Analysis Overview
SHA256
2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f
Threat Level: Known bad
The file 2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with VMProtect.
Detects executables packed with VMProtect.
Drops file in Drivers directory
VMProtect packed file
Unsigned PE
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-14 19:45
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-14 19:45
Reported
2024-05-14 19:47
Platform
win7-20231129-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\nejrfvp.sys | C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\nejrfvp.sys | C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe
"C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-14 19:45
Reported
2024-05-14 19:47
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\adlvssh.sys | C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\adlvssh.sys | C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe
"C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.154:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.154:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\adlvssh.sys
| MD5 | a467aa29895bcc4b2f4d2e46c81d9d4d |
| SHA1 | ccda54aea8bb77c30b32bf33e8808a9f97d52664 |
| SHA256 | 4f64ade810183f1f1508ac008bb6669411d53c1383a48a4fc7309a8f10df302b |
| SHA512 | 581cb1b4322de64acba704fa4ab89bc82b2c608e40a6f26a899c5bdb184e39040e0e396dfe30ce28ee660c3ae1c2c87421998fa1dcbef724c57ebf0707f2c59e |