Malware Analysis Report

2025-08-11 01:36

Sample ID: 231208-mfb3aaaf34
Target: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e
SHA256: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e
Tags: vmprotect
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e

Threat Level: Likely malicious

The file 608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e was found to be: Likely malicious.

Malicious Activity Summary

vmprotect

Drops file in Drivers directory

Deletes itself

Loads dropped DLL

Checks computer location settings

VMProtect packed file

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-08 10:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-08 10:24
Reported: 2023-12-08 10:26
Platform: win7-20231023-en
Max time kernel: 118s
Max time network: 122s

Command Line

C:\Windows\system32\services.exe

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\kkctPtna.sys | C:\Windows\SysWOW64\dllhost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A

VMProtect packed file

Tag: vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\s2pg.dll | C:\Windows\SysWOW64\dllhost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2228 set thread context of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\dllhost.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A
N/A | N/A | C:\Windows\system32\services.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\services.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2228 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2228 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2228 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2228 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2228 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2864 wrote to memory of 468 | N/A | C:\Windows\SysWOW64\dllhost.exe | C:\Windows\system32\services.exe
PID 2228 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe

C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe"

C:\Windows\SysWOW64\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\608C54~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dssp.toolsabc.cn | udp
N/A | 127.0.0.1:49212 | | tcp
N/A | 127.0.0.1:49214 | | tcp
US | 8.8.8.8:53 | a.eastfn.com | udp
US | 166.88.101.146:443 | a.eastfn.com | tcp

Files


\Windows\SysWOW64\s2pg.dll

MD5 b2ee390c0b9947b86ede4deb825710a4
SHA1 267ca058a46609439560b4742b26e6b4b7d72a6b
SHA256 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0
SHA512 a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b


Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-08 10:24
Reported: 2023-12-08 10:26
Platform: win10v2004-20231127-en
Max time kernel: 148s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\ktkigeGt.sys | C:\Windows\SysWOW64\svchost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\s4q8.dll | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3492 set thread context of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\608c5496db6dd79f0383adb6109af52663289276bc9b7973b881e1d858d4702e.exe"

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\608C54~1.EXE > nul

Network


Files


C:\Windows\SysWOW64\s4q8.dll

MD5 b2ee390c0b9947b86ede4deb825710a4
SHA1 267ca058a46609439560b4742b26e6b4b7d72a6b
SHA256 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0
SHA512 a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b
