Analysis Overview
SHA256
30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1
Threat Level: Known bad
The file 30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1 was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with VMProtect.
Detects executables packed with VMProtect.
VMProtect packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-10 20:05
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 20:05
Reported
2024-05-10 20:08
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1808 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe |
| PID 1808 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe |
| PID 1808 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe |
| PID 1808 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe
"C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe"
C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe
"C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe"
Network
Files
\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe
| MD5 | 7f9acb6f47becd9b59fb80e26614f268 |
| SHA1 | 4d799f4fe324db16dccf7cbff78630e63dca4450 |
| SHA256 | 8e296d90c37810c6eb5ad4eac1feaa97ec464a20d5a98368b7dbfe4e1e0142f2 |
| SHA512 | 7ded67dc093891356f8484dd38e0fd733c211bc926f6322c50a85bb786586dd71c43ddd9269a1373f0e609378e0bca879e612b8945d793d411c382cbd3a5817e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 20:05
Reported
2024-05-10 20:08
Platform
win10v2004-20240426-en
Max time kernel
128s
Max time network
100s
Command Line
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\njwlphmtul\huwsn.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\njwlphmtul\huwsn.exe | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2340 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | C:\Program Files (x86)\njwlphmtul\huwsn.exe |
| PID 2340 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | C:\Program Files (x86)\njwlphmtul\huwsn.exe |
| PID 2340 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe | C:\Program Files (x86)\njwlphmtul\huwsn.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe
"C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe"
C:\Program Files (x86)\njwlphmtul\huwsn.exe
"C:\Program Files (x86)\njwlphmtul\huwsn.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Program Files (x86)\njwlphmtul\huwsn.exe
| MD5 | d0c7e3b3f70b26ed67a8663ebaf85ff1 |
| SHA1 | b7c21d74f7b949a534ae3afe5e0eaeab9a0a7b69 |
| SHA256 | fdb553f13deee4fee0ad12966c2f4e595c818f16e5faa3216256fc990ec1d380 |
| SHA512 | 9504a018d955c7ddf2589da3fd1b58b411af5c15b47dc657dd793641b9b981ef082406022f25ea8e44b65267a2e0dda5b10eeecd1dae949b91fde57b26606c37 |