Malware Analysis Report

2024-11-30 23:27

Sample ID 230813-mawjqsah62
Target a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.exe
SHA256 a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24
Tags
vmprotect systembc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24

Threat Level: Known bad

The file a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.exe was found to be: Known bad.

Note that the submitted name ends in .exe, but both behavioral runs load the file as a DLL through rundll32.exe and call its export ordinal #1, so the sample is a PE DLL with a misleading extension. The only network destination observed on both platforms is 5.42.65.67:4298 (TCP, RU); the reverse-DNS (in-addr.arpa) queries to 8.8.8.8 appear on the Windows 10 run only.

Malicious Activity Summary

vmprotect systembc trojan

SystemBC

Blocklisted process makes network request

VMProtect packed file

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-13 10:16

Signatures

VMProtect packed file
Tags: vmprotect

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-13 10:16

Reported

2023-08-13 10:18

Platform

win7-20230712-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.dll,#1

Signatures

SystemBC
Tags: trojan systembc

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

VMProtect packed file
Tags: vmprotect

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.dll,#1

Network

Country  Destination      Domain  Proto
RU       5.42.65.67:4298  -       tcp

Files

Memory dumps, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp (pid 2812 is the rundll32.exe process above):

memory/2812-54-0x0000000077710000-0x0000000077712000-memory.dmp
memory/2812-56-0x000007FEF4FA0000-0x000007FEF5996000-memory.dmp
memory/2812-57-0x0000000077710000-0x0000000077712000-memory.dmp
memory/2812-59-0x0000000077710000-0x0000000077712000-memory.dmp
memory/2812-60-0x0000000077720000-0x0000000077722000-memory.dmp
memory/2812-62-0x0000000077720000-0x0000000077722000-memory.dmp
memory/2812-64-0x0000000077720000-0x0000000077722000-memory.dmp
memory/2812-65-0x0000000077730000-0x0000000077732000-memory.dmp
memory/2812-67-0x0000000077730000-0x0000000077732000-memory.dmp
memory/2812-69-0x0000000077730000-0x0000000077732000-memory.dmp
memory/2812-70-0x0000000077740000-0x0000000077742000-memory.dmp
memory/2812-72-0x0000000077740000-0x0000000077742000-memory.dmp
memory/2812-74-0x0000000077740000-0x0000000077742000-memory.dmp
memory/2812-77-0x000007FEFD650000-0x000007FEFD652000-memory.dmp
memory/2812-79-0x000007FEFD650000-0x000007FEFD652000-memory.dmp
memory/2812-82-0x000007FEFD660000-0x000007FEFD662000-memory.dmp
memory/2812-84-0x000007FEFD660000-0x000007FEFD662000-memory.dmp
memory/2812-85-0x0000000077750000-0x0000000077752000-memory.dmp
memory/2812-87-0x0000000077750000-0x0000000077752000-memory.dmp
memory/2812-89-0x0000000077750000-0x0000000077752000-memory.dmp
memory/2812-91-0x0000000077560000-0x0000000077709000-memory.dmp
memory/2812-90-0x000007FEF4FA0000-0x000007FEF5996000-memory.dmp
memory/2812-92-0x0000000077560000-0x0000000077709000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-13 10:16

Reported

2023-08-13 10:18

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.dll,#1

Signatures

SystemBC
Tags: trojan systembc

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

VMProtect packed file
Tags: vmprotect

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.dll,#1
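Both runs detonate the sample with the same rundll32.exe invocation: a DLL under the user's Temp directory, called by export ordinal rather than by name. The following is an added example, not part of the sandbox report, showing how to flag that pattern in process-creation telemetry. The event tuples are constructed for the example and their (pid, image, command line) layout is an assumption, not any product's real schema; the first command line is the one from this report.

```python
"""Flag rundll32.exe launches like the one in this report.

Added example, not part of the sandbox report. The process-creation
events below are constructed; their (pid, image, command line) layout
is an assumption, not any product's real schema.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to. A DLL loaded from one
# of these by rundll32 deserves a look before any signature fires.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# rundll32 syntax: rundll32.exe <dll>,<ExportName | #ordinal> [args]
# The DLL path may be quoted; the first comma separates it from the export.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+)\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    pid: int
    dll: str
    export: str
    reasons: tuple


def analyse(cmdline):
    """Return (dll, export, reasons) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if m is None:
        return None
    dll = m.group("dll").strip('"')
    export = m.group("export")
    low = dll.lower()
    reasons = []
    if export.startswith("#"):
        # Calling by ordinal keeps the export name out of the command line,
        # exactly what this report's "..._JC.dll,#1" invocation does.
        reasons.append("export called by ordinal")
    if any(p in low for p in USER_WRITABLE):
        reasons.append("dll in user-writable directory")
    if not low.endswith(".dll"):
        reasons.append("non-.dll extension")
    return dll, export, reasons


def hunt(events):
    """events: iterable of (pid, image, cmdline); returns Findings worth triage."""
    out = []
    for pid, image, cmdline in events:
        if image.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
            continue
        parsed = analyse(cmdline)
        if parsed is None:
            continue
        dll, export, reasons = parsed
        if reasons:
            out.append(Finding(pid, dll, export, tuple(reasons)))
    return out


# Constructed events: the first is this report's command line, the
# second a benign Control Panel launch, the third a made-up second hit.
SAMPLE_EVENTS = [
    (2812, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\a736c699fe879975bc8daa8525984ba514ae96a294f74d570dff0cbfd2117e24exeexe_JC.dll,#1"),
    (1500, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),
    (4120, r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\Downloads\update.dat",DllRegisterServer'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.pid, f.dll, f.export, "; ".join(f.reasons))
```

Ordinal calls alone are not malicious (legitimate installers use them), so the check combines the ordinal with the load path; tune USER_WRITABLE to the environment before deploying.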

Network

Country  Destination      Domain                         Proto
US       8.8.8.8:53       1.208.79.178.in-addr.arpa      udp
US       8.8.8.8:53       2.136.104.51.in-addr.arpa      udp
US       8.8.8.8:53       71.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53       108.211.229.192.in-addr.arpa   udp
US       8.8.8.8:53       146.78.124.51.in-addr.arpa     udp
RU       5.42.65.67:4298  -                              tcp
US       8.8.8.8:53       208.194.73.20.in-addr.arpa     udp
US       8.8.8.8:53       198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53       26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53       254.131.255.8.in-addr.arpa     udp
US       8.8.8.8:53       43.229.111.52.in-addr.arpa     udp
US       8.8.8.8:53       10.173.189.20.in-addr.arpa     udp
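The Windows 10 run mixes one direct TCP session with a dozen reverse-DNS (PTR) queries to 8.8.8.8, while the Windows 7 run shows only the TCP session. The following is an added example, not part of the sandbox report, that parses both Network tables, decodes the in-addr.arpa names back to the addresses being looked up, and keeps only the endpoints present in every run as block-rule candidates. The rows are copied from the report with "-" marking the empty Domain column; the helper names and the Suricata-style rule formatter are mine, and treating the PTR traffic as resolver background noise rather than sample behaviour is an inference the report itself does not make.

```python
"""Separate the sample's own connection from resolver noise in this report.

Added example, not part of the sandbox report. Rows are copied from the
report's two Network tables ("-" = empty Domain column). Helper names are
mine; reading the PTR lookups as OS background traffic is an inference.
"""
import ipaddress
import re

BEHAVIORAL1 = """
RU 5.42.65.67:4298 - tcp
"""

BEHAVIORAL2 = """
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 5.42.65.67:4298 - tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.131.255.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.IGNORECASE)


def ptr_to_ip(name):
    """'1.208.79.178.in-addr.arpa' -> '178.79.208.1' (PTR names reverse the octets)."""
    m = PTR_RE.match(name)
    if m is None:
        return None
    return str(ipaddress.ip_address(".".join(reversed(m.groups()))))  # validates octets


def parse_rows(text):
    """Parse 'country destination domain proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def direct_connections(rows):
    """Endpoints the process connected to itself, i.e. rows with no DNS name."""
    return {(r["host"], r["port"], r["proto"]) for r in rows if r["domain"] is None}


def reverse_lookups(rows):
    """Addresses the resolver was asked about, recovered from the PTR names."""
    ips = {ptr_to_ip(r["domain"]) for r in rows
           if r["domain"] and r["domain"].lower().endswith(".in-addr.arpa")}
    return sorted(ips, key=ipaddress.ip_address)


def cross_run_iocs(*runs):
    """Direct endpoints present in every run: the ones worth a block rule."""
    return set.intersection(*(direct_connections(parse_rows(r)) for r in runs))


def suricata_rule(endpoint, sid):
    """Render an endpoint as a Suricata/Snort rule; sid is a local-range placeholder."""
    host, port, proto = endpoint
    return (f'alert {proto} $HOME_NET any -> {host} {port} '
            f'(msg:"SystemBC C2 candidate {host}:{port}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for ep in sorted(cross_run_iocs(BEHAVIORAL1, BEHAVIORAL2)):
        print(suricata_rule(ep, 1000001))
    print("PTR targets (Windows 10 run only):", reverse_lookups(parse_rows(BEHAVIORAL2)))
```

The PTR targets are worth listing so they can be compared against the sandbox's own baseline traffic; an address that also shows up in a clean run is not the sample's doing.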

Files

Memory dumps, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp (pid 2436 is the rundll32.exe process above):

memory/2436-133-0x00007FFAB8E90000-0x00007FFAB8E92000-memory.dmp
memory/2436-135-0x00007FFAB8EA0000-0x00007FFAB8EA2000-memory.dmp
memory/2436-134-0x00007FFA9B470000-0x00007FFA9BE66000-memory.dmp
memory/2436-136-0x00007FFAB8190000-0x00007FFAB8192000-memory.dmp
memory/2436-137-0x00007FFAB81A0000-0x00007FFAB81A2000-memory.dmp
memory/2436-138-0x00007FFAB6960000-0x00007FFAB6962000-memory.dmp
memory/2436-139-0x00007FFAB6970000-0x00007FFAB6972000-memory.dmp
memory/2436-141-0x00007FFAB8EB0000-0x00007FFAB8EB2000-memory.dmp
memory/2436-142-0x00007FFA9B470000-0x00007FFA9BE66000-memory.dmp
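The dump names in both Files sections encode the process id and the address range of each region. The following is an added example, not part of the sandbox report, that parses those names, collapses repeated dumps of the same range, and lists the region sizes common to both runs. The names are copied from the report; the helper names are mine, and the suggestion that the recurring 0x9F6000-byte region is the loaded sample image (a VMProtect-packed DLL is typically this large) is an inference from its size, not something the report states.

```python
"""Make sense of memory/<pid>-<seq>-<start>-<end>-memory.dmp names.

Added example, not part of the sandbox report. Dump names are copied from
the report; helper names are mine. That the shared 0x9F6000-byte region is
the sample's own mapped image is an inference, not a report finding.
"""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

BEHAVIORAL1 = [
    "memory/2812-54-0x0000000077710000-0x0000000077712000-memory.dmp",
    "memory/2812-56-0x000007FEF4FA0000-0x000007FEF5996000-memory.dmp",
    "memory/2812-57-0x0000000077710000-0x0000000077712000-memory.dmp",
    "memory/2812-59-0x0000000077710000-0x0000000077712000-memory.dmp",
    "memory/2812-60-0x0000000077720000-0x0000000077722000-memory.dmp",
    "memory/2812-62-0x0000000077720000-0x0000000077722000-memory.dmp",
    "memory/2812-64-0x0000000077720000-0x0000000077722000-memory.dmp",
    "memory/2812-65-0x0000000077730000-0x0000000077732000-memory.dmp",
    "memory/2812-67-0x0000000077730000-0x0000000077732000-memory.dmp",
    "memory/2812-69-0x0000000077730000-0x0000000077732000-memory.dmp",
    "memory/2812-70-0x0000000077740000-0x0000000077742000-memory.dmp",
    "memory/2812-72-0x0000000077740000-0x0000000077742000-memory.dmp",
    "memory/2812-74-0x0000000077740000-0x0000000077742000-memory.dmp",
    "memory/2812-77-0x000007FEFD650000-0x000007FEFD652000-memory.dmp",
    "memory/2812-79-0x000007FEFD650000-0x000007FEFD652000-memory.dmp",
    "memory/2812-82-0x000007FEFD660000-0x000007FEFD662000-memory.dmp",
    "memory/2812-84-0x000007FEFD660000-0x000007FEFD662000-memory.dmp",
    "memory/2812-85-0x0000000077750000-0x0000000077752000-memory.dmp",
    "memory/2812-87-0x0000000077750000-0x0000000077752000-memory.dmp",
    "memory/2812-89-0x0000000077750000-0x0000000077752000-memory.dmp",
    "memory/2812-91-0x0000000077560000-0x0000000077709000-memory.dmp",
    "memory/2812-90-0x000007FEF4FA0000-0x000007FEF5996000-memory.dmp",
    "memory/2812-92-0x0000000077560000-0x0000000077709000-memory.dmp",
]

BEHAVIORAL2 = [
    "memory/2436-133-0x00007FFAB8E90000-0x00007FFAB8E92000-memory.dmp",
    "memory/2436-135-0x00007FFAB8EA0000-0x00007FFAB8EA2000-memory.dmp",
    "memory/2436-134-0x00007FFA9B470000-0x00007FFA9BE66000-memory.dmp",
    "memory/2436-136-0x00007FFAB8190000-0x00007FFAB8192000-memory.dmp",
    "memory/2436-137-0x00007FFAB81A0000-0x00007FFAB81A2000-memory.dmp",
    "memory/2436-138-0x00007FFAB6960000-0x00007FFAB6962000-memory.dmp",
    "memory/2436-139-0x00007FFAB6970000-0x00007FFAB6972000-memory.dmp",
    "memory/2436-141-0x00007FFAB8EB0000-0x00007FFAB8EB2000-memory.dmp",
    "memory/2436-142-0x00007FFA9B470000-0x00007FFA9BE66000-memory.dmp",
]


def parse_dump(name):
    """Split one dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions(names):
    return [parse_dump(n) for n in names]


def largest_region(names):
    """The biggest dumped range: the first candidate to inspect for an unpacked image."""
    return max(regions(names), key=lambda r: r["size"])


def distinct_regions(names):
    """Collapse repeated dumps of the same range into (start, end, count)."""
    counts = Counter((r["start"], r["end"]) for r in regions(names))
    return sorted((s, e, n) for (s, e), n in counts.items())


def sizes_in_both(run_a, run_b):
    """Region sizes that occur in both runs, largest first."""
    a = {r["size"] for r in regions(run_a)}
    b = {r["size"] for r in regions(run_b)}
    return sorted(a & b, reverse=True)


if __name__ == "__main__":
    for label, run in (("win7", BEHAVIORAL1), ("win10", BEHAVIORAL2)):
        big = largest_region(run)
        print(f"{label}: pid {big['pid']} largest region "
              f"0x{big['start']:X}-0x{big['end']:X} ({big['size']:#x} bytes)")
    print("sizes shared by both runs:", [hex(s) for s in sizes_in_both(BEHAVIORAL1, BEHAVIORAL2)])
```

The 0x2000-byte ranges are dumped repeatedly across consecutive sequence numbers, so the dumper appears to re-capture a small region each time it changes; the large range is captured once early and once near the end of the run, which is the pair to diff when looking for code VMProtect unpacked at runtime.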