Analysis Overview
SHA256
764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617
Threat Level: Known bad
The file 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617 was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with VMProtect.
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 23:44
Signatures
Detects executables packed with VMProtect.
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 23:44
Reported
2024-06-02 23:46
Platform
win7-20240508-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Detects executables packed with VMProtect.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\61dbdd7c\jusched.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\61dbdd7c\jusched.exe | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | N/A |
| File created | C:\Program Files (x86)\61dbdd7c\61dbdd7c | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | C:\Program Files (x86)\61dbdd7c\jusched.exe |
| PID 3016 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | C:\Program Files (x86)\61dbdd7c\jusched.exe |
| PID 3016 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | C:\Program Files (x86)\61dbdd7c\jusched.exe |
| PID 3016 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | C:\Program Files (x86)\61dbdd7c\jusched.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
"C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe"
C:\Program Files (x86)\61dbdd7c\jusched.exe
"C:\Program Files (x86)\61dbdd7c\jusched.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | elegan_786444.el.funpic.org | udp |
| US | 8.8.8.8:53 | griptoloji.host-ed.net | udp |
| US | 8.8.8.8:53 | ftp.tripod.com | udp |
| US | 209.202.252.54:21 | ftp.tripod.com | tcp |
| US | 209.202.252.54:21 | ftp.tripod.com | tcp |
Files
memory/3016-0-0x0000000000400000-0x000000000042C000-memory.dmp
\Program Files (x86)\61dbdd7c\jusched.exe
| MD5 | 8d42123f44bb48cb7f5e3a17074cbb60 |
| SHA1 | 6d5de1c5b5395cdec7cad4f184e44e747f258e12 |
| SHA256 | e3c490bc7b8b7fcb9bb6867ee9731f42d8d6801c9e9a71d8d8c218f2ba9442b8 |
| SHA512 | 245b19de4982220e085851d19c20d52957bfccc5c95bba86c3c8c4f3bdc6500c977cf96e4652d821e4237a7dfb914e0a97e6673aad4d410906a6b96ddd5305c4 |
memory/3016-6-0x00000000027F0000-0x000000000281C000-memory.dmp
memory/3016-12-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3016-13-0x00000000027F0000-0x000000000281C000-memory.dmp
memory/2192-14-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Program Files (x86)\61dbdd7c\61dbdd7c
| MD5 | f253efe302d32ab264a76e0ce65be769 |
| SHA1 | 768685ca582abd0af2fbb57ca37752aa98c9372b |
| SHA256 | 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd |
| SHA512 | 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 23:44
Reported
2024-06-02 23:46
Platform
win10v2004-20240226-en
Max time kernel
157s
Max time network
164s
Command Line
Signatures
Detects executables packed with VMProtect.
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\da742b0c\jusched.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\da742b0c\jusched.exe | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | N/A |
| File created | C:\Program Files (x86)\da742b0c\da742b0c | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4444 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | C:\Program Files (x86)\da742b0c\jusched.exe |
| PID 4444 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | C:\Program Files (x86)\da742b0c\jusched.exe |
| PID 4444 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe | C:\Program Files (x86)\da742b0c\jusched.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
"C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe"
C:\Program Files (x86)\da742b0c\jusched.exe
"C:\Program Files (x86)\da742b0c\jusched.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.178.10:443 | | tcp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elegan_786444.el.funpic.org | udp |
| US | 8.8.8.8:53 | griptoloji.host-ed.net | udp |
| US | 8.8.8.8:53 | ftp.tripod.com | udp |
| US | 209.202.252.54:21 | ftp.tripod.com | tcp |
| US | 8.8.8.8:53 | 54.252.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elegan_786444.el.funpic.org | udp |
| US | 8.8.8.8:53 | griptoloji.host-ed.net | udp |
| US | 209.202.252.54:21 | ftp.tripod.com | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
memory/4444-0-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Program Files (x86)\da742b0c\jusched.exe
| MD5 | 15143b9587945079a54e4c75d5f7e0f7 |
| SHA1 | b258c71cfcbfb625faacfed7452c56a5e3213ebb |
| SHA256 | 40f12bf35f69c1871790a744daf38b124c10aa767dca15d531c9b5272ff879b8 |
| SHA512 | cc4e261055ffd27ae51fe15ec5d18ac1fe622f907a741cd834dc4ae7b024dae7efc4b8cb496b00ef5dcb191e344b6004f3832c8e2f6f5f9f975867868be196fd |
memory/4816-10-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4444-11-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Program Files (x86)\da742b0c\da742b0c
| MD5 | f253efe302d32ab264a76e0ce65be769 |
| SHA1 | 768685ca582abd0af2fbb57ca37752aa98c9372b |
| SHA256 | 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd |
| SHA512 | 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4 |
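Hunting for the behaviour recorded in behavioral1 and behavioral2 above, as an added example (editor's code, not part of the sandbox report and not the sample's own code). It pins on the indicators the two detonations agree on: a jusched.exe dropped into a directory named with eight random hex characters directly under Program Files (x86), an extension-less companion file with the same name (identical hash in both runs), the parent writing into the dropped process's memory, the queried domains, and the FTP connection to 209.202.252.54:21. The event records it scans are constructed for the demonstration; the event field names and the legitimate Java Update Scheduler path used as a negative case (Common Files\Java\Java Update) are assumptions from outside the report.

```python
"""Match endpoint telemetry against the indicators in the report above.

Added example, not part of the sandbox report. Event layout and the
sample events below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# SHA256 values taken from the Files sections of the two detonations.
KNOWN_SHA256 = {
    "764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617": "submitted sample",
    "e3c490bc7b8b7fcb9bb6867ee9731f42d8d6801c9e9a71d8d8c218f2ba9442b8": "dropped jusched.exe (win7 run)",
    "40f12bf35f69c1871790a744daf38b124c10aa767dca15d531c9b5272ff879b8": "dropped jusched.exe (win10 run)",
    "49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd": "companion file <dir>\\<dir> (both runs)",
}

# Domains queried and the FTP endpoint contacted in both detonations.
KNOWN_DOMAINS = {"elegan_786444.el.funpic.org", "griptoloji.host-ed.net", "ftp.tripod.com"}
KNOWN_ENDPOINTS = {("209.202.252.54", 21)}

# Drop layout seen in both runs: C:\Program Files (x86)\<8 hex>\jusched.exe plus
# C:\Program Files (x86)\<8 hex>\<same 8 hex>. The directory name changed between
# runs (61dbdd7c, da742b0c), so match the shape rather than a literal path.
DROP_PATH_RE = re.compile(
    r"^[A-Za-z]:\\Program Files \(x86\)\\(?P<tag>[0-9a-f]{8})\\(?P<name>jusched\.exe|(?P=tag))$",
    re.IGNORECASE,
)


@dataclass
class Event:
    kind: str          # "file_create", "dns_query", "net_connect" or "proc_access" (assumed schema)
    process: str       # image path of the acting process
    target: str = ""   # created file, queried name, "ip:port", or accessed process image
    sha256: str = ""   # hash of a created file, when the collector recorded one


def classify(ev: Event) -> list[str]:
    """Return the reasons an event matches the report's indicators (empty if none)."""
    hits = []
    if ev.kind == "file_create":
        if DROP_PATH_RE.match(ev.target):
            hits.append("file created in <8-hex dir> layout under Program Files (x86)")
        if ev.sha256.lower() in KNOWN_SHA256:
            hits.append("known hash: " + KNOWN_SHA256[ev.sha256.lower()])
    elif ev.kind == "dns_query":
        if ev.target.lower().rstrip(".") in KNOWN_DOMAINS:
            hits.append("DNS query for domain seen in detonation")
    elif ev.kind == "net_connect":
        host, _, port = ev.target.rpartition(":")
        if port.isdigit() and (host, int(port)) in KNOWN_ENDPOINTS:
            hits.append("connection to FTP endpoint seen in detonation")
    elif ev.kind == "proc_access":
        # Report: the dropper (PID 3016 / 4444) wrote into the dropped jusched.exe.
        if DROP_PATH_RE.match(ev.target) and not DROP_PATH_RE.match(ev.process):
            hits.append("parent wrote into memory of dropped jusched.exe")
    return hits


def scan(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Return every event that matched, paired with its reasons."""
    results = []
    for ev in events:
        hits = classify(ev)
        if hits:
            results.append((ev, hits))
    return results


# Constructed sample telemetry, modelled on the win7 run; not raw data from the report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe"
DROPPED = r"C:\Program Files (x86)\61dbdd7c\jusched.exe"
SAMPLE_EVENTS = [
    Event("file_create", DROPPER, DROPPED,
          "e3c490bc7b8b7fcb9bb6867ee9731f42d8d6801c9e9a71d8d8c218f2ba9442b8"),
    Event("file_create", DROPPER, r"C:\Program Files (x86)\61dbdd7c\61dbdd7c",
          "49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd"),
    # Negative case (assumed legitimate layout): same file name, different directory shape.
    Event("file_create", r"C:\Windows\System32\msiexec.exe",
          r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe", "0" * 64),
    Event("proc_access", DROPPER, DROPPED),
    Event("dns_query", DROPPED, "ftp.tripod.com"),
    Event("net_connect", DROPPED, "209.202.252.54:21"),
    Event("dns_query", DROPPED, "54.252.202.209.in-addr.arpa"),  # reverse lookup, not an indicator
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{ev.kind:12} {ev.target}")
        for r in reasons:
            print("    -", r)
```

Two points the report supports and the code reflects: the dropped jusched.exe hash differs between the win7 and win10 runs while the companion file hash (49dca65f...) is identical in both, so that hash and the directory shape are the stable indicators; and the reverse-DNS (in-addr.arpa) and Microsoft/Google traffic in the win10 run are sandbox background, so only the three queried domains and the FTP endpoint are treated as network indicators.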