Analysis Overview
SHA256
646b05913cc7364f3bb989f05d35b781838fa493c850ae773d13c22d45952a4a
Threat Level: Shows suspicious behavior
The file Tumiyuvad.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-17 13:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-17 13:13
Reported
2024-09-17 13:14
Platform
win10v2004-20240802-en
Max time kernel
50s
Max time network
47s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe
"C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aptitude.pub | udp |
| US | 172.67.70.48:443 | www.aptitude.pub | tcp |
| US | 8.8.8.8:53 | aptitude.pub | udp |
| US | 104.26.6.125:443 | aptitude.pub | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.70.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.6.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/3604-0-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-1-0x00007FFBE4D2D000-0x00007FFBE4D2E000-memory.dmp
memory/3604-2-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-3-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-4-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-5-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-7-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-6-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-8-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-10-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-9-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-11-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-13-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-12-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-19-0x0000000006CF0000-0x0000000006D36000-memory.dmp
memory/3604-14-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-20-0x0000000005A20000-0x0000000005A3A000-memory.dmp
memory/3604-21-0x0000000006D40000-0x0000000006D62000-memory.dmp
memory/3604-22-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-23-0x0000000006D90000-0x0000000006E60000-memory.dmp
memory/3604-28-0x0000000006FA0000-0x0000000006FEA000-memory.dmp
memory/3604-33-0x0000000006CC0000-0x0000000006CE0000-memory.dmp
memory/3604-38-0x0000000006E60000-0x0000000006E7E000-memory.dmp
memory/3604-43-0x0000000006FF0000-0x000000000700C000-memory.dmp
memory/3604-48-0x00000000261F0000-0x000000002624A000-memory.dmp
memory/3604-53-0x0000000026190000-0x00000000261B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\evbB9E9.tmp
| Hash | Value |
|---|---|
| MD5 | 05536a8959254cbc8c9c9bad8abbc89a |
| SHA1 | 5ac3ba35d844f88b44765c0a45d4440b9722c083 |
| SHA256 | 1f278b45aa5291a6c162f9088cf737a77ad4266b21f15aa7d96b8187965bbab8 |
| SHA512 | 5e9a7a4c77264bba48a978211494550cee7afc9624099eb0b899cd8e6a79c4ce8b8efaf598716038ba3b838f52427293dc19d90744b748974b494297aa9d2d73 |
memory/3604-58-0x0000000021110000-0x000000002112E000-memory.dmp
memory/3604-67-0x00000000210E0000-0x00000000210E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\evbBC02.tmp
| Hash | Value |
|---|---|
| MD5 | 04fb2d6d6813ffe1f14cb875f75bee89 |
| SHA1 | b77c9bdac152ff0e36b4f9b2cf1bfcbc8c669f6d |
| SHA256 | f36b32e7d3993a50e78f63d29c14e82782f0b2e460408a2bd1d294f57b658b89 |
| SHA512 | 6632f25e32d85d4e036655b00d164c6ee586e0bd6c428b1a328914bdec74bfbc00b1a43875defc9da4031cd959490c968095de77a309a767b97a2ef43609d2df |
memory/3604-73-0x0000000180000000-0x0000000180137000-memory.dmp
memory/3604-78-0x000000002C3E0000-0x000000002C3EC000-memory.dmp
memory/3604-70-0x0000000180000000-0x0000000180137000-memory.dmp
memory/3604-79-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-80-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-84-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-82-0x0000000005A40000-0x0000000005A48000-memory.dmp
memory/3604-83-0x0000000180000000-0x0000000180137000-memory.dmp
memory/3604-85-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-86-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-87-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-90-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-93-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-100-0x00000000208A0000-0x0000000020950000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\evb5682.tmp
| Hash | Value |
|---|---|
| MD5 | 873e89965c183ad9c2bb55eed0622261 |
| SHA1 | 57380dfdae3d91d49eb8988b3d0a0aad946584db |
| SHA256 | 4548fe128bc1ac730a805f7b57922a82b61999b9e3f6a6b0d5e0488015d2671f |
| SHA512 | 0ede0724fa3ccb965f769f3caf24f3a463bb444a55f0c04ad549225826436d1eee6112a313227941f50e4591924a904da51bf4461d2a12d62d7cfbe8325a1aa4 |
memory/3604-105-0x0000000020950000-0x00000000209C6000-memory.dmp