Xcitium Cloud Verdict

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: UPX1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0018ce00, virtual_size: 0x0018d000

The executable is compressed using UPX Show sources

packer_section

name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x005b4000

Information Discovery

Expresses interest in specific running processes Show sources

api_process_name

dinotify.exe

Repeatedly searches for a not-found process, may want to run with startbrowser=1 option

Networking

Attempts to connect to a dead IP:Port (2 unique times) Show sources

network_host_ip	185.10.68.220:443 (Germany)
network_host_ip	109.71.252.45:443 (United Kingdom)

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name

54bcf774774d5a64bb0f7641325f381443a5dfca.exe tried to sleep 273 seconds, actually delayed analysis time by 0 seconds

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

File Name: java.exe

File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows

SHA1: 54bcf774774d5a64bb0f7641325f381443a5dfca

MD5: c7ace8d52dbc590cb25b467528eb72b7