Malware Analysis Report

2025-08-05 21:24

Sample ID 231221-2wynjsgafn
Target 1cfc9408aa24c2be24ad3376087dc83b
SHA256 6ca88c9e467778629605f0e02cd88922370593fd79ceb973ea6123583ec4afd3
Tags: bootkit persistence vmprotect
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256

6ca88c9e467778629605f0e02cd88922370593fd79ceb973ea6123583ec4afd3

Threat Level: Shows suspicious behavior

The file 1cfc9408aa24c2be24ad3376087dc83b was classified as: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence vmprotect

VMProtect packed file

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-21 22:56

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-21 22:56

Reported

2023-12-22 00:55

Platform

win10v2004-20231215-en

Max time kernel

130s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe

"C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic BaseBoard get SerialNumber

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 luckbaby.me udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/4112-0-0x0000000001BA0000-0x0000000001BA1000-memory.dmp
memory/4112-1-0x0000000001C10000-0x0000000001C11000-memory.dmp
memory/4112-2-0x0000000002150000-0x0000000002151000-memory.dmp
memory/4112-4-0x0000000002170000-0x0000000002171000-memory.dmp
memory/4112-5-0x0000000002180000-0x0000000002181000-memory.dmp
memory/4112-3-0x0000000002160000-0x0000000002161000-memory.dmp
memory/4112-6-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/4112-7-0x0000000002190000-0x0000000002191000-memory.dmp
memory/4112-8-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/4112-10-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/4112-15-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/4112-16-0x0000000000400000-0x0000000001B42000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-21 22:56

Reported

2023-12-22 00:55

Platform

win7-20231215-en

Max time kernel

25s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe

"C:\Users\Admin\AppData\Local\Temp\1cfc9408aa24c2be24ad3376087dc83b.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic BaseBoard get SerialNumber

Network

Country Destination Domain Proto
US 8.8.8.8:53 luckbaby.me udp

Files

memory/1980-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1980-2-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/1980-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1980-5-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1980-6-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1980-8-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/1980-9-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1980-11-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1980-14-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1980-16-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1980-21-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1980-19-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1980-31-0x0000000000320000-0x0000000000321000-memory.dmp
memory/1980-29-0x0000000000320000-0x0000000000321000-memory.dmp
memory/1980-26-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1980-24-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1980-32-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1980-36-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1980-37-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1980-34-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1980-39-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1980-41-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1980-43-0x00000000777E0000-0x00000000777E1000-memory.dmp
memory/1980-48-0x0000000000400000-0x0000000001B42000-memory.dmp
memory/1980-49-0x0000000000400000-0x0000000001B42000-memory.dmp