Analysis Overview
SHA256
a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24
Threat Level: Known bad
The file a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Blocklisted process makes network request
VMProtect packed file
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-13 10:16
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-13 10:16
Reported
2023-08-13 10:18
Platform
win7-20230712-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.dll,#1
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.65.67:4298 | | tcp |
Files
memory/2812-54-0x0000000077710000-0x0000000077712000-memory.dmp
memory/2812-56-0x000007FEF4FA0000-0x000007FEF5996000-memory.dmp
memory/2812-57-0x0000000077710000-0x0000000077712000-memory.dmp
memory/2812-59-0x0000000077710000-0x0000000077712000-memory.dmp
memory/2812-60-0x0000000077720000-0x0000000077722000-memory.dmp
memory/2812-62-0x0000000077720000-0x0000000077722000-memory.dmp
memory/2812-64-0x0000000077720000-0x0000000077722000-memory.dmp
memory/2812-65-0x0000000077730000-0x0000000077732000-memory.dmp
memory/2812-67-0x0000000077730000-0x0000000077732000-memory.dmp
memory/2812-69-0x0000000077730000-0x0000000077732000-memory.dmp
memory/2812-70-0x0000000077740000-0x0000000077742000-memory.dmp
memory/2812-72-0x0000000077740000-0x0000000077742000-memory.dmp
memory/2812-74-0x0000000077740000-0x0000000077742000-memory.dmp
memory/2812-77-0x000007FEFD650000-0x000007FEFD652000-memory.dmp
memory/2812-79-0x000007FEFD650000-0x000007FEFD652000-memory.dmp
memory/2812-82-0x000007FEFD660000-0x000007FEFD662000-memory.dmp
memory/2812-84-0x000007FEFD660000-0x000007FEFD662000-memory.dmp
memory/2812-85-0x0000000077750000-0x0000000077752000-memory.dmp
memory/2812-87-0x0000000077750000-0x0000000077752000-memory.dmp
memory/2812-89-0x0000000077750000-0x0000000077752000-memory.dmp
memory/2812-91-0x0000000077560000-0x0000000077709000-memory.dmp
memory/2812-90-0x000007FEF4FA0000-0x000007FEF5996000-memory.dmp
memory/2812-92-0x0000000077560000-0x0000000077709000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-13 10:16
Reported
2023-08-13 10:18
Platform
win10v2004-20230703-en
Max time kernel
143s
Max time network
158s
Command Line
Signatures
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 5.42.65.67:4298 | | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.131.255.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
memory/2436-133-0x00007FFAB8E90000-0x00007FFAB8E92000-memory.dmp
memory/2436-135-0x00007FFAB8EA0000-0x00007FFAB8EA2000-memory.dmp
memory/2436-134-0x00007FFA9B470000-0x00007FFA9BE66000-memory.dmp
memory/2436-136-0x00007FFAB8190000-0x00007FFAB8192000-memory.dmp
memory/2436-137-0x00007FFAB81A0000-0x00007FFAB81A2000-memory.dmp
memory/2436-138-0x00007FFAB6960000-0x00007FFAB6962000-memory.dmp
memory/2436-139-0x00007FFAB6970000-0x00007FFAB6972000-memory.dmp
memory/2436-141-0x00007FFAB8EB0000-0x00007FFAB8EB2000-memory.dmp
memory/2436-142-0x00007FFA9B470000-0x00007FFA9BE66000-memory.dmp