Malware Analysis Report

2025-08-06 00:54

Sample ID: 241109-m5dbmsslez
Target: Full-SystemRank1Shop.exe
SHA256: ad8c2c9077bafff7613f5830ade88d4f029024e58e84faeea8b79482b2518c6d
Tags: discovery
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: ad8c2c9077bafff7613f5830ade88d4f029024e58e84faeea8b79482b2518c6d

Threat Level: Shows suspicious behavior

The file Full-SystemRank1Shop.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery

Signatures:
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL
  Unsigned PE
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-11-09 11:02

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 11:02
Reported: 2024-11-09 11:03
Platform: win10ltsc2021-20241023-en
Max time kernel: 30s
Max time network: 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Full-SystemRank1Shop.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\Full-SystemRank1Shop.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\aRuntimeV4.5.3.exe.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\aRuntimeV4.5.3.exe.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\aRuntimeV4.5.3.exe.exe
Target: N/A

Description: Token: 33
Indicator: N/A
Process: C:\Windows\system32\AUDIODG.EXE
Target: N/A

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Windows\system32\AUDIODG.EXE
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Full-SystemRank1Shop.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Full-SystemRank1Shop.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\aRuntimeV4.5.3.exe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\aRuntimeV4.5.3.exe.exe"

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x33c 0x48c

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\aRuntimeV4.5.3.exe.exe

MD5 2d566aba68a782cc07344fbd8311bb92
SHA1 ae8ffe1f92099db46f70fd711749f4c0268aff68
SHA256 34e2c19fa32ead59832dfa9639d9d79a68936a5f35cc6572fbe8f53ecea414be
SHA512 70f0434c3927f8c5e795c779204bfc0b8e83eac00efb602d2d6a8218a9078bd37b32594035b1ef7d88714a28fae1e86c8ab7dc52a1664a3591f99b85af8ce302


C:\Users\Admin\AppData\Local\Temp\RarSFX0\Archives(Resource).wav

MD5 abf250bdc2fbc4f31423195650e35868
SHA1 e4276555c486591bbf5859030e8559948cd0917d
SHA256 ad2dfd8cbafd7f77f176d7952907a2dc0b70fd961bf164ac6229e116cf1a935c
SHA512 982ab811def9bf7a71bd172d0f05b8a50216e44ec6361109330552b9f4ec99dc2f1fbd54ee75c3580389a52b329551ed41fab3dd8be12322b43c23e609d0f524

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Error(Resource).wav

MD5 d9bfe1c2dcf71dfb8256132005d831f3
SHA1 ff620c166c2550212a6f910a2faf18adf6df3450
SHA256 1196842942ac28e174f24492f76147758dcaa06c6d330c114ace3197f5407861
SHA512 87af78e26f8e94f1551477a8de21537fc87435f2811014d1efde87a483d74b7b9ebb79b91ab5d85eebb6f272808b8f9838a8ab51496b3cc99ea74ca9ce3d0627

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Siticone.UI.dll

MD5 2474124f9a70301411e5a42caa0225f6
SHA1 23c561479001148931601b14889d0c10c1420e85
SHA256 283346e95883d2c51743b725ecd41f2afd97adbbf86ec9d9735072505d5726b4
SHA512 a4c798779674fefde60b87cb7b57f1b7b723649189ce7f89e6993b1ee84e84c18eb5f97fce4a531fe8f361fa4ecda79e482f57f695b968e9543345cc40e321ff


C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dll

MD5 195ffb7167db3219b217c4fd439eedd6
SHA1 1e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256 e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA512 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac


C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tulpep.NotificationWindow.dll

MD5 6c36530ed3cb415f23b221dd85868f07
SHA1 481a31a1c2dfb8883bcf9dcbe4a6734e60c99782
SHA256 1cdad73cd55de2a724d5f949c6467eb5367e1d026b6a8ea5eb809c19423eab20
SHA512 09c2a69c7b21eda1b56b7b5e2c4d9be57e7e1485cee7d84772329e9d218c8e3f9dade068063375bcaf9cfe65b9c8dcc507578f5573992e5e75f4b4f0fe053062
