Malware Analysis Report

2025-08-11 01:36

Sample ID: 231208-ez5vpsad81
Target: 0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5
SHA256: 0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5
Tags: vmprotect evasion trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5

Threat Level: Known bad

The file 0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5 was found to be: Known bad.

Malicious Activity Summary

vmprotect evasion trojan

UAC bypass

VMProtect packed file

Checks whether UAC is enabled

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-08 04:23

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 04:23

Reported

2023-12-08 04:23

Platform

win7-20231201-en

Max time kernel

4s

Max time network

5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe

"C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 04:23

Reported

2023-12-08 04:24

Platform

win10v2004-20231127-en

Max time kernel

13s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "111" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe

"C:\Users\Admin\AppData\Local\Temp\0b857def32c7bae500b087764ea39dae5a2021e78b833a11c54593f2b7569bf5.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa398f855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 198.5.85.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 67.26.109.254:80 tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files
