Analysis Overview
SHA256
165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6
Threat Level: Shows suspicious behavior
The file 165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
VMProtect packed file
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 20:46
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
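The two static signatures above (VMProtect packed file, Unsigned PE) can be reproduced from the PE headers alone, which is the first thing an analyst wants to confirm before detonating a sample. The script below is an added example, not part of the sandbox report and not the sample's code. It uses only the Python standard library: the VMProtect check is a heuristic (section names beginning with ".vmp" plus per-section entropy), and the "unsigned" check only tests whether the Authenticode security directory is populated; it does not verify the signature chain. The two PE images it parses are constructed in memory as test input, and the 7.2-bit entropy threshold is a tuning assumption.

```python
import hashlib
import math
import struct

# Heuristic: VMProtect names the sections it adds ".vmp0", ".vmp1", ... (an indicator, not proof).
VMPROTECT_SECTION_PREFIX = ".vmp"
HIGH_ENTROPY_BITS = 7.2          # assumed threshold; packed/encrypted data sits near 8.0 bits/byte
SECURITY_DIRECTORY_INDEX = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _pe_headers(data: bytes):
    """Return (coff_offset, optional_header_offset, is_pe32plus) or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return coff, opt, magic == 0x20B


def sections(data: bytes):
    """[(name, raw_bytes)] from the section table that follows the optional header."""
    coff, opt, _ = _pe_headers(data)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    out = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        out.append((name.rstrip(b"\0").decode("latin-1"), data[raw_ptr:raw_ptr + raw_size]))
    return out


def has_authenticode(data: bytes) -> bool:
    """True if the security data directory is populated. Presence is not validity:
    verifying the signature needs the Windows trust chain (e.g. Get-AuthenticodeSignature)."""
    _, opt, pe32plus = _pe_headers(data)
    count_off, dirs = (opt + 108, opt + 112) if pe32plus else (opt + 92, opt + 96)
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIRECTORY_INDEX:
        return False
    va, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIRECTORY_INDEX)
    return va != 0 and size != 0


def triage(data: bytes) -> dict:
    """Reproduce the report's two static signatures plus the hash to match against it."""
    secs = sections(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "section_entropy": {n: round(shannon_entropy(b), 2) for n, b in secs},
        "vmprotect_sections": [n for n, _ in secs if n.startswith(VMPROTECT_SECTION_PREFIX)],
        "high_entropy_sections": [n for n, b in secs if shannon_entropy(b) > HIGH_ENTROPY_BITS],
        "unsigned_pe": not has_authenticode(data),
    }


def build_sample_pe(section_data, signed):
    """Constructed test input: a minimal PE32 skeleton, not a real or malicious binary."""
    opt_size, nsec = 224, len(section_data)
    first_raw = -(-(64 + 4 + 20 + opt_size + 40 * nsec) // 0x200) * 0x200  # round up to FileAlignment
    raw_ptr, sec_hdrs, body = first_raw, b"", b""
    for name, blob in section_data:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(blob), raw_ptr, len(blob), raw_ptr,
                                0, 0, 0, 0, 0x60000020)
        body, raw_ptr = body + blob, raw_ptr + len(blob)
    cert = struct.pack("<IHH", 8, 0x0200, 0x0002) if signed else b""  # bare WIN_CERTIFICATE header
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIRECTORY_INDEX, raw_ptr, len(cert))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(first_raw, b"\0")
    return headers + body + cert


# Constructed samples: one shaped like the report's verdict, one benign-looking for contrast.
PACKED_UNSIGNED = build_sample_pe(
    [(b".text", b"\x90" * 512 + b"\xc3"),
     (b".vmp0", bytes(range(256)) * 16),
     (b".vmp1", bytes(range(256)) * 4)], signed=False)
PLAIN_SIGNED = build_sample_pe([(b".text", b"\x90" * 512 + b"\xc3")], signed=True)

if __name__ == "__main__":
    for label, img in (("packed/unsigned", PACKED_UNSIGNED), ("plain/signed", PLAIN_SIGNED)):
        print(label, triage(img))
```

To run it against the real sample, read the file into bytes and pass it to triage(); the sha256 field should equal the hash at the top of this report. A populated security directory still needs a trust-chain check on Windows before the file can be called signed, and a VMProtect build that renames its sections will defeat the name heuristic, which is why the entropy column is reported alongside it.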
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 20:46
Reported
2024-05-23 20:49
Platform
win7-20240508-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe
"C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe"
Network
Files
memory/2012-0-0x0000000000400000-0x0000000000BC0000-memory.dmp
memory/2012-7-0x0000000074F40000-0x0000000074F41000-memory.dmp
memory/2012-3-0x0000000077500000-0x0000000077501000-memory.dmp
memory/2012-9-0x0000000000400000-0x0000000000BC0000-memory.dmp
memory/2012-1-0x0000000077500000-0x0000000077501000-memory.dmp
memory/2012-11-0x0000000074F40000-0x0000000074F41000-memory.dmp
memory/2012-12-0x0000000077500000-0x0000000077501000-memory.dmp
\Users\Admin\AppData\Local\Temp\HS.dll
| MD5 | 7f3bb03aa6087da1c1a5a3402fae8b61 |
| SHA1 | 799463936b40bf0684d6475825f8e9c5a043bb76 |
| SHA256 | 91b9f410dbb0155a39a9a23ad19b893e41250856091f8403f9cdcd3c1a0f101c |
| SHA512 | 557bdcfda6d9f6b4d06b862ef2ad7101e07dfbe20d6d5ea3956e357f105441d00cfda8a2532210f679ae4ce7a96f7a9788456871d4ccc084d908c38acc35e8db |
memory/2012-16-0x0000000002B60000-0x0000000002D75000-memory.dmp
memory/2012-20-0x0000000000400000-0x0000000000BC0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 20:46
Reported
2024-05-23 20:49
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
102s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe
"C:\Users\Admin\AppData\Local\Temp\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2712-0-0x0000000000400000-0x0000000000BC0000-memory.dmp
memory/2712-1-0x0000000000400000-0x0000000000BC0000-memory.dmp
memory/2712-3-0x00000000766D0000-0x00000000766D1000-memory.dmp
memory/2712-5-0x0000000077A90000-0x0000000077A91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HS.dll
| MD5 | 7f3bb03aa6087da1c1a5a3402fae8b61 |
| SHA1 | 799463936b40bf0684d6475825f8e9c5a043bb76 |
| SHA256 | 91b9f410dbb0155a39a9a23ad19b893e41250856091f8403f9cdcd3c1a0f101c |
| SHA512 | 557bdcfda6d9f6b4d06b862ef2ad7101e07dfbe20d6d5ea3956e357f105441d00cfda8a2532210f679ae4ce7a96f7a9788456871d4ccc084d908c38acc35e8db |
memory/2712-10-0x0000000003150000-0x0000000003365000-memory.dmp
memory/2712-13-0x0000000002A40000-0x0000000002B13000-memory.dmp
memory/2712-14-0x0000000000400000-0x0000000000BC0000-memory.dmp
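The "Loads dropped DLL" signature in both behavioral runs (behavioral1 and behavioral2) describes the same sequence: the sample writes HS.dll into its own Temp directory and then loads it. The detection below is an added example, not part of the sandbox report, that reproduces that finding from endpoint telemetry by correlating Sysmon FileCreate events (Event ID 11) with ImageLoaded events (Event ID 7). The events it runs over are constructed to mirror the report's paths; the ProcessGuid values, timestamps and Signed values are made up, and the five-minute correlation window is a tuning assumption. It generalizes the report's case slightly by also flagging a different process loading the dropped DLL, which is the side-loading variant of the same behavior.

```python
from datetime import datetime

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\165bd939f99c53383671acc7f20167416833b514ce79f082462c81b17a2fbbe6.exe")
DROPPED_DLL = r"C:\Users\Admin\AppData\Local\Temp\HS.dll"

# Constructed Sysmon-style events (not captured from the sandbox run). Field names follow the
# Sysmon schema for Event ID 11 (FileCreate) and Event ID 7 (ImageLoaded); GUIDs/times are invented.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-05-23 20:46:41.000", "ProcessGuid": "{A}", "Image": SAMPLE_EXE,
     "TargetFilename": DROPPED_DLL},
    {"EventID": 7, "UtcTime": "2024-05-23 20:46:40.100", "ProcessGuid": "{A}", "Image": SAMPLE_EXE,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},       # system DLL, ignored
    {"EventID": 11, "UtcTime": "2024-05-23 20:46:41.200", "ProcessGuid": "{A}", "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\never_loaded.dll"},   # dropped, never loaded
    {"EventID": 7, "UtcTime": "2024-05-23 20:46:42.000", "ProcessGuid": "{A}", "Image": SAMPLE_EXE,
     "ImageLoaded": r"C:\Users\Admin\AppData\Local\Temp\hs.dll", "Signed": "false"},  # case differs on purpose
    {"EventID": 7, "UtcTime": "2024-05-23 20:46:50.000", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": DROPPED_DLL, "Signed": "false"},                               # another process side-loads it
]


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect_dropped_dll_loads(events, window_seconds=300):
    """Flag ImageLoaded events whose module was created earlier in the same trace.

    Paths are lower-cased because NTFS path lookups are case-insensitive; events are sorted by
    UtcTime so a load is only matched against drops that precede it. Returns one finding per
    matching load, in time order.
    """
    dropped = {}    # normalized path -> (creator ProcessGuid, creation time)
    findings = []
    for event in sorted(events, key=_ts):
        if event["EventID"] == 11:
            dropped[event["TargetFilename"].lower()] = (event["ProcessGuid"], _ts(event))
        elif event["EventID"] == 7:
            key = event["ImageLoaded"].lower()
            if key not in dropped:
                continue
            creator, created_at = dropped[key]
            age = (_ts(event) - created_at).total_seconds()
            if age > window_seconds:
                continue
            findings.append({
                "time": event["UtcTime"],
                "process": event["Image"],
                "dll": event["ImageLoaded"],
                "same_process": event["ProcessGuid"] == creator,
                "signed": event.get("Signed", "").lower() == "true",
                "seconds_after_drop": age,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_dropped_dll_loads(SAMPLE_EVENTS):
        kind = "self-drop-and-load" if finding["same_process"] else "side-load by other process"
        print(f'{finding["time"]} {kind}: {finding["process"]} -> {finding["dll"]} '
              f'(signed={finding["signed"]}, {finding["seconds_after_drop"]:.1f}s after drop)')
```

In a real pipeline the Event ID 11 stream is far larger than this, so the drop map should be bounded (evict entries older than the window) and the unsigned-module case from the report, an unsigned DLL in a user-writable Temp directory loaded by the process that wrote it, is the one to alert on first; a signed module loaded by a different process is the lower-severity side-loading case.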