Malware Analysis Report

2025-08-11 01:36

Sample ID 231207-s5we4sda39
Target eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1
SHA256 eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1
Tags
upx vmprotect
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1

Threat Level: Likely malicious

The file eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1 was found to be: Likely malicious.

Malicious Activity Summary

upx vmprotect

Downloads MZ/PE file

UPX packed file

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-07 15:43

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 15:43

Reported

2023-12-07 15:48

Platform

win7-20231025-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe

"C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe"

C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp

C:\Users\Admin\AppData\Local\Temp\f763ab0.tmp

Network

Country Destination Domain Proto
CN 121.26.169.78:6673 121.26.169.78 tcp

Files

\Users\Admin\AppData\Local\Temp\f763ab0.tmp

MD5 ab4d9ec45b79e2c85a42ad41903c88a9
SHA1 60f9a8d8c7f159b8e1f2df26035190c915777abe
SHA256 f858c1818b607224a90b1b26309e8553d4662a1dd42474beacb2bb2851d8c35a
SHA512 c335e7f51a08369f4008290b74320bc0962260eac4c81244d6bddb28fd1512bf995f437487d955c71ba216c0e0aa500f7d01f0745975ca1eb74694d37f820415


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 15:43

Reported

2023-12-07 15:48

Platform

win10v2004-20231127-en

Max time kernel

155s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e585e28.tmp N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Processes

C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe

"C:\Users\Admin\AppData\Local\Temp\eee8f24df2c2acd4d3a0af577157f501e8d6e22430cb9de5547d15e4d3a484e1.exe"

C:\Users\Admin\AppData\Local\Temp\e585e28.tmp

C:\Users\Admin\AppData\Local\Temp\e585e28.tmp

Network


Files

C:\Users\Admin\AppData\Local\Temp\e585e28.tmp

MD5 ab4d9ec45b79e2c85a42ad41903c88a9
SHA1 60f9a8d8c7f159b8e1f2df26035190c915777abe
SHA256 f858c1818b607224a90b1b26309e8553d4662a1dd42474beacb2bb2851d8c35a
SHA512 c335e7f51a08369f4008290b74320bc0962260eac4c81244d6bddb28fd1512bf995f437487d955c71ba216c0e0aa500f7d01f0745975ca1eb74694d37f820415
