Malware Analysis Report

2024-11-30 19:33

Sample ID 240917-qf4dbavdqq
Target Tumiyuvad.exe
SHA256 646b05913cc7364f3bb989f05d35b781838fa493c850ae773d13c22d45952a4a
Tags agilenet
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 646b05913cc7364f3bb989f05d35b781838fa493c850ae773d13c22d45952a4a

Threat level: suspicious (score 7/10)

Tumiyuvad.exe shows suspicious behavior but was not matched to a known malware family: the only tag is agilenet (the Agile.Net .NET obfuscator) and no MITRE ATT&CK techniques were mapped. The individual signatures are listed below.

Malicious Activity Summary

agilenet

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-09-17 13:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-17 13:13

Reported

2024-09-17 13:14

Platform

win10v2004-20240802-en

Max time kernel

50s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
(9 identical hits; the sandbox reports no per-hit description, indicator, process or target for this signature)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe N/A
(64 identical hits, all from the sample's own process; the sandbox reports no per-hit indicator or target)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe

"C:\Users\Admin\AppData\Local\Temp\Tumiyuvad.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.aptitude.pub udp
US 172.67.70.48:443 www.aptitude.pub tcp
US 8.8.8.8:53 aptitude.pub udp
US 104.26.6.125:443 aptitude.pub tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 48.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 125.6.26.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
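Reading the Network table: almost every row is a reverse (PTR) lookup sent to 8.8.8.8. A PTR name carries the queried address with its octets reversed, so 48.70.67.172.in-addr.arpa is a lookup of 172.67.70.48, the same address the sample then contacts on tcp/443 as www.aptitude.pub, and 125.6.26.104.in-addr.arpa maps to 104.26.6.125 (aptitude.pub). The Python script below is an editorial example added here, not part of the sandbox output; it parses the rows exactly as printed above, decodes each PTR name, and separates reverse lookups that were followed by a connection from those that were not. The latter group (Microsoft-, Fastly- and Google-looking addresses the sample never connected to within the 47 s network window) may be OS or sandbox background activity or traffic outside the capture; the report does not attribute them, so only the PTR-plus-connection pairs are treated as IOC candidates.

```python
"""Triage helper for the sandbox Network table: decode PTR (in-addr.arpa)
lookups back to the queried IP and correlate them with observed sessions."""
import ipaddress
import re

# Rows copied verbatim from the report's Network table (Country Destination Domain Proto).
REPORT_NETWORK = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.aptitude.pub udp
US 172.67.70.48:443 www.aptitude.pub tcp
US 8.8.8.8:53 aptitude.pub udp
US 104.26.6.125:443 aptitude.pub tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 48.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 125.6.26.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$")


def ptr_to_ip(name):
    """'48.70.67.172.in-addr.arpa' -> '172.67.70.48'; None for non-PTR names."""
    m = PTR_RE.match(name.strip().lower())
    if not m:
        return None
    try:
        # PTR names list the octets least-significant first, so reverse them;
        # IPv4Address() rejects octets above 255.
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def parse_network_table(text):
    """Parse 'Country Destination Domain Proto' rows; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "dst_ip": host, "dst_port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage_network(rows):
    ptr_ips, forward_names, connections = [], [], []
    for r in rows:
        if r["dst_port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.append(ip)
            else:
                forward_names.append(r["domain"])
        else:
            connections.append((r["dst_ip"], r["dst_port"], r["domain"], r["proto"]))
    connected = {c[0] for c in connections}
    by_ip = ipaddress.IPv4Address  # numeric sort instead of string sort
    return {
        "ptr_ips": ptr_ips,                # every reverse lookup, in report order
        "forward_names": forward_names,    # hostnames resolved the normal way
        "connections": connections,        # non-DNS sessions seen in the capture
        # Reverse-resolved and then contacted: the IOC candidates worth keeping.
        "ptr_and_connected": sorted(set(ptr_ips) & connected, key=by_ip),
        # Reverse-resolved but never contacted in the capture window: background
        # noise or out-of-window traffic; the report does not say which.
        "ptr_only": sorted(set(ptr_ips) - connected, key=by_ip),
    }


if __name__ == "__main__":
    for key, value in triage_network(parse_network_table(REPORT_NETWORK)).items():
        print(f"{key}: {value}")
```

Running it yields two connected IOC candidates (104.26.6.125 and 172.67.70.48, both reached on 443 under the aptitude.pub names) and nine reverse-only addresses, including 8.8.8.8 itself, which the script deliberately does not count as a connection because it is only the resolver.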

Files

memory/3604-0-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-1-0x00007FFBE4D2D000-0x00007FFBE4D2E000-memory.dmp

memory/3604-2-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-3-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-4-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-5-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-7-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-6-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-8-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-10-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-9-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-11-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-13-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-12-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-19-0x0000000006CF0000-0x0000000006D36000-memory.dmp

memory/3604-14-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-20-0x0000000005A20000-0x0000000005A3A000-memory.dmp

memory/3604-21-0x0000000006D40000-0x0000000006D62000-memory.dmp

memory/3604-22-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-23-0x0000000006D90000-0x0000000006E60000-memory.dmp

memory/3604-28-0x0000000006FA0000-0x0000000006FEA000-memory.dmp

memory/3604-33-0x0000000006CC0000-0x0000000006CE0000-memory.dmp

memory/3604-38-0x0000000006E60000-0x0000000006E7E000-memory.dmp

memory/3604-43-0x0000000006FF0000-0x000000000700C000-memory.dmp

memory/3604-48-0x00000000261F0000-0x000000002624A000-memory.dmp

memory/3604-53-0x0000000026190000-0x00000000261B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evbB9E9.tmp

MD5 05536a8959254cbc8c9c9bad8abbc89a
SHA1 5ac3ba35d844f88b44765c0a45d4440b9722c083
SHA256 1f278b45aa5291a6c162f9088cf737a77ad4266b21f15aa7d96b8187965bbab8
SHA512 5e9a7a4c77264bba48a978211494550cee7afc9624099eb0b899cd8e6a79c4ce8b8efaf598716038ba3b838f52427293dc19d90744b748974b494297aa9d2d73

memory/3604-58-0x0000000021110000-0x000000002112E000-memory.dmp

memory/3604-67-0x00000000210E0000-0x00000000210E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evbBC02.tmp

MD5 04fb2d6d6813ffe1f14cb875f75bee89
SHA1 b77c9bdac152ff0e36b4f9b2cf1bfcbc8c669f6d
SHA256 f36b32e7d3993a50e78f63d29c14e82782f0b2e460408a2bd1d294f57b658b89
SHA512 6632f25e32d85d4e036655b00d164c6ee586e0bd6c428b1a328914bdec74bfbc00b1a43875defc9da4031cd959490c968095de77a309a767b97a2ef43609d2df

memory/3604-73-0x0000000180000000-0x0000000180137000-memory.dmp

memory/3604-78-0x000000002C3E0000-0x000000002C3EC000-memory.dmp

memory/3604-70-0x0000000180000000-0x0000000180137000-memory.dmp

memory/3604-79-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-80-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-84-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-82-0x0000000005A40000-0x0000000005A48000-memory.dmp

memory/3604-83-0x0000000180000000-0x0000000180137000-memory.dmp

memory/3604-85-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-86-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

memory/3604-87-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-90-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-93-0x0000000000D60000-0x00000000020AE000-memory.dmp

memory/3604-100-0x00000000208A0000-0x0000000020950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evb5682.tmp

MD5 873e89965c183ad9c2bb55eed0622261
SHA1 57380dfdae3d91d49eb8988b3d0a0aad946584db
SHA256 4548fe128bc1ac730a805f7b57922a82b61999b9e3f6a6b0d5e0488015d2671f
SHA512 0ede0724fa3ccb965f769f3caf24f3a463bb444a55f0c04ad549225826436d1eee6112a313227941f50e4591924a904da51bf4461d2a12d62d7cfbe8325a1aa4

memory/3604-105-0x0000000020950000-0x00000000209C6000-memory.dmp
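Reading the Files section: the 43 memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp (reading 3604 as the sample's PID and the second number as a dump sequence is an assumption about the sandbox's naming; the report does not spell it out). Grouping them by address range shows where to look first: the roughly 19 MiB image at 0xD60000 (the main executable, dumped ten times), the 0x180000000 range (the default image base the MSVC linker assigns to 64-bit DLLs, consistent with the "Loads dropped DLL" signature), and the 0x7FFB... ranges at the top of user space where system DLLs load under ASLR. The script below is an editorial example added here, not part of the report; the evb*.tmp drops and their hashes are skipped by the parser, and the range labels are an analyst's heuristics, not sandbox output.

```python
"""Group the memory dumps listed under Files by address range so the
regions worth opening first stand out."""
import re
from collections import Counter

# Dump names copied verbatim from the report's Files section (evb*.tmp drops omitted).
REPORT_DUMPS = """\
memory/3604-0-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-1-0x00007FFBE4D2D000-0x00007FFBE4D2E000-memory.dmp
memory/3604-2-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-3-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-4-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-5-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-7-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-6-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-8-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-10-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-9-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-11-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-13-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-12-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-19-0x0000000006CF0000-0x0000000006D36000-memory.dmp
memory/3604-14-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-20-0x0000000005A20000-0x0000000005A3A000-memory.dmp
memory/3604-21-0x0000000006D40000-0x0000000006D62000-memory.dmp
memory/3604-22-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-23-0x0000000006D90000-0x0000000006E60000-memory.dmp
memory/3604-28-0x0000000006FA0000-0x0000000006FEA000-memory.dmp
memory/3604-33-0x0000000006CC0000-0x0000000006CE0000-memory.dmp
memory/3604-38-0x0000000006E60000-0x0000000006E7E000-memory.dmp
memory/3604-43-0x0000000006FF0000-0x000000000700C000-memory.dmp
memory/3604-48-0x00000000261F0000-0x000000002624A000-memory.dmp
memory/3604-53-0x0000000026190000-0x00000000261B6000-memory.dmp
memory/3604-58-0x0000000021110000-0x000000002112E000-memory.dmp
memory/3604-67-0x00000000210E0000-0x00000000210E8000-memory.dmp
memory/3604-73-0x0000000180000000-0x0000000180137000-memory.dmp
memory/3604-78-0x000000002C3E0000-0x000000002C3EC000-memory.dmp
memory/3604-70-0x0000000180000000-0x0000000180137000-memory.dmp
memory/3604-79-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-80-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-84-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-82-0x0000000005A40000-0x0000000005A48000-memory.dmp
memory/3604-83-0x0000000180000000-0x0000000180137000-memory.dmp
memory/3604-85-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-86-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp
memory/3604-87-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-90-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-93-0x0000000000D60000-0x00000000020AE000-memory.dmp
memory/3604-100-0x00000000208A0000-0x0000000020950000-memory.dmp
memory/3604-105-0x0000000020950000-0x00000000209C6000-memory.dmp
"""

# Assumed naming scheme: memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    m = DUMP_RE.match(name.strip())
    if not m:
        return None  # dropped-file paths, hash lines, blanks
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def classify(start, size):
    """Heuristic label for a range; an analyst's interpretation, not sandbox output."""
    if start == 0x180000000:
        return "default image base of a 64-bit DLL: likely the dropped DLL mapped in-process"
    if start >= 0x00007FF000000000:
        return "top of user space: system DLLs / loader under ASLR"
    if size >= 16 * 1024 * 1024:
        return "large low-address image: the main executable"
    return "heap, JIT or other private allocation"


def summarize(text):
    dumps = [d for d in map(parse_dump_name, text.splitlines()) if d]
    counts = Counter((d["start"], d["end"]) for d in dumps)
    regions = [{"start": s, "end": e, "size": e - s, "dumps": n, "note": classify(s, e - s)}
               for (s, e), n in counts.items()]
    regions.sort(key=lambda r: (-r["size"], r["start"]))  # biggest range first
    return dumps, regions


if __name__ == "__main__":
    dumps, regions = summarize(REPORT_DUMPS)
    print(f"{len(dumps)} dumps over {len(regions)} distinct ranges")
    for r in regions:
        print(f"0x{r['start']:016X}-0x{r['end']:016X} {r['size']:>10,} B x{r['dumps']:<2} {r['note']}")
```

The output puts the 0xD60000-0x20AE000 image first (0x134E000 bytes, ten dumps), then the 0x7FFBE4C90000 system range (thirteen dumps) and the 0x180000000 range (0x137000 bytes, three dumps); the three evbB9E9.tmp, evbBC02.tmp and evb5682.tmp drops are the on-disk side of the same activity and should be hashed against the report's values before being opened.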