Malware Analysis Report

2024-11-30 23:27

Sample ID 230811-d456laaf25
Target 3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c
SHA256 3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c
Tags
vmprotect systembc trojan
score
10/10


Analysis Overview

score
10/10

SHA256

3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c

Threat Level: Known bad

The file 3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c was found to be: Known bad.

Malicious Activity Summary

vmprotect systembc trojan

SystemBC

Blocklisted process makes network request

VMProtect packed file

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-11 03:34

Signatures

VMProtect packed file

Tags: vmprotect

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-11 03:34

Reported

2023-08-11 03:39

Platform

win7-20230712-en

Max time kernel

202s

Max time network

206s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c.dll,#1

Signatures

SystemBC

Tags: trojan systembc

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

VMProtect packed file

Tags: vmprotect

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c.dll,#1

Network

Country  Destination       Domain              Proto
RU       5.42.65.67:4298                       tcp
US       8.8.8.8:53        localhost.exchange  udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-08-11 03:34

Reported

2023-08-11 03:39

Platform

win10-20230703-en

Max time kernel

202s

Max time network

258s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c.dll,#1

Signatures

SystemBC

Tags: trojan systembc

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

VMProtect packed file

Tags: vmprotect

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c.dll,#1

Network

Country  Destination       Domain                                                                     Proto
RU       5.42.65.67:4298                                                                              tcp
US       8.8.8.8:53        0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa  udp
US       8.8.8.8:53        63.13.109.52.in-addr.arpa                                                  udp
US       8.8.8.8:53        38.148.119.40.in-addr.arpa                                                 udp
US       8.8.8.8:53        90.65.42.20.in-addr.arpa                                                   udp
US       8.8.8.8:53        localhost.exchange                                                         udp

Files
