Malware Analysis Report

2025-08-11 01:36

Sample ID 231208-mfe4yabh5w
Target 972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80
SHA256 972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80
Tags: vmprotect
Score: 8/10


Analysis Overview

Score: 8/10

SHA256

972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80

Threat Level: Likely malicious

The file 972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80 was found to be: Likely malicious.

Malicious Activity Summary

vmprotect

Drops file in Drivers directory

Loads dropped DLL

VMProtect packed file

Drops file in System32 directory

Unsigned PE

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-08 10:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 10:24

Reported

2023-12-08 10:26

Platform

win10v2004-20231130-en

Max time kernel

149s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\kkEKnete.sys | C:\Windows\SysWOW64\rundll32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\s22g.dll | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies system certificate store

Tags: evasion, spyware, trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAEA990BBADFAE7FE5F474BF08829473C8F25255 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAEA990BBADFAE7FE5F474BF08829473C8F25255\Blob = [value removed] | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3040 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
N/A | 127.0.0.1:65238 | | tcp
N/A | 127.0.0.1:65240 | | tcp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\s22g.dll

MD5 b2ee390c0b9947b86ede4deb825710a4
SHA1 267ca058a46609439560b4742b26e6b4b7d72a6b
SHA256 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0
SHA512 a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b

memory/4436-7-0x000001962D340000-0x000001962D350000-memory.dmp

memory/4436-23-0x000001962D440000-0x000001962D450000-memory.dmp

memory/4436-39-0x0000019635740000-0x0000019635741000-memory.dmp

memory/4436-41-0x0000019635770000-0x0000019635771000-memory.dmp

memory/4436-42-0x0000019635770000-0x0000019635771000-memory.dmp

memory/4436-43-0x0000019635880000-0x0000019635881000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 10:24

Reported

2023-12-08 10:26

Platform

win7-20231130-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\kkEctgea.sys | C:\Windows\SysWOW64\rundll32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

VMProtect packed file

Tags: vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\s1l4.dll | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies system certificate store

Tags: evasion, spyware, trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717642E4A28C98F0588854B430A2FD16F5B5B1B9 | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717642E4A28C98F0588854B430A2FD16F5B5B1B9\Blob = [value removed] | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\services.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:49196 | | tcp
N/A | 127.0.0.1:49198 | | tcp

Files

\Windows\SysWOW64\s1l4.dll

MD5 b2ee390c0b9947b86ede4deb825710a4
SHA1 267ca058a46609439560b4742b26e6b4b7d72a6b
SHA256 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0
SHA512 a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b

memory/480-4-0x0000000000050000-0x0000000000076000-memory.dmp

memory/480-6-0x0000000000050000-0x0000000000076000-memory.dmp

memory/480-7-0x0000000000D30000-0x0000000000DB4000-memory.dmp

memory/480-10-0x0000000000D30000-0x0000000000DB4000-memory.dmp

memory/480-14-0x0000000000D30000-0x0000000000DB4000-memory.dmp

memory/480-16-0x00000000FF310000-0x00000000FF320000-memory.dmp

memory/480-18-0x0000000000D30000-0x0000000000DB4000-memory.dmp

memory/480-15-0x00000000FF310000-0x00000000FF320000-memory.dmp

memory/480-9-0x0000000000D30000-0x0000000000DB4000-memory.dmp