Malware Analysis Report

2025-05-06 00:41

Sample ID 241109-1elrzssgpl
Target d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5
SHA256 d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5
Tags
discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5

Threat Level: Likely malicious

The file d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5 was found to be: Likely malicious.

Malicious Activity Summary

discovery

Downloads MZ/PE file

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:33

Reported

2024-11-09 21:36

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe"

Signatures

Downloads MZ/PE file

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe

"C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.browser.yandex.net udp
US 8.8.8.8:53 api.browser.yandex.ru udp
US 8.8.8.8:53 download.cdn.yandex.net udp
RU 5.45.205.241:443 download.cdn.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
US 8.8.8.8:53 cachev2-ams22.cdn.yandex.net udp
NL 5.45.247.27:443 cachev2-ams22.cdn.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\lite_installer.log

MD5 bea152bc5ef863b38e16b2f842720500
SHA1 1fd57a3dcde9354423bc733d684f0d062d591e3d
SHA256 2f2f6370da17d7d17314d7d2ba7220809e34d892dfd538605b18325bbae70727
SHA512 f1d427dd662f9cfa21a7bb46f361bc0653106861d5c7607f9c1dfdace497797b2d8417f749774f28bc818a080f2cb191870761272fe62048019c3259f770eebe

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 ca62c199f2fb3ae24d4cfead0a59eed1
SHA1 ff7586935d53093c2a551085dc169e987b5c65e9
SHA256 067febf5d57e210f5768891f9ffd4c1e094e49513758064b7c91c4a991a1e2c3
SHA512 5d16ae4a374b0853772bd3844a790d5e2f94fc0d88eca0b55dbcf22139ae27262e57e4fa3e780b1462093f58c7fc3830dc7c045726575a097cef4f0a50ec29c3

C:\Users\Admin\AppData\Local\Temp\lite_installer.log

MD5 791a4c7fe4c6b24fa4dd09e666a3613d
SHA1 f80341eeb46b30e83ff03b5becb08aaa5973c2ea
SHA256 d12b61176177e5ab2ba7192cf06013a09614bf126a9af8d22646b68e99a0ac81
SHA512 783eeef5a75575de300caf2d6db3a02f6caed66343abcd5d65df2b8cd494f2d9b13c989db9f4469794da0e29726919d659213558a95a326628b5eeb388f12a9f

C:\Users\Admin\AppData\Local\Temp\CabF3C2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:33

Reported

2024-11-09 21:36

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe"

Signatures

Downloads MZ/PE file

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe

"C:\Users\Admin\AppData\Local\Temp\d00ac190ccc748349589e55b40ecca2fb9c69f6a79a654fb7288cc9f844abde5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 download.cdn.yandex.net udp
US 8.8.8.8:53 api.browser.yandex.ru udp
US 8.8.8.8:53 api.browser.yandex.net udp
RU 5.45.205.245:443 download.cdn.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.net tcp
US 8.8.8.8:53 245.205.45.5.in-addr.arpa udp
US 8.8.8.8:53 234.193.180.213.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
RU 213.180.193.234:443 api.browser.yandex.net tcp
US 8.8.8.8:53 cachev2-kiv-03.cdn.yandex.net udp
FI 5.45.192.141:443 cachev2-kiv-03.cdn.yandex.net tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 141.192.45.5.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
RU 213.180.193.234:443 api.browser.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.net tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\lite_installer.log

MD5 c2ba89b9e06bb15cbf0c229239128770
SHA1 a9b0a4cd53446a5a2962dc7b10e42ee5246d921f
SHA256 abd1e662fed4ff94531b459a30c8793c78211bb3f2307eb20d1bbc4627c1db99
SHA512 3a1a0f9b0daa4f07573978dc3bd1e73d0abce3ff3e16fd865ae8e3b44f36c0c88632f84866cb4d7aad807e5c863c4d7df3d0cb2e834829510b93b31cf54f8113

C:\Users\Admin\AppData\Local\Temp\lite_installer.log

MD5 3245baa669ae426f418780582e180534
SHA1 09bc344b8368d4ddf1c1cdab41025da28ec57e9a
SHA256 5f3ece22c48d18d7f1d42c3c339e4bcd6ec27c522bae9627597bf04208e92a3d
SHA512 b6f22b884abc3ae51be82a90ce7da5b638877e4139f41941961ce8ae3e7976cfcf6e3681a9b818c18184ac318b39b1f5d9db2d4a3c3f7542165b1ca0ddf4d318

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 a82c05d8219310fc1ebfce349ee66a61
SHA1 92b7df0e7044eb74163c1484e4cd7fb1dfe00257
SHA256 544a1da597dfc8e4d32553a2f0d36a6bc43fd644c830baaccdb1cd9b2ce04e4c
SHA512 81e508d7429291f50ff6b9be4f4bb4a3ce1ee888baf49b1c6e939bd0859ca5dd2b0347ed0a1022c1efbf74288a114e0ada999780edb333c0e3f34649081fd56a