Analysis Overview
SHA256
5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3
Threat Level: Shows suspicious behavior
The file 5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3 was found to be: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 14:22
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
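Both the static and the behavioral passes above report "VMProtect packed file" without showing what they matched on. The following added example is not part of this report or of the sandbox's ruleset; it reproduces the usual section-level fingerprint check from raw PE bytes: VMProtect's default section names .vmp0/.vmp1, an executable section with zero raw size that the unpacker fills at runtime, an RWX section, and near-8-bit entropy in the section carrying the packed payload. The entropy threshold and the small PE the script builds for itself are constructed for the demonstration and are not derived from the analysed binary.

```python
"""Section-level VMProtect indicators from raw PE bytes.

Added example; not part of the sandbox report. The PE produced by
build_sample_pe() is constructed here and is not the analysed binary.
"""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.2  # bits/byte; assumed cut-off, plain x86 code sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
            "chars": chars, "entropy": shannon_entropy(raw),
        })
    return sections


def vmprotect_indicators(sections: list) -> list:
    """Return human-readable reasons; an empty list means no indicator fired."""
    hits = []
    for s in sections:
        name = s["name"]
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        if name.lower().startswith(".vmp"):
            hits.append(f"section name {name}")
        if s["rawsize"] and s["entropy"] > ENTROPY_THRESHOLD:
            hits.append(f"high entropy {s['entropy']:.2f} in {name}")
        if executable and s["chars"] & IMAGE_SCN_MEM_WRITE:
            hits.append(f"RWX section {name}")
        if executable and s["rawsize"] == 0 and s["vsize"] > 0:
            hits.append(f"executable section {name} has no file data (filled at runtime)")
    return hits


def build_sample_pe() -> bytes:
    """Constructed PE with a VMProtect-style layout (not the sample from the report)."""
    rnd = random.Random(1)
    packed = bytes(rnd.getrandbits(8) for _ in range(4096))  # stands in for the encrypted payload
    stub = b"\x90" * 0x200                                   # low-entropy code
    # (name, VirtualSize, VirtualAddress, raw bytes, Characteristics)
    layout = [
        (b".text", 0x1000, 0x1000, stub, 0x60000020),    # CODE | EXECUTE | READ
        (b".vmp0", 0x20000, 0x2000, b"", 0xE0000020),    # CODE | EXECUTE | READ | WRITE, zero raw size
        (b".vmp1", 0x1000, 0x22000, packed, 0x60000020),
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # SizeOfOptionalHeader = 0 keeps the sample short; a loadable PE carries a 0xE0/0xF0-byte optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0, 0x0102)
    raw_base = (len(dos) + len(coff) + 40 * len(layout) + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for name, vsize, vaddr, data, chars in layout:
        ptr = raw_base + len(body) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
    headers = dos + coff + table
    return headers + b"\0" * (raw_base - len(headers)) + body


if __name__ == "__main__":
    for hit in vmprotect_indicators(parse_sections(build_sample_pe())):
        print(hit)
```

Section names are the weakest of the four checks, since VMProtect lets the author rename them; the zero-raw-size executable section and the entropy of the payload section survive a rename, which is why a verdict should rest on more than one indicator.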
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 14:22
Reported
2024-05-21 14:24
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe
"C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | techie258.lofter.com | udp |
| SG | 8.219.190.98:443 | techie258.lofter.com | tcp |
| US | 8.8.8.8:53 | www.tutule4d.com | udp |
| CN | 101.42.45.7:6678 | www.tutule4d.com | tcp |
| CN | 101.42.45.7:6678 | www.tutule4d.com | tcp |
Files
memory/1072-2-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1072-0-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1072-29-0x0000000000370000-0x0000000000371000-memory.dmp
memory/1072-27-0x0000000000370000-0x0000000000371000-memory.dmp
memory/1072-24-0x0000000000360000-0x0000000000361000-memory.dmp
memory/1072-22-0x0000000000360000-0x0000000000361000-memory.dmp
memory/1072-19-0x0000000000350000-0x0000000000351000-memory.dmp
memory/1072-17-0x0000000000350000-0x0000000000351000-memory.dmp
memory/1072-14-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1072-12-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1072-9-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1072-7-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1072-5-0x0000000000330000-0x0000000000331000-memory.dmp
\Users\Admin\AppData\Local\Temp\HPSocket4C.dll
| MD5 | 707aa56cf742eb934185edf0a69d7289 |
| SHA1 | dab68976c4bd2d420c8adcd268fc1ffdd5e277e0 |
| SHA256 | 3582d7ad93c54c2efddac6df4cf7d9e4b2ef1d8895dc9d12a781faf3cfb8bf12 |
| SHA512 | 8be50ffedd0a250b4519069cec5781a9d0182fe47dce79c1991fc775a9580550c4b512de37e3423dc5d22013dce4cdcb1f178becbf5ef8ccb610c7ccd6d0f54d |
memory/1072-37-0x00000000009BA000-0x0000000000E8C000-memory.dmp
memory/1072-43-0x0000000000400000-0x000000000178B000-memory.dmp
memory/1072-4-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1072-34-0x0000000000380000-0x0000000000381000-memory.dmp
memory/1072-32-0x0000000000380000-0x0000000000381000-memory.dmp
memory/1072-30-0x0000000000380000-0x0000000000381000-memory.dmp
memory/1072-44-0x0000000000400000-0x000000000178B000-memory.dmp
memory/1072-45-0x0000000000400000-0x000000000178B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 14:22
Reported
2024-05-21 14:24
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe
"C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | techie258.lofter.com | udp |
| SG | 8.219.190.98:443 | techie258.lofter.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.190.219.8.in-addr.arpa | udp |
| CN | 8.141.58.141:6678 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| CN | 8.141.58.141:6678 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
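The Network tables of behavioral1 and behavioral2 mix the sample's own traffic with what a Windows sandbox image generates by itself. The added example below is analyst tooling, not part of the report: it parses the rows as exported (the copy embedded here keeps the raw form of the two 8.141.58.141 rows, where the protocol sits in the Domain column, and normalises it), then sorts destinations into sandbox noise, DNS lookups, web traffic to review, and direct TCP to a non-standard port. The noise suffix list is an assumption about these two images; the port 6678 connections to 101.42.45.7 and 8.141.58.141 are what it surfaces as command-and-control candidates.

```python
"""Triage of the sandbox Network tables: background noise vs. candidate C2.

Added example; not part of the report. NETWORK_TABLE is copied from the
behavioral1 and behavioral2 tables; the noise list is analyst judgement.
"""
from collections import Counter

NETWORK_TABLE = """
| US | 8.8.8.8:53 | techie258.lofter.com | udp |
| SG | 8.219.190.98:443 | techie258.lofter.com | tcp |
| US | 8.8.8.8:53 | www.tutule4d.com | udp |
| CN | 101.42.45.7:6678 | www.tutule4d.com | tcp |
| CN | 101.42.45.7:6678 | www.tutule4d.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | techie258.lofter.com | udp |
| SG | 8.219.190.98:443 | techie258.lofter.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| CN | 8.141.58.141:6678 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| CN | 8.141.58.141:6678 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

RESOLVER = "8.8.8.8:53"
# Assumed background traffic for these sandbox images: reverse lookups and
# Windows 10 Start/Search calls to Bing. Adjust per environment.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_rows(table: str) -> list:
    """Parse pipe-delimited rows; tolerate a Proto value that slipped into the Domain column."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain.lower() in ("tcp", "udp") and not proto:  # export quirk: columns shifted left
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def classify(row: dict):
    """Return (bucket, indicator) for one row."""
    dest, domain, proto = row["dest"], row["domain"], row["proto"]
    _host, _, port = dest.rpartition(":")
    if dest == RESOLVER:
        # For a DNS row the indicator is the name asked for, not the resolver
        bucket = "noise" if domain.endswith(NOISE_SUFFIXES) else "lookup"
        return bucket, f"dns:{domain}"
    if domain.endswith(NOISE_SUFFIXES):
        return "noise", f"{dest}/{proto}"
    label = f"{dest}/{proto} ({domain or 'no name seen'})"
    if port in ("80", "443"):
        return "review", label      # web traffic to a named host: config fetch or legitimate, check content
    return "c2-candidate", label    # direct TCP to a non-standard port


def triage(table: str) -> dict:
    """Bucket -> Counter of indicator -> number of rows that produced it."""
    buckets = {}
    for row in parse_rows(table):
        bucket, ioc = classify(row)
        buckets.setdefault(bucket, Counter())[ioc] += 1
    return buckets


if __name__ == "__main__":
    for bucket, iocs in triage(NETWORK_TABLE).items():
        print(bucket)
        for ioc, n in iocs.most_common():
            print(f"  {n}x {ioc}")
```

The "review" bucket is deliberately separate from the C2 candidates: techie258.lofter.com is a page on a public blogging platform, fetched over 443 in both runs, so the content returned needs to be looked at before deciding whether it is benign or carries configuration for the sample. Counting repeated rows (two 6678 connections per run) is what distinguishes a retried beacon from a one-off lookup.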
Files
memory/1172-9-0x00000000009BA000-0x0000000000E8C000-memory.dmp
memory/1172-7-0x0000000000400000-0x000000000178B000-memory.dmp
memory/1172-6-0x0000000003680000-0x0000000003681000-memory.dmp
memory/1172-5-0x0000000003670000-0x0000000003671000-memory.dmp
memory/1172-4-0x00000000018E0000-0x00000000018E1000-memory.dmp
memory/1172-3-0x00000000018D0000-0x00000000018D1000-memory.dmp
memory/1172-2-0x00000000018A0000-0x00000000018A1000-memory.dmp
memory/1172-1-0x0000000001880000-0x0000000001881000-memory.dmp
memory/1172-0-0x0000000001870000-0x0000000001871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll
| MD5 | 707aa56cf742eb934185edf0a69d7289 |
| SHA1 | dab68976c4bd2d420c8adcd268fc1ffdd5e277e0 |
| SHA256 | 3582d7ad93c54c2efddac6df4cf7d9e4b2ef1d8895dc9d12a781faf3cfb8bf12 |
| SHA512 | 8be50ffedd0a250b4519069cec5781a9d0182fe47dce79c1991fc775a9580550c4b512de37e3423dc5d22013dce4cdcb1f178becbf5ef8ccb610c7ccd6d0f54d |
memory/1172-16-0x0000000000400000-0x000000000178B000-memory.dmp
memory/1172-17-0x0000000000400000-0x000000000178B000-memory.dmp