Analysis Overview
SHA256
fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2
Threat Level: Shows suspicious behavior
The file fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2 was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
UPX packed file
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 15:07
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 15:07
Reported
2024-05-22 15:10
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\MultiGame.dll | C:\Users\Admin\AppData\Local\Temp\fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2.exe | N/A |
| File created | C:\Windows\Au¶à¿ª.SYS | C:\Users\Admin\AppData\Local\Temp\fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2.exe
"C:\Users\Admin\AppData\Local\Temp\fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| CN | 121.62.63.242:6655 | N/A | tcp |
Files
memory/2220-4-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2220-2-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2220-0-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2220-5-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2220-7-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2220-9-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2220-12-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2220-14-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2220-29-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2220-27-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2220-24-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2220-22-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2220-19-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2220-17-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2220-30-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-32-0x0000000000798000-0x0000000000B4E000-memory.dmp
memory/2220-34-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-51-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-78-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-65-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-63-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-81-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-82-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-83-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-61-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-84-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-59-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-57-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-55-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-53-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-49-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-47-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-45-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-43-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-41-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-39-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-37-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-36-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-35-0x0000000002890000-0x00000000028CE000-memory.dmp
memory/2220-85-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-86-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-87-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-88-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-89-0x0000000000400000-0x0000000001032000-memory.dmp
memory/2220-90-0x0000000000798000-0x0000000000B4E000-memory.dmp
memory/2220-91-0x0000000000400000-0x0000000001032000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 15:07
Reported
2024-05-22 15:10
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\MultiGame.dll | C:\Users\Admin\AppData\Local\Temp\fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2.exe | N/A |
| File created | C:\Windows\Au¶à¿ª.SYS | C:\Users\Admin\AppData\Local\Temp\fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2.exe
"C:\Users\Admin\AppData\Local\Temp\fb2c8ce0d2deee479da1a8bf63ccb5c9e37ef2cd6f2b4f341118b6b81676c0f2.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| CN | 121.62.63.242:6655 | N/A | tcp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4540-2-0x0000000001610000-0x0000000001611000-memory.dmp
memory/4540-0-0x0000000001210000-0x0000000001211000-memory.dmp
memory/4540-6-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-1-0x0000000001220000-0x0000000001221000-memory.dmp
memory/4540-7-0x0000000000798000-0x0000000000B4E000-memory.dmp
memory/4540-5-0x0000000001660000-0x0000000001661000-memory.dmp
memory/4540-4-0x0000000001650000-0x0000000001651000-memory.dmp
memory/4540-3-0x0000000001640000-0x0000000001641000-memory.dmp
memory/4540-28-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-50-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-52-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-48-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-55-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-46-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-44-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-42-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-40-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-39-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-36-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-34-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-32-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-30-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-26-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-24-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-22-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-20-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-18-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-16-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-14-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-11-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-10-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-12-0x00000000031E0000-0x000000000321E000-memory.dmp
memory/4540-56-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-57-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-58-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-59-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-60-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-61-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-62-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-63-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-64-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-65-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-66-0x0000000000400000-0x0000000001032000-memory.dmp
memory/4540-67-0x0000000000798000-0x0000000000B4E000-memory.dmp
memory/4540-68-0x0000000000400000-0x0000000001032000-memory.dmp