Analysis Overview
SHA256
a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73
Threat Level: Shows suspicious behavior
The file a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73 was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-14 14:19
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-14 14:19
Reported
2024-05-14 14:22
Platform
win7-20240221-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\LMMAWV.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | N/A |
| N/A | N/A | C:\LMMAWV.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | N/A |
| N/A | N/A | C:\LMMAWV.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2296 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | C:\LMMAWV.exe |
| PID 2296 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | C:\LMMAWV.exe |
| PID 2296 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | C:\LMMAWV.exe |
| PID 2296 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | C:\LMMAWV.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe
"C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe"
C:\LMMAWV.exe
C:\LMMAWV.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ysjhfsdhrsdgsjw.cn | udp |
| HK | 121.54.173.3:80 | ysjhfsdhrsdgsjw.cn | tcp |
Files
memory/2296-0-0x0000000000BF0000-0x0000000000E41000-memory.dmp
memory/2296-3-0x00000000771F0000-0x00000000771F1000-memory.dmp
memory/2296-1-0x00000000771F0000-0x00000000771F1000-memory.dmp
memory/2296-9-0x0000000000BF1000-0x0000000000C13000-memory.dmp
memory/2296-7-0x00000000751E0000-0x00000000751E1000-memory.dmp
memory/2296-10-0x0000000000BF0000-0x0000000000E41000-memory.dmp
C:\LMMAWV.exe
| Hash | Value |
| --- | --- |
| MD5 | 8f4f6d1aa9bf713d1519d4a41e06f8cc |
| SHA1 | 8e50b6a4ffbbd6c8f82596daa4d3425d27278b5d |
| SHA256 | a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73 |
| SHA512 | d33d57b1e7791b9ed8171c043bb8c1b20e0fc4a8604e53973983a5afeb95040dc194f960d527bfaed179c10400876ca97dc409bfa00c11f992bf97f7f0ea00b2 |
memory/1956-17-0x0000000000920000-0x0000000000B71000-memory.dmp
memory/1956-26-0x0000000000920000-0x0000000000B71000-memory.dmp
memory/1956-28-0x0000000000921000-0x0000000000943000-memory.dmp
memory/1956-30-0x0000000000920000-0x0000000000B71000-memory.dmp
memory/2296-29-0x0000000000BF0000-0x0000000000E41000-memory.dmp
memory/1956-31-0x0000000000920000-0x0000000000B71000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-14 14:19
Reported
2024-05-14 14:22
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
99s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\RVlJck.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | N/A |
| N/A | N/A | C:\RVlJck.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | N/A |
| N/A | N/A | C:\RVlJck.exe | N/A |
| N/A | N/A | C:\RVlJck.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1932 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | C:\RVlJck.exe |
| PID 1932 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | C:\RVlJck.exe |
| PID 1932 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe | C:\RVlJck.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe
"C:\Users\Admin\AppData\Local\Temp\a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73.exe"
C:\RVlJck.exe
C:\RVlJck.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ysjhfsdhrsdgsjw.cn | udp |
| HK | 121.54.173.3:80 | ysjhfsdhrsdgsjw.cn | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/1932-0-0x0000000000250000-0x00000000004A1000-memory.dmp
memory/1932-3-0x0000000000251000-0x0000000000273000-memory.dmp
memory/1932-1-0x0000000000250000-0x00000000004A1000-memory.dmp
C:\RVlJck.exe
| Hash | Value |
| --- | --- |
| MD5 | 8f4f6d1aa9bf713d1519d4a41e06f8cc |
| SHA1 | 8e50b6a4ffbbd6c8f82596daa4d3425d27278b5d |
| SHA256 | a7a6c8ce8650705a2dec218cd5713bc7b52954ce73d10330842ba9c1c3e66f73 |
| SHA512 | d33d57b1e7791b9ed8171c043bb8c1b20e0fc4a8604e53973983a5afeb95040dc194f960d527bfaed179c10400876ca97dc409bfa00c11f992bf97f7f0ea00b2 |
memory/3532-8-0x00000000004B0000-0x0000000000701000-memory.dmp
memory/3532-9-0x00000000004B1000-0x00000000004D3000-memory.dmp
memory/3532-10-0x00000000004B0000-0x0000000000701000-memory.dmp
memory/3532-12-0x00000000004B0000-0x0000000000701000-memory.dmp
memory/1932-13-0x0000000000250000-0x00000000004A1000-memory.dmp
memory/3532-14-0x00000000004B0000-0x0000000000701000-memory.dmp