Analysis Overview
SHA256
6fa520411abb138d517698fbb52b2ac2af01cb424fd0e27a6adbf8c3a2d52535
Threat Level: Likely malicious
The file E.rar was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Manipulates Digital Signatures
VMProtect packed file
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 17:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 17:16
Reported
2024-06-27 17:22
Platform
win10v2004-20240611-en
Max time kernel
244s
Max time network
194s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\E.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 17:16
Reported
2024-06-27 17:22
Platform
win10v2004-20240611-en
Max time kernel
203s
Max time network
203s
Command Line
Signatures
Downloads MZ/PE file
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 836 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A |
| PID 4584 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A |
| PID 4924 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\E.exe
"C:\Users\Admin\AppData\Local\Temp\E.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\SysWOW64\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5
C:\Windows\SysWOW64\find.exe
find /i /v "md5"
C:\Windows\SysWOW64\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title EfsaneTakipci.com
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Users\Admin\AppData\Local\Temp\E.exe
"C:\Users\Admin\AppData\Local\Temp\E.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\SysWOW64\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5
C:\Windows\SysWOW64\find.exe
find /i /v "md5"
C:\Windows\SysWOW64\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title EfsaneTakipci.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Users\Admin\AppData\Local\Temp\E.exe
"C:\Users\Admin\AppData\Local\Temp\E.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\SysWOW64\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5
C:\Windows\SysWOW64\find.exe
find /i /v "md5"
C:\Windows\SysWOW64\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title EfsaneTakipci.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
Files
C:\Users\Admin\AppData\Local\Temp\Helper.dll
| MD5 | de6e61eb81a84df1d6c2b56b920c3c23 |
| SHA1 | efaca46958ffaeb70c4b62f5d096519b0b7e6035 |
| SHA256 | 46b79d79a77a4e390383231c8761b7fd031965aed7e9db7fa9944f3011676bbd |
| SHA512 | 2237ef1cd9bf21c9efd5ab64c1638ea28c3302735dbd1dc5e7a2f4f156adb02947649c4ef29b0ac8436e6a1998e756912a1d8ae4530a40c5e5a7823a7506ede4 |
C:\Users\Admin\AppData\Local\Temp\Mapper.dll
| MD5 | eef2e264d11153b7f999f0f1e311b786 |
| SHA1 | 0a2191637a69f0938f5475c0d09e37d6abbb0270 |
| SHA256 | bda73870dda2ab199fd0928853617f9aefa82abe9b51137d2ea14b0117d909ba |
| SHA512 | 1194f95ceba56e819655c7398771134ece6275ffc22cfc95659c1fbb86a0c36c8e05f4c8f1821c0cbda377c968f534d5b1fcf2c74d643d92e139d21aecc5c59c |
C:\Users\Admin\AppData\Local\Temp\module.dll
| MD5 | dcc3a12c1daea2fff2bd699cba54e5ad |
| SHA1 | af52ae76eb460027768d8c9cef7afac6e31e5d02 |
| SHA256 | 983369074900218fee0bda623bc3eb69c4007b0b5775f4e403fc9880be32fe1d |
| SHA512 | 13852e7ffd731eaa6b7fa25e4721342701898b82f68efd058f79d12cf5c244ce8c2d10b1d54b7559b6b19a82943eeb28f1b28a3f7a1f32fb794156228da73dec |