Analysis Overview
SHA256
36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed
Threat Level: Known bad
The file 36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with VMProtect.
Detects executables packed with VMProtect.
VMProtect packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-10 20:17
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 20:17
Reported
2024-05-10 20:20
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\eftrfx\hdtmufgmueo.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\eftrfx\hdtmufgmueo.exe | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3592 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | C:\Program Files (x86)\eftrfx\hdtmufgmueo.exe |
| PID 3592 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | C:\Program Files (x86)\eftrfx\hdtmufgmueo.exe |
| PID 3592 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | C:\Program Files (x86)\eftrfx\hdtmufgmueo.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe
"C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe"
C:\Program Files (x86)\eftrfx\hdtmufgmueo.exe
"C:\Program Files (x86)\eftrfx\hdtmufgmueo.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3592-0-0x0000000000400000-0x0000000000924000-memory.dmp
C:\Program Files (x86)\eftrfx\hdtmufgmueo.exe
| MD5 | 622dc42f385b04aee5becad04919424c |
| SHA1 | fc3a640ec715af6689025c8059f13016674e3821 |
| SHA256 | af7d6b88b0b89039bed6a34dd2dbd7b731800ae1d0ad59c4d40bf7544c2d1b68 |
| SHA512 | 9ccb65f4b1e469911a0b2c5508ffddb3e35d56bc7c98b602bf205b75c47b9b0c27b329ab7215359ce6c830af10b30bc71e271c201571a4716b1338373ee3121c |
memory/3860-6-0x0000000000400000-0x0000000000924000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 20:17
Reported
2024-05-10 20:20
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\efssjvlok\qacoducll.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\efssjvlok\qacoducll.exe | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | C:\Program Files (x86)\efssjvlok\qacoducll.exe |
| PID 2240 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | C:\Program Files (x86)\efssjvlok\qacoducll.exe |
| PID 2240 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | C:\Program Files (x86)\efssjvlok\qacoducll.exe |
| PID 2240 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe | C:\Program Files (x86)\efssjvlok\qacoducll.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe
"C:\Users\Admin\AppData\Local\Temp\36cd6d54435d297941b64140301642573cd16aa2fe2ac7a7ffb28f6693d087ed.exe"
C:\Program Files (x86)\efssjvlok\qacoducll.exe
"C:\Program Files (x86)\efssjvlok\qacoducll.exe"
Network
Files
memory/2240-0-0x0000000000400000-0x0000000000924000-memory.dmp
\Program Files (x86)\efssjvlok\qacoducll.exe
| MD5 | e291d09e9374bc15fb796d6c29d7e0db |
| SHA1 | 34711d68dda87e5896f0982969e4fa3ae1916f00 |
| SHA256 | b35c57ce6bf712d4986757723dd29837f5a2959a5168390eea6aaf51c81b23d4 |
| SHA512 | 4d6c6452a1e3b86cd3c4b02a2b7ca1d975efabe24c4bcd822425c7fe3f501670d98c02bad686e67bf10a29f89bf7b9a2fe5347364f7197b624796619285443c3 |
memory/1136-7-0x0000000000400000-0x0000000000924000-memory.dmp