Malware Analysis Report

2024-11-30 23:27

Sample ID 230811-fe3ehscg71
Target 3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c
SHA256 3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c
Tags
vmprotect systembc trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c

Threat Level: Known bad

The file 3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c was found to be: Known bad.

Malicious Activity Summary

vmprotect systembc trojan

SystemBC

Blocklisted process makes network request

VMProtect packed file

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-11 04:48

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-11 04:47

Reported

2023-08-11 04:53

Platform

win7-20230712-en

Max time kernel

202s

Max time network

205s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c.dll,#1

Signatures

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c.dll,#1

Network

Country  Destination      Domain              Proto
RU       5.42.65.67:4298                      tcp
US       8.8.8.8:53       localhost.exchange  udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-11 04:47

Reported

2023-08-11 04:53

Platform

win10-20230703-en

Max time kernel

201s

Max time network

258s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c.dll,#1

Signatures

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bc9a13ed11a0da691a2b97ddd52168dbead463fd5371916a1d574184c422a3c.dll,#1

Network

Country  Destination      Domain                                                             Proto
RU       5.42.65.67:4298                                                                     tcp
US       8.8.8.8:53       0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa  udp
US       8.8.8.8:53       203.151.224.20.in-addr.arpa                                        udp
US       8.8.8.8:53       38.148.119.40.in-addr.arpa                                         udp
US       8.8.8.8:53       168.117.168.52.in-addr.arpa                                        udp
US       8.8.8.8:53       localhost.exchange                                                 udp

Files