Analysis Overview
SHA256
b2b82c1977c17aec7ba0074f56c0d61100e616a0ce72dab748ec4269db6c0793
Threat Level: Known bad
The file b2b82c1977c17aec7ba0074f56c0d61100e616a0ce72dab748ec4269db6c0793 was found to be: Known bad.
Malicious Activity Summary
SystemBC
Blocklisted process makes network request
VMProtect packed file
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-09 03:45
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-09 03:45
Reported
2023-08-09 03:50
Platform
win7-20230712-en
Max time kernel
120s
Max time network
256s
Command Line
Signatures
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2b82c1977c17aec7ba0074f56c0d61100e616a0ce72dab748ec4269db6c0793.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 5.42.65.67:4298 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-09 03:45
Reported
2023-08-09 03:50
Platform
win10-20230703-en
Max time kernel
290s
Max time network
259s
Command Line
Signatures
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2b82c1977c17aec7ba0074f56c0d61100e616a0ce72dab748ec4269db6c0793.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 5.42.65.67:4298 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | localhost.exchange | udp |
Files