0.59.227:9999 | N/A | tcp |
| US | 8.8.8.8:53 | nnntttbbb.oss-cn-hangzhou.aliyuncs.com | udp |
| CN | 118.31.232.13:443 | nnntttbbb.oss-cn-hangzhou.aliyuncs.com | tcp |
| CN | 118.31.232.13:443 | nnntttbbb.oss-cn-hangzhou.aliyuncs.com | tcp |
Files
memory/852-0-0x0000000000400000-0x0000000001052000-memory.dmp
memory/852-7-0x00000000772B0000-0x00000000772B1000-memory.dmp
memory/852-3-0x00000000778C0000-0x00000000778C1000-memory.dmp
memory/852-1-0x00000000778C0000-0x00000000778C1000-memory.dmp
memory/852-9-0x0000000000400000-0x0000000001052000-memory.dmp
memory/852-11-0x00000000772B0000-0x00000000772B1000-memory.dmp
memory/852-15-0x00000000778C0000-0x00000000778C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ISocket.dll
| MD5 | 6db6dcfe126984a341cecfc5be783f48 |
| SHA1 | 98309871ad417694bafd93d44eb71180b79cdd45 |
| SHA256 | 8adf02829208ea32bdb377e8fccfd106393611e9425d980ce39a8dac17150dac |
| SHA512 | d4848676f2eb202ccc8f56f8389c53db0335f0ccc99ec4481e1c9978c2664519a0ffad0e8b53cc0bb56ae7ddf1cd041e225200b807a5808027c863d8094fcdc3 |
memory/2400-18-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2400-31-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2400-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2400-34-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2400-28-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2400-25-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2400-22-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2400-21-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2400-38-0x0000000000400000-0x000000000043B000-memory.dmp
memory/852-40-0x0000000000400000-0x0000000001052000-memory.dmp
memory/852-44-0x0000000000400000-0x0000000001052000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 04:51
Reported
2024-06-26 04:54
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3040 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3040 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3040 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe
"C:\Users\Admin\AppData\Local\Temp\5942accde84039e47a47827e46ece7b15986d1887833279d1ecaa31071b579c2.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 127.0.59.227:9999 | N/A | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nnntttbbb.oss-cn-hangzhou.aliyuncs.com | udp |
| CN | 118.31.232.13:443 | nnntttbbb.oss-cn-hangzhou.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| CN | 118.31.232.13:443 | nnntttbbb.oss-cn-hangzhou.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/3040-0-0x0000000000400000-0x0000000001052000-memory.dmp
memory/3040-1-0x0000000000400000-0x0000000001052000-memory.dmp
memory/3040-3-0x0000000076FE0000-0x0000000076FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ISocket.dll
| MD5 | 6db6dcfe126984a341cecfc5be783f48 |
| SHA1 | 98309871ad417694bafd93d44eb71180b79cdd45 |
| SHA256 | 8adf02829208ea32bdb377e8fccfd106393611e9425d980ce39a8dac17150dac |
| SHA512 | d4848676f2eb202ccc8f56f8389c53db0335f0ccc99ec4481e1c9978c2664519a0ffad0e8b53cc0bb56ae7ddf1cd041e225200b807a5808027c863d8094fcdc3 |
memory/3040-9-0x0000000077950000-0x0000000077951000-memory.dmp
memory/3040-14-0x0000000000400000-0x0000000001052000-memory.dmp
memory/3040-15-0x0000000000400000-0x0000000001052000-memory.dmp