Analysis Overview
SHA256
05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511
Threat Level: Shows suspicious behavior
The file 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-26 08:17
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 08:17
Reported
2024-06-26 08:20
Platform
win10v2004-20240508-en
Max time kernel
40s
Max time network
49s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4764 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe |
| PID 4764 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe |
| PID 4764 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
"C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"
C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | os.ljq520.top | udp |
| US | 8.8.8.8:53 | os.ieycc.com | udp |
| US | 8.8.8.8:53 | os.ieycc.com | udp |
Files
memory/4764-1-0x00000000026F0000-0x00000000026F1000-memory.dmp
memory/4764-0-0x0000000002170000-0x0000000002171000-memory.dmp
memory/4764-8-0x0000000000EC4000-0x0000000001461000-memory.dmp
memory/4764-6-0x0000000002760000-0x0000000002761000-memory.dmp
memory/4764-5-0x0000000002750000-0x0000000002751000-memory.dmp
memory/4764-4-0x0000000002740000-0x0000000002741000-memory.dmp
memory/4764-3-0x0000000002730000-0x0000000002731000-memory.dmp
memory/4764-2-0x0000000002720000-0x0000000002721000-memory.dmp
memory/4764-11-0x0000000000400000-0x0000000002111000-memory.dmp
memory/4764-12-0x0000000000400000-0x0000000002111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
| MD5 | 7d4c68203073898e59c1f60d3506bee0 |
| SHA1 | d59ebbc985a569f92f79d9496f7bddb1d35f6885 |
| SHA256 | 6fd5db61455d99800b2eccd8b1176fa9809207c3c50d1f42da5146806909b4fd |
| SHA512 | ee931d036fa644ae2918acf8186feab3698eac49f0f44059cc2b4f987113a2f1ccd1a51189d2ba6ddead7059ad673225fdd8d665317c1d85a861b42261f576d0 |
memory/4744-19-0x00000000022B0000-0x00000000022B1000-memory.dmp
memory/4744-18-0x0000000002290000-0x0000000002291000-memory.dmp
memory/4744-24-0x0000000002630000-0x0000000002631000-memory.dmp
memory/4744-23-0x0000000002620000-0x0000000002621000-memory.dmp
memory/4744-22-0x0000000002600000-0x0000000002601000-memory.dmp
memory/4744-21-0x00000000025F0000-0x00000000025F1000-memory.dmp
memory/4744-20-0x00000000025E0000-0x00000000025E1000-memory.dmp
memory/4744-28-0x0000000000400000-0x0000000002111000-memory.dmp
memory/4764-29-0x0000000000EC4000-0x0000000001461000-memory.dmp
memory/4764-30-0x0000000000400000-0x0000000002111000-memory.dmp
C:\Users\Admin\AppData\Roaming\testing.dat
| MD5 | 22ec14d2b15f50d872a9befc5fdf4ad4 |
| SHA1 | f4347c8222b62b152608baeebe54776ad9cde997 |
| SHA256 | b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590 |
| SHA512 | 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240 |
memory/4744-37-0x0000000073B00000-0x0000000073E2D000-memory.dmp
memory/4744-41-0x0000000000400000-0x0000000002111000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 08:17
Reported
2024-06-26 08:20
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2928 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe |
| PID 2928 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe |
| PID 2928 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe |
| PID 2928 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe | C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
"C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"
C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe
C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | os.ljq520.top | udp |
| CN | 120.27.243.153:32520 | os.ljq520.top | tcp |
| CN | 120.27.243.153:32520 | os.ljq520.top | tcp |
| CN | 120.27.243.153:32520 | os.ljq520.top | tcp |
| US | 8.8.8.8:53 | os.ieycc.com | udp |
Files
memory/2928-4-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2928-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2928-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2928-34-0x0000000002140000-0x0000000002141000-memory.dmp
memory/2928-38-0x0000000000EC4000-0x0000000001461000-memory.dmp
memory/2928-32-0x0000000002140000-0x0000000002141000-memory.dmp
memory/2928-30-0x0000000002140000-0x0000000002141000-memory.dmp
memory/2928-29-0x0000000002130000-0x0000000002131000-memory.dmp
memory/2928-27-0x0000000002130000-0x0000000002131000-memory.dmp
memory/2928-24-0x0000000002120000-0x0000000002121000-memory.dmp
memory/2928-22-0x0000000002120000-0x0000000002121000-memory.dmp
memory/2928-19-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2928-17-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2928-14-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2928-12-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2928-9-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2928-7-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2928-5-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2928-35-0x0000000000400000-0x0000000002111000-memory.dmp
memory/2928-39-0x0000000000400000-0x0000000002111000-memory.dmp
memory/2928-40-0x0000000000400000-0x0000000002111000-memory.dmp
\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe
| MD5 | d1e2e748ba78e4c436446cbf36076c8b |
| SHA1 | 6d263a24bd30f46fb1a97e1ea312359b3c364cc3 |
| SHA256 | 4b2b52e82a6415c8c6a22cf67ed26b37a07c0934386a8d712397b6e5b699773a |
| SHA512 | fafdfaabec86cad43c76234baa76ea8ebd3cd9d588a28d0ab7b598af8b4089ec488a4e3f111139c8327080023c4f2f537f4261e014dd96b2331e0b3bfb7abc6b |
memory/2460-71-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2460-69-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2460-66-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2460-64-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2460-61-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2460-59-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2928-85-0x0000000000EC4000-0x0000000001461000-memory.dmp
memory/2928-86-0x0000000000400000-0x0000000002111000-memory.dmp
\Users\Admin\AppData\Roaming\testing.dat
| MD5 | 22ec14d2b15f50d872a9befc5fdf4ad4 |
| SHA1 | f4347c8222b62b152608baeebe54776ad9cde997 |
| SHA256 | b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590 |
| SHA512 | 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240 |