Malware Analysis Report

2025-04-13 21:39

Sample ID: 240825-lkhvysxbqd
Target: 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce.unknown
SHA256: 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce
Tags:
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce

Threat Level: Likely malicious

The file 6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce.unknown was found to be: Likely malicious.

Malicious Activity Summary

Downloads MZ/PE file

Executes dropped EXE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-25 09:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-25 09:35
Reported: 2024-08-25 09:37
Platform: win7-20240729-en
Max time kernel: 16s
Max time network: 17s

Command Line

C:\Windows\system32\mmc.exe "C:\Users\Admin\AppData\Local\Temp\6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce.msc"

Signatures

Modifies Internet Explorer settings
Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mmc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mmc.exe | N/A
N/A | N/A | C:\Windows\system32\mmc.exe | N/A
N/A | N/A | C:\Windows\system32\mmc.exe | N/A
N/A | N/A | C:\Windows\system32\mmc.exe | N/A

Processes

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe "C:\Users\Admin\AppData\Local\Temp\6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce.msc"

Network

N/A

Files

memory/1976-0-0x00000000028C0000-0x00000000028C1000-memory.dmp

memory/1976-5-0x00000000028C0000-0x00000000028C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-25 09:35
Reported: 2024-08-25 09:37
Platform: win10v2004-20240802-en
Max time kernel: 132s
Max time network: 123s

Command Line

C:\Windows\system32\mmc.exe "C:\Users\Admin\AppData\Local\Temp\6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce.msc"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Music\musicx.exe | N/A

Modifies Internet Explorer settings
Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\system32\mmc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\system32\mmc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Windows\system32\mmc.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\system32\mmc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A
Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mmc.exe | N/A
N/A | N/A | C:\Windows\system32\mmc.exe | N/A
N/A | N/A | C:\Windows\system32\mmc.exe | N/A
N/A | N/A | C:\Windows\system32\mmc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1444 wrote to memory of 2052 | N/A | C:\Windows\system32\mmc.exe | C:\Users\Public\Music\musicx.exe
PID 1444 wrote to memory of 2052 | N/A | C:\Windows\system32\mmc.exe | C:\Users\Public\Music\musicx.exe

Processes

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe "C:\Users\Admin\AppData\Local\Temp\6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce.msc"

C:\Users\Public\Music\musicx.exe

"C:\Users\Public\Music\musicx.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | proradead.s3.sa-east-1.amazonaws.com | udp
BR | 3.5.233.121:443 | proradead.s3.sa-east-1.amazonaws.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | ocsp.r2m01.amazontrust.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
GB | 143.204.67.183:80 | ocsp.r2m01.amazontrust.com | tcp
US | 8.8.8.8:53 | 121.233.5.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 190.178.204.143.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.216.138.108.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.67.204.143.in-addr.arpa | udp
SG | 152.42.226.161:80 | 152.42.226.161 | tcp
US | 8.8.8.8:53 | 161.226.42.152.in-addr.arpa | udp
US | 8.8.8.8:53 | speedshare.oss-cn-hongkong.aliyuncs.com | udp
HK | 47.79.64.205:443 | speedshare.oss-cn-hongkong.aliyuncs.com | tcp
US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.64.79.47.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Public\Music\musicx.exe

MD5: 3597d9e93852fddb92e0a0cf0452bb61
SHA1: d25c62a57ac3000244741bda129f483f2347efa6
SHA256: 6e6cb0729cb902420739148ae23bf1c7959bc8ea2bf6b6277c5c0de45aa77df6
SHA512: 5af245a68516698f0bcb63829f1c3abe429a06e94755ab50a29f51914b39e4719a901d2174550b691d5b0fdf1e23ca921714a2c5b2739925ef902766e4ab10d0

C:\Users\Public\Music\musicx.exe.config

MD5: e6227dbf734df3563d5bbd3e23c7c6bc
SHA1: 5b73b0559d1f6324dc7e6769d5c1431f69f82278
SHA256: 159d13989d0ae44fddb7b1d4c331f1040d187693f16daa138c651f2cc9b7f6d3
SHA512: 4b8338d5a8a904dc67775ced0e32b187ea9c9c925e6ffaa9d81f23a78b03e2fc7557d7c0078193f3b61117a93dfda40258f2f722b6f79bd47aff7116e81960ac

memory/2052-31-0x00007FFFB4473000-0x00007FFFB4475000-memory.dmp