Analysis Overview
SHA256
82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05
Threat Level: Shows suspicious behavior
The file 82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05 was classified as showing suspicious behavior; no specific malware family was identified.
Malicious Activity Summary
VMProtect packed file
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 07:45
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
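Both static signatures above (VMProtect packing and a missing Authenticode signature) can be reproduced from the PE headers alone. The following is an added example written for this page, not the sandbox's own detection code: it parses the section table, scores each section's entropy, looks for VMProtect's default `.vmp0`/`.vmp1` section names, and reports whether a security data directory (index 4) is present. The `build_pe` helper constructs a synthetic PE32 so the check runs offline; the section names, the 7.0-bit entropy threshold and the dummy certificate blob are assumptions for the demonstration.

```python
import math
import struct
from collections import Counter

FILE_ALIGN = 0x200
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode data directory (its "RVA" is a raw file offset)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted, plain x86 code is usually 5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_pe(sections: list[tuple[str, bytes]], signed: bool = False) -> bytes:
    """Constructed minimal PE32 for testing only; not a sample from this report."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0  # PE32 optional header with 16 data directories
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    size_of_headers = -(-headers_end // FILE_ALIGN) * FILE_ALIGN
    # lay section raw data out sequentially, each on a file-alignment boundary
    raw_ptr, table, blobs = size_of_headers, b"", b""
    for i, (name, payload) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(payload), 0x1000 * (i + 1),
                             len(payload), raw_ptr if payload else 0, 0, 0, 0, 0, 0x60000020)
        padded = payload.ljust(-(-len(payload) // FILE_ALIGN) * FILE_ALIGN, b"\x00")
        blobs += padded
        raw_ptr += len(padded)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)      # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    cert = b""
    if signed:
        # WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType) + dummy PKCS#7 body
        body = b"constructed-dummy-pkcs7-blob"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, raw_ptr, len(cert))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(size_of_headers, b"\x00")
    return headers + blobs + cert


def analyze_pe(data: bytes) -> dict:
    """Static triage: packer hints from the section table and Authenticode presence."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)  # data directories start later in PE32+
    sec_off, sec_len = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\x00").decode("latin-1")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {
        "sections": sections,
        "vmprotect_sections": [s["name"] for s in sections if s["name"].lower().startswith(".vmp")],
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] >= 7.0],
        # presence of a signature blob only; validity of the chain must be checked separately
        "has_authenticode": sec_off != 0 and sec_len != 0,
    }


if __name__ == "__main__":
    packed = build_pe([(".text", b"\x90" * 0x400), (".vmp0", b""), (".vmp1", bytes(range(256)) * 8)])
    print(analyze_pe(packed))
```

On a real file, replace `build_pe(...)` with `open(path, "rb").read()`. A VMProtect build with renamed sections escapes the name check but still shows up in `high_entropy_sections`, which is why both are reported; conversely `has_authenticode` only says a WIN_CERTIFICATE blob is attached, so an "Unsigned PE" verdict is reliable but a "signed" one still needs signtool or Get-AuthenticodeSignature to validate the chain.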
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 07:45
Reported
2024-06-26 07:48
Platform
win7-20231129-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe
"C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe"
Network
| Country | Destination | Domain | Proto |
| HK | 206.233.129.186:93 | 206.233.129.186 | tcp |
| US | 172.247.35.53:80 | 172.247.35.53 | tcp |
| CN | 183.60.107.153:81 | | tcp |
| CN | 183.60.107.153:81 | | tcp |
Files
memory/2988-0-0x000000000146A000-0x0000000001A0C000-memory.dmp
memory/2988-3-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2988-1-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2988-5-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2988-10-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2988-8-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2988-6-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2988-19-0x0000000001360000-0x0000000001D6C000-memory.dmp
\Users\Admin\AppData\Local\Temp\SWM_SETTINGS\Game_Assist.dll
| MD5 | ccdfb726cc8aebf76c9bc6f1341f5325 |
| SHA1 | 4ad4d1f3c0423ce7757062467ab87a4dc1d48536 |
| SHA256 | fdeefa724abb593832eccdd6beab4b4fc5f51b210dcbc936c642d94e1ae43bc9 |
| SHA512 | 66e53a5bcc6483c4f37d81379430b6e455931ae5c0e9561c16d908347af3021383c4aa2131ccffe9beaaba18599d5865efa3dfa2bbd427027261e27bf0e6a794 |
memory/2988-22-0x0000000001360000-0x0000000001D6C000-memory.dmp
memory/2988-23-0x0000000074200000-0x000000007424D000-memory.dmp
memory/2988-24-0x0000000074250000-0x000000007429D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SWM_SETTINGS\默认配置.ini
| MD5 | 94a515b306e6228e8ce1d1795b5faf02 |
| SHA1 | 5f6d4e1f6e98c0608805a6ead5c0a5d37205da86 |
| SHA256 | 65ba2da2aa325358c44b42b1b002ae6717507eefcb42f1fcca4f3c480a9cf182 |
| SHA512 | 8c84db3b0962af7af3a6a6ec842ec02cdaa9345749bfc1d839b6612dcd4b96e4a9ebbeab8afa7f7c24b242e9bfc1eae18b6689afb7ef071a89a22c3690099188 |
C:\Users\Admin\AppData\Local\Temp\SWM_SETTINGS\默认配置.ini
| MD5 | 502640b26b032cb3dfc9c3d27947280c |
| SHA1 | 2f6b99cb033a68411a04c2a6959a7907438a4d46 |
| SHA256 | 549b8c298bac30fed200a6e36a9499744d6231782481718fe28ba4e980c635f4 |
| SHA512 | 21c60a181566fb64306dfbec67d7e00e08d7747e0a5e059cd98966a5053f74a3293cdb7fcb4ad6297f138d6c06a0b4522edf7e038136f0520f8bcb4bf47d7f8d |
memory/2988-152-0x000000000146A000-0x0000000001A0C000-memory.dmp
memory/2988-153-0x0000000001360000-0x0000000001D6C000-memory.dmp
memory/2988-154-0x0000000074250000-0x000000007429D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 07:45
Reported
2024-06-26 07:48
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe
"C:\Users\Admin\AppData\Local\Temp\82dd41aabdd618e71c3220b4973e652f164f51f2ac59e575d8112e699b08cc05.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| HK | 206.233.129.186:93 | 206.233.129.186 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 172.247.35.53:80 | 172.247.35.53 | tcp |
| US | 8.8.8.8:53 | 186.129.233.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| BE | 88.221.83.211:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.35.247.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.83.221.88.in-addr.arpa | udp |
| CN | 183.60.107.153:81 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
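Most of the win10 Network table is resolver traffic, reverse-DNS lookups and Bing/Windows background requests; the connections worth acting on are the ones that recur in both detonations. The following is an added example (not the sandbox's own logic) that parses the rows of the two Network tables above, drops that noise, intersects the remaining destinations across runs, and flags direct-IP destinations on non-standard ports. The noise suffix list and the "standard port" set are assumptions to tune for your own sandbox image; the one row whose Domain column was missing is embedded with an empty field.

```python
import ipaddress
import re

# Rows copied from the two Network tables in this report (Country | Destination | Domain | Proto).
WIN7_ROWS = """
| HK | 206.233.129.186:93 | 206.233.129.186 | tcp |
| US | 172.247.35.53:80 | 172.247.35.53 | tcp |
| CN | 183.60.107.153:81 |  | tcp |
| CN | 183.60.107.153:81 |  | tcp |
"""
WIN10_ROWS = """
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| HK | 206.233.129.186:93 | 206.233.129.186 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 172.247.35.53:80 | 172.247.35.53 | tcp |
| BE | 88.221.83.211:443 | www.bing.com | tcp |
| CN | 183.60.107.153:81 |  | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
"""

# Assumption: hosts a stock Windows 10 image contacts on its own; extend per sandbox image.
OS_NOISE_SUFFIXES = ("bing.com", "bing.net")
STANDARD_PORTS = (80, 443)
ROW_RE = re.compile(r"^\|\s*(\w{2})\s*\|\s*([^|\s]+)\s*\|\s*([^|]*?)\s*\|\s*(\w+)\s*\|$")


def parse_rows(table: str) -> list[dict]:
    """Turn the table rows into dicts; lines that do not match the row shape are skipped."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, dest, domain, proto = m.groups()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_noise(row: dict) -> bool:
    """Resolver queries, reverse-DNS lookups and OS telemetry are not indicators of the sample."""
    if row["proto"] == "udp" and row["port"] == 53:
        return True
    if row["domain"].endswith(".in-addr.arpa"):
        return True
    return row["domain"].endswith(OS_NOISE_SUFFIXES)


def _is_ip_literal(domain: str) -> bool:
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False


def stable_iocs(*tables: str) -> list[dict]:
    """Connections present in every detonation, with the traits that make them worth blocking."""
    per_run = []
    for table in tables:
        per_run.append({(r["ip"], r["port"], r["proto"]): r
                        for r in parse_rows(table) if not is_noise(r)})
    common = set.intersection(*(set(run) for run in per_run))
    result = []
    for ip, port, proto in sorted(common):
        row = per_run[0][(ip, port, proto)]
        result.append({
            "ip": ip, "port": port, "proto": proto,
            # no hostname resolved: the address is hard-coded in the sample, not looked up
            "direct_ip": row["domain"] == "" or _is_ip_literal(row["domain"]),
            "nonstandard_port": port not in STANDARD_PORTS,
        })
    return result


if __name__ == "__main__":
    for ioc in stable_iocs(WIN7_ROWS, WIN10_ROWS):
        print(ioc)
```

Run against the two tables, the intersection is exactly the three hard-coded TCP destinations (206.233.129.186:93, 172.247.35.53:80, 183.60.107.153:81); the two on ports 93 and 81 are the first candidates for a network block, since nothing legitimate in the detonation image talks to bare IPs on those ports.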
Files
memory/1160-0-0x000000000107A000-0x000000000161C000-memory.dmp
memory/1160-2-0x0000000000D50000-0x0000000000D51000-memory.dmp
memory/1160-1-0x00000000007A0000-0x00000000007A1000-memory.dmp
memory/1160-3-0x0000000000F70000-0x000000000197C000-memory.dmp
memory/1160-4-0x0000000000F70000-0x000000000197C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SWM_SETTINGS\默认配置.ini
| MD5 | 94a515b306e6228e8ce1d1795b5faf02 |
| SHA1 | 5f6d4e1f6e98c0608805a6ead5c0a5d37205da86 |
| SHA256 | 65ba2da2aa325358c44b42b1b002ae6717507eefcb42f1fcca4f3c480a9cf182 |
| SHA512 | 8c84db3b0962af7af3a6a6ec842ec02cdaa9345749bfc1d839b6612dcd4b96e4a9ebbeab8afa7f7c24b242e9bfc1eae18b6689afb7ef071a89a22c3690099188 |
C:\Users\Admin\AppData\Local\Temp\SWM_SETTINGS\默认配置.ini
| MD5 | 6cc12c0eaf0e01c8352781ca199448fa |
| SHA1 | d56f42a464a51d7b70380d84b78282f71088327d |
| SHA256 | 49114f6420a69ae35f6ad026d37482e4548ba7d0b4e38e54316196cf9e4466f4 |
| SHA512 | f893de3cd2f29d622d8a899fe4485d9ee6160cb09e18e9a61bb6c757640b9d6958ff73f43f85574211050b8a32fa49b58dd9fe7844ef5acb93eded31842d8f6c |
C:\Users\Admin\AppData\Local\Temp\SWM_SETTINGS\默认配置.ini
| MD5 | 502640b26b032cb3dfc9c3d27947280c |
| SHA1 | 2f6b99cb033a68411a04c2a6959a7907438a4d46 |
| SHA256 | 549b8c298bac30fed200a6e36a9499744d6231782481718fe28ba4e980c635f4 |
| SHA512 | 21c60a181566fb64306dfbec67d7e00e08d7747e0a5e059cd98966a5053f74a3293cdb7fcb4ad6297f138d6c06a0b4522edf7e038136f0520f8bcb4bf47d7f8d |
memory/1160-135-0x000000000107A000-0x000000000161C000-memory.dmp
memory/1160-136-0x0000000000F70000-0x000000000197C000-memory.dmp
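The dump names in both Files sections encode the PID, a sequence number and the dumped region's address range. The following is an added example, not the sandbox's tooling: it parses a subset of those names (copied from the two listings above) and compares region sizes across the win7 and win10 runs. Identical sizes at different bases are the same allocations relocated by ASLR, which is a quick way to decide which dumps to diff first; the 1 MiB threshold and the choice to prefer the latest snapshot are assumptions.

```python
import re
from collections import defaultdict

# Dump names copied from the Files sections above (win7 run PID 2988, win10 run PID 1160);
# the repeated one-page dumps at 0x80000/0xA0000 are left out of this subset.
WIN7_DUMPS = """
memory/2988-0-0x000000000146A000-0x0000000001A0C000-memory.dmp
memory/2988-3-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2988-19-0x0000000001360000-0x0000000001D6C000-memory.dmp
memory/2988-23-0x0000000074200000-0x000000007424D000-memory.dmp
memory/2988-152-0x000000000146A000-0x0000000001A0C000-memory.dmp
memory/2988-153-0x0000000001360000-0x0000000001D6C000-memory.dmp
"""
WIN10_DUMPS = """
memory/1160-0-0x000000000107A000-0x000000000161C000-memory.dmp
memory/1160-1-0x00000000007A0000-0x00000000007A1000-memory.dmp
memory/1160-3-0x0000000000F70000-0x000000000197C000-memory.dmp
memory/1160-135-0x000000000107A000-0x000000000161C000-memory.dmp
"""

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dumps(listing: str) -> list[dict]:
    """pid-seq-start-end from each dump name; size is end - start in bytes."""
    dumps = []
    for m in DUMP_RE.finditer(listing):
        start, end = int(m[3], 16), int(m[4], 16)
        dumps.append({"pid": int(m[1]), "seq": int(m[2]),
                      "start": start, "end": end, "size": end - start})
    return dumps


def regions_by_size(dumps: list[dict]) -> dict[int, list[int]]:
    """Sequence numbers grouped by region size; a re-dumped region shares size and base."""
    groups = defaultdict(list)
    for d in dumps:
        groups[d["size"]].append(d["seq"])
    return dict(groups)


def shared_region_sizes(*listings: str) -> list[int]:
    """Sizes seen in every run, largest first: ASLR moves the base, not the size."""
    sets = [set(regions_by_size(parse_dumps(listing))) for listing in listings]
    return sorted(set.intersection(*sets), reverse=True)


def latest_dump_per_size(dumps: list[dict], min_size: int = 0x100000) -> dict[int, tuple[int, int]]:
    """For each region of at least min_size, the (seq, base) of its last snapshot:
    the latest dump of a region is the one most likely to hold unpacked content."""
    latest = {}
    for d in dumps:
        if d["size"] < min_size:
            continue
        if d["size"] not in latest or d["seq"] > latest[d["size"]][0]:
            latest[d["size"]] = (d["seq"], d["start"])
    return latest


if __name__ == "__main__":
    for size in shared_region_sizes(WIN7_DUMPS, WIN10_DUMPS):
        print(f"0x{size:X} bytes:",
              latest_dump_per_size(parse_dumps(WIN7_DUMPS)).get(size),
              latest_dump_per_size(parse_dumps(WIN10_DUMPS)).get(size))
```

Here the two runs share a 0xA0C000-byte and a 0x5A2000-byte region at different bases, so dumps 153 (win7) and 3 (win10) are the same large allocation and the natural starting point for comparing what the packer left in memory on the two platforms.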