Analysis Overview
SHA256
dbcb1dfc861a88f92e6611cf23995bf385b05d29210fecfe846dd6df7ac3d125
Threat Level: Shows suspicious behavior
The file dbcb1dfc861a88f92e6611cf23995bf385b05d29210fecfe846dd6df7ac3d125 was found to be: Shows suspicious behavior.
Malicious Activity Summary
VMProtect packed file
UPX packed file
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-26 10:30
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 10:30
Reported
2024-06-26 10:32
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbcb1dfc861a88f92e6611cf23995bf385b05d29210fecfe846dd6df7ac3d125.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\dbcb1dfc861a88f92e6611cf23995bf385b05d29210fecfe846dd6df7ac3d125.exe
"C:\Users\Admin\AppData\Local\Temp\dbcb1dfc861a88f92e6611cf23995bf385b05d29210fecfe846dd6df7ac3d125.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iph.exejm.com | udp |
| US | 8.8.8.8:53 | bbs.125.la | udp |
| US | 8.8.8.8:53 | iph.exejm.com | udp |
| US | 192.6.1.6:80 | | tcp |
| CN | 112.192.19.239:4022 | | tcp |
| US | 192.6.1.6:80 | | tcp |
| CN | 112.192.19.239:4020 | | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| CN | 112.192.19.239:40203 | | tcp |
| US | 8.8.8.8:53 | www.chinapyg.com | udp |
| US | 8.8.8.8:53 | www.douban.com | udp |
| CN | 112.192.19.239:4021 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 10:30
Reported
2024-06-26 10:32
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
114s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\dbcb1dfc861a88f92e6611cf23995bf385b05d29210fecfe846dd6df7ac3d125.exe
"C:\Users\Admin\AppData\Local\Temp\dbcb1dfc861a88f92e6611cf23995bf385b05d29210fecfe846dd6df7ac3d125.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iph.exejm.com | udp |
| US | 8.8.8.8:53 | bbs.125.la | udp |
| CN | 112.192.20.89:40203 | iph.exejm.com | tcp |
| CN | 121.41.121.199:443 | bbs.125.la | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| CN | 112.192.20.89:4020 | iph.exejm.com | tcp |
| US | 192.6.1.6:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| CN | 112.192.20.89:4021 | iph.exejm.com | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.47.188:443 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | www.chinapyg.com | udp |
| HK | 8.210.154.70:80 | www.chinapyg.com | tcp |
| US | 8.8.8.8:53 | 188.47.235.103.in-addr.arpa | udp |
| HK | 8.210.154.70:443 | www.chinapyg.com | tcp |
| US | 8.8.8.8:53 | 70.154.210.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.douban.com | udp |
| CN | 140.143.177.206:443 | www.douban.com | tcp |
| CN | 112.192.20.89:4022 | iph.exejm.com | tcp |
| CN | 120.53.130.158:443 | www.douban.com | tcp |
| CN | 81.70.124.99:443 | www.douban.com | tcp |
Files