Analysis Overview
SHA256
298b54366fe0f86bf2e7713ebb6dd3ee9c4fff260c59768f8a913687aeffcdc7
Threat Level: Likely benign
The file LosKsu.zip was found to be: Likely benign.
Malicious Activity Summary
Checks CPU configuration
Enumerates physical storage devices
Reads runtime system information
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-31 16:00
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:01
Platform
debian9-armhf-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/META-INF/com/google/android/update-binary
[/tmp/META-INF/com/google/android/update-binary]
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
win10v2004-20240802-en
Max time kernel
135s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:04
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
153s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/tools/snapshotupdater_static | N/A |
Processes
/tmp/tools/snapshotupdater_static
[/tmp/tools/snapshotupdater_static]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-13 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-13 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-13 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-13 | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:04
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
167s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/stat | /tmp/tools/busybox | N/A |
Processes
/tmp/tools/busybox
[/tmp/tools/busybox]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-7 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-7 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-7 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-7 | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
debian12-armhf-20240418-en
Max time kernel
0s
Max time network
162s
Command Line
Signatures
Processes
/tmp/tools/magiskboot
[/tmp/tools/magiskboot]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-2 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-2 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-2 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-2 | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:01
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
11s
Command Line
Signatures
Processes
/tmp/tools/magiskpolicy
[/tmp/tools/magiskpolicy]
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:01
Platform
ubuntu1804-amd64-20240729-en
Max time kernel
0s
Max time network
0s
Command Line
Signatures
Processes
/tmp/META-INF/com/google/android/update-binary
[/tmp/META-INF/com/google/android/update-binary]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:01
Platform
debian9-mipsel-20240729-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/META-INF/com/google/android/update-binary
[/tmp/META-INF/com/google/android/update-binary]
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
win7-20240708-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.sh | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.sh\ = "sh_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2748 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2748 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2748 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2764 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2764 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2764 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2764 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anykernel.sh
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\anykernel.sh"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | bff61c3b699a92a66688a255e97b56b9 |
| SHA1 | 58d1f3f49e58cfe16f9f39bbd9d6fd946d7da1d7 |
| SHA256 | 0a69f44203496ec0cec9f9a29b0c3f47114fc191782ab24b63e323d1a0710b8c |
| SHA512 | 1ff9f92938d4c325f2679eb84b765712631f243f0dc3a7f33d568617691522af7577ac7ceba8babfc674141c390f8e3d709df1a4cd4c57252194aa12b3ce699c |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:01
Platform
debian9-mipsbe-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/META-INF/com/google/android/update-binary
[/tmp/META-INF/com/google/android/update-binary]
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
win7-20240704-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sh | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sh\ = "sh_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2268 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2268 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2268 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2984 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2984 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2984 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2984 wrote to memory of 2808 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 566c3f84361ecb41f89fb51b5ba2f782 |
| SHA1 | d51958265a40096b16f797907afa25c60429faf4 |
| SHA256 | b4f71fe2a309266979debe1e78ee68a68dcc99cc27051e3a5a32353e9576e723 |
| SHA512 | cf9f72064993fd26290aedfb93fd6d1323bf6b7b5f7a8bce54136bd38bf0aebeec5c4f97ef97be1d579b17932a56d25964f822fb7e7b51e7ca27d75cba81238f |
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:02
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
34s
Command Line
Signatures
Processes
/tmp/tools/fec
[/tmp/tools/fec]
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:04
Platform
debian12-armhf-20240221-en
Max time kernel
1s
Max time network
182s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/tools/httools_static | N/A |
Processes
/tmp/tools/httools_static
[/tmp/tools/httools_static]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-0 | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
debian12-armhf-20240729-en
Max time kernel
0s
Max time network
155s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/tools/lptools_static | N/A |
Processes
/tmp/tools/lptools_static
[/tmp/tools/lptools_static]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-13 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-13 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-13 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240729-en-13 | udp |