Analysis Overview
SHA256
d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78
Threat Level: Shows suspicious behavior
The file d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78 was classified as showing suspicious behavior; no malware family was attributed.
Malicious Activity Summary
VMProtect packed file
UPX packed file
Enumerates connected drives
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 01:22
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
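The three static verdicts above (UPX packed, VMProtect packed, unsigned PE) can be reproduced from the PE headers alone. The script below is an added example, not the sandbox's own rule logic, which this report does not show; it assumes the usual heuristics: stock packer section names (UPX0/UPX1, .vmp0/.vmp1), Shannon entropy of executable sections above 7 bits per byte, and an empty IMAGE_DIRECTORY_ENTRY_SECURITY for "unsigned". The test images are constructed in memory, not the sample from this report.

```python
import hashlib
import math
import struct
from collections import Counter

# Stock section names the two packers named in the report leave behind.
# Assumption: a build configured to rename sections will not match here and
# only the entropy check below will fire.
UPX_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}
VMP_NAMES = {".vmp0", ".vmp1", ".vmp2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode blob; size 0 means unsigned
ENTROPY_PACKED = 7.0                 # bits/byte; plain x86 code is usually ~6


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes):
    """Walk the headers of an on-disk PE and return (sections, has_authenticode)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    sec_dir_size = struct.unpack_from("<II", pe, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)[1]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name,
                         "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
                         "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return sections, sec_dir_size != 0


def classify(pe: bytes) -> dict:
    """Derive the report's static verdicts from section names, entropy and the security directory."""
    sections, signed = parse_pe(pe)
    names = {s["name"] for s in sections}
    return {
        "upx": bool(names & UPX_NAMES),
        "vmprotect": bool(names & VMP_NAMES),
        # High-entropy executable sections: compressed or virtualized code, whatever the packer is called.
        "packed_exec": [s["name"] for s in sections if s["exec"] and s["entropy"] > ENTROPY_PACKED],
        # Presence of a signature blob only; validity still needs signtool / Get-AuthenticodeSignature.
        "signed": signed,
    }


# --- constructed test images (not the sample from this report) ---------------------
CODE = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
DATA = 0xC0000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE


def noise(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out = b""
    for i in range(0, n, 32):
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
    return out[:n]


def build_pe(sections, signed=False) -> bytes:
    """Minimal PE32 with the given (name, raw_bytes, characteristics) sections."""
    opt = bytearray(0xE0)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if signed:                                              # fake security directory entry
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x8000, 0x1000)
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    img += opt
    raw_ptr, blobs = 0x400, []
    for i, (name, data, chars) in enumerate(sections):
        img += name.encode().ljust(8, b"\0")
        img += struct.pack("<IIIIIIHHI", len(data), 0x1000 * (i + 1), len(data), raw_ptr, 0, 0, 0, 0, chars)
        blobs.append(data)
        raw_ptr += len(data)
    img += b"\0" * (0x400 - len(img))
    return bytes(img) + b"".join(blobs)


UPX_LIKE = build_pe([("UPX0", b"", CODE), ("UPX1", noise(4096), CODE), (".rsrc", b"\0" * 512, DATA)])
VMP_LIKE = build_pe([(".text", b"\x90" * 1024, CODE), (".vmp0", noise(2048), DATA), (".vmp1", noise(4096), CODE)])
PLAIN = build_pe([(".text", b"\x90" * 2048 + b"\xC3" * 512, CODE), (".data", b"A" * 1024, DATA)], signed=True)

if __name__ == "__main__":
    for label, img in (("upx-like", UPX_LIKE), ("vmprotect-like", VMP_LIKE), ("plain signed", PLAIN)):
        print(label, classify(img))
```

Both packer signatures firing on one file, as they do here, usually means string-based rules matched rather than two packers being applied in sequence, so confirm by hand (UPX unpacks with `upx -d` only if the UPX headers are intact; a VMProtect layer does not). The signed check only tells you a signature blob exists; it says nothing about the chain being valid.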
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 01:22
Reported
2024-06-26 01:25
Platform
win7-20240419-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe
"C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip.yinliu2.com | udp |
| HK | 8.218.194.237:80 | ip.yinliu2.com | tcp |
| US | 8.8.8.8:53 | pv.sohu.com | udp |
| GB | 43.132.64.25:80 | pv.sohu.com | tcp |
| CN | 222.211.73.252:3001 | | tcp |
| CN | 222.211.73.252:3002 | | tcp |
| CN | 222.211.73.252:3000 | | tcp |
Files
memory/2052-29-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2052-27-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2052-24-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2052-22-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2052-19-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2052-17-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2052-14-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2052-12-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2052-9-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2052-7-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2052-5-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2052-4-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2052-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2052-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2052-35-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-38-0x00000000009BB000-0x000000000116E000-memory.dmp
memory/2052-34-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2052-63-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-61-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-59-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-57-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-55-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-53-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-51-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-49-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-84-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-47-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-45-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-43-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-85-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-41-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-40-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-39-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-32-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2052-30-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2052-86-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-87-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-88-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-89-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-90-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-91-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-92-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-93-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-94-0x0000000000400000-0x0000000001DD3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 01:22
Reported
2024-06-26 01:25
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
141s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe
"C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2708,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=4540 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip.yinliu2.com | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| HK | 8.218.194.237:80 | ip.yinliu2.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pv.sohu.com | udp |
| GB | 43.132.64.25:80 | pv.sohu.com | tcp |
| CN | 222.211.73.252:3000 | | tcp |
| US | 8.8.8.8:53 | 237.194.218.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.64.132.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| CN | 222.211.73.252:3002 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| CN | 222.211.73.252:3001 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
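The win10 Network table mixes the sample's traffic with lookups the sandbox itself generates: reverse PTR queries for every peer and the bing.com/bing.net connections that belong to the msedge.exe process listed under Processes. The script below, an added example rather than anything from the report, turns both Network tables (behavioral1 and behavioral2) into indicators by dropping the DNS queries to the sandbox resolver and the Edge noise, separating hosts that were resolved by name from the 222.211.73.252 endpoints contacted with no preceding lookup, and emitting Suricata rules. It assumes the bing traffic is Edge telemetry, and it tolerates the shifted rows in the original tables where the protocol sits in the Domain column. The rule text is the standard Suricata syntax, not something the report provides.

```python
# Rows copied from the two Network tables in this report (behavioral1 and behavioral2).
# Some are deliberately kept in the report's shifted form ("| tcp | |") to show the parser copes.
REPORT_ROWS = """
| US | 8.8.8.8:53 | ip.yinliu2.com | udp |
| HK | 8.218.194.237:80 | ip.yinliu2.com | tcp |
| US | 8.8.8.8:53 | pv.sohu.com | udp |
| GB | 43.132.64.25:80 | pv.sohu.com | tcp |
| CN | 222.211.73.252:3001 | tcp | |
| CN | 222.211.73.252:3002 | tcp | |
| CN | 222.211.73.252:3000 | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| HK | 8.218.194.237:80 | ip.yinliu2.com | tcp |
| CN | 222.211.73.252:3000 | | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""

RESOLVER = "8.8.8.8:53"
# Assumption: these belong to the msedge.exe the sandbox launched, not to the sample.
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
# Sohu's analytics host also serves a widely used public IP-lookup endpoint,
# so a DNS hit on it alone is a weak indicator.
LOW_FIDELITY = {"pv.sohu.com"}


def parse_rows(text: str):
    """Parse '| Country | Destination | Domain | Proto |' rows, including the shifted ones."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest = cells[0], cells[1]
        if cells[2] in ("tcp", "udp"):          # "| CN | ip:port | tcp | |": no Domain cell
            domain, proto = "", cells[2]
        else:
            domain, proto = cells[2], (cells[3] if len(cells) > 3 else "")
        rows.append((country, dest, domain, proto))
    return rows


def triage(rows):
    """Return (hosts, direct): name-resolved endpoints and hard-coded ip:port endpoints."""
    hosts, direct = {}, {}
    for country, dest, domain, proto in rows:
        if dest == RESOLVER and proto == "udp":
            continue                             # the lookup itself; the answer is the tcp row
        if domain.endswith(NOISE_SUFFIXES):
            continue
        if domain:
            hosts.setdefault(domain, set()).add(dest)
        else:
            direct.setdefault(dest, country)     # no DNS seen: address is in the binary or config
    return hosts, direct


def suricata_rules(hosts, direct, sid=9000001):
    """One alert per indicator; low-fidelity domains are tagged in msg so they can be disabled."""
    rules = []
    for domain in hosts:
        tag = "low-fidelity " if domain in LOW_FIDELITY else ""
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"{tag}sandbox IOC dns {domain}"; '
                     f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    by_ip = {}
    for dest in direct:                          # group the 3000/3001/3002 ports under one rule
        ip, port = dest.rsplit(":", 1)
        by_ip.setdefault(ip, []).append(port)
    for ip, ports in by_ip.items():
        rules.append(f'alert tcp $HOME_NET any -> {ip} [{",".join(sorted(ports))}] '
                     f'(msg:"sandbox IOC direct tcp {ip}"; flow:to_server,established; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    hosts, direct = triage(parse_rows(REPORT_ROWS))
    print(hosts, direct)
    print("\n".join(suricata_rules(hosts, direct)))
```

The split matters for how the indicators age: the 222.211.73.252 connections on three adjacent ports with no DNS lookup are the most specific artifact in the report, while a domain that resolves to shared or CDN infrastructure (note the GB and HK egress for the two resolved hosts) is only useful together with the HTTP request itself, which this report does not capture.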
Files
memory/4952-0-0x0000000001F40000-0x0000000001F41000-memory.dmp
memory/4952-2-0x00000000020C0000-0x00000000020C1000-memory.dmp
memory/4952-1-0x00000000020B0000-0x00000000020B1000-memory.dmp
memory/4952-7-0x0000000002130000-0x0000000002131000-memory.dmp
memory/4952-6-0x00000000009BB000-0x000000000116E000-memory.dmp
memory/4952-5-0x0000000002110000-0x0000000002111000-memory.dmp
memory/4952-4-0x0000000002100000-0x0000000002101000-memory.dmp
memory/4952-3-0x00000000020F0000-0x00000000020F1000-memory.dmp
memory/4952-8-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-13-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-12-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-53-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-55-0x0000000004080000-0x00000000040A6000-memory.dmp
memory/4952-56-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-54-0x0000000003F40000-0x0000000003F66000-memory.dmp
memory/4952-51-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-57-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-49-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-47-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-43-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-41-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-39-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-37-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-35-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-33-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-31-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-29-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-27-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-23-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-21-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-19-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-17-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-15-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-11-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-45-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-25-0x0000000010000000-0x000000001003E000-memory.dmp
memory/4952-58-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-59-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-60-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-61-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-62-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-63-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-64-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-65-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-66-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-67-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-68-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-69-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-70-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-71-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-72-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-73-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-74-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-75-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-76-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-77-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-78-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/4952-79-0x0000000000400000-0x0000000001DD3000-memory.dmp
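The Files lists for both runs are dump names of the form memory/PID-INDEX-START-END-memory.dmp, one per snapshot of a region, so the same range appears many times. Collapsing them shows what the sandbox actually captured: a ~26 MB image at 0x400000, a sub-range of it at 0x9BB000-0x116E000, a 0x3E000-byte region at 0x10000000 dumped repeatedly, and single scratch pages. The script below is an added example (not part of the report) that groups the names from the behavioral1 list, which is a representative subset here, and annotates the regions. The annotations are analyst heuristics and assumptions: 0x400000 is the default image base for a non-ASLR 32-bit executable, 0x10000000 is the default preferred base MSVC gives a 32-bit DLL, and a region dumped many times is one the sandbox saw being rewritten. The report does not say what any of these regions contain.

```python
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Dump names copied from the behavioral1 Files list in this report (subset).
DUMP_NAMES = """
memory/2052-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2052-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2052-5-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2052-35-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-38-0x00000000009BB000-0x000000000116E000-memory.dmp
memory/2052-39-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-41-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-63-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2052-84-0x0000000000400000-0x0000000001DD3000-memory.dmp
memory/2052-94-0x0000000000400000-0x0000000001DD3000-memory.dmp
""".split()

EXE_BASE = 0x00400000   # assumption: default image base of a non-ASLR 32-bit EXE
DLL_BASE = 0x10000000   # assumption: MSVC default preferred base of a 32-bit DLL
PAGE = 0x1000


def group_regions(names):
    """Collapse per-snapshot dump names into one record per (pid, start, end)."""
    regions = {}
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue                                  # not a memory dump entry
        key = (int(m["pid"]), int(m["start"], 16), int(m["end"], 16))
        regions.setdefault(key, []).append(int(m["idx"]))
    return regions


def annotate(regions):
    """Describe each region: size, how often it was dumped, and what its address suggests."""
    out = []
    for (pid, start, end), snaps in sorted(regions.items()):
        size = end - start
        notes = []
        if start == EXE_BASE:
            notes.append("main image at default EXE base")
        elif start == DLL_BASE:
            notes.append("module at default DLL base (loaded unrelocated)")
        if size == PAGE:
            notes.append("single page (scratch)")
        # A dump nested inside a larger one is a part of that image written separately.
        parents = [(s, e) for (p, s, e) in regions
                   if p == pid and s <= start and end <= e and (s, e) != (start, end)]
        if parents:
            notes.append(f"inside 0x{parents[0][0]:X}-0x{parents[0][1]:X}")
        if len(snaps) > 1 and size > PAGE:
            notes.append(f"dumped {len(snaps)} times: diff the snapshots for the unpacked stage")
        out.append({"pid": pid, "start": start, "end": end, "size": size,
                    "first": min(snaps), "last": max(snaps), "snapshots": len(snaps), "notes": notes})
    return out


def report(names):
    """Human-readable summary, one line per distinct region."""
    lines = []
    for r in annotate(group_regions(names)):
        lines.append(f"pid {r['pid']} 0x{r['start']:08X}-0x{r['end']:08X} "
                     f"{r['size'] / 1024:8.0f} KiB x{r['snapshots']} "
                     f"(idx {r['first']}..{r['last']}) {'; '.join(r['notes'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMP_NAMES)))
```

The dump at 0x10000000 is the first one to carve for a PE header: a module sitting at its preferred DLL base inside a packed process is a common shape for a payload that was decrypted in place or manually mapped, but that is a hypothesis to verify against the dump, not something the report establishes. The win10 run (pid 4952) has the same 0x400000-0x1DD3000 and 0x10000000-0x1003E000 ranges, so the same grouping applies there unchanged.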