Malware Analysis Report

2025-08-05 21:24

Sample ID 231222-jb6jjscbdn
Target 7986521f50626c7ddcb0e4003be4d05d
SHA256 6f02e7fbf59bc2c380badba6a56507ef342cdb1ae1723ac504001214069989c4
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6f02e7fbf59bc2c380badba6a56507ef342cdb1ae1723ac504001214069989c4

Threat Level: Shows suspicious behavior

The file 7986521f50626c7ddcb0e4003be4d05d was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 07:30

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 07:30

Reported

2023-12-22 10:02

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7986521f50626c7ddcb0e4003be4d05d.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7986521f50626c7ddcb0e4003be4d05d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7986521f50626c7ddcb0e4003be4d05d.exe

"C:\Users\Admin\AppData\Local\Temp\7986521f50626c7ddcb0e4003be4d05d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/3424-0-0x0000000074CF0000-0x00000000754A0000-memory.dmp

memory/3424-1-0x0000000000010000-0x00000000000E6000-memory.dmp

memory/3424-2-0x0000000007240000-0x00000000077E4000-memory.dmp

memory/3424-3-0x0000000006D30000-0x0000000006DC2000-memory.dmp

memory/3424-4-0x0000000006F30000-0x0000000006F40000-memory.dmp

memory/3424-5-0x0000000006D00000-0x0000000006D0A000-memory.dmp

memory/3424-6-0x0000000006F30000-0x0000000006F40000-memory.dmp

memory/3424-7-0x0000000006F30000-0x0000000006F40000-memory.dmp

memory/3424-8-0x0000000074CF0000-0x00000000754A0000-memory.dmp

memory/3424-9-0x0000000006F30000-0x0000000006F40000-memory.dmp

memory/3424-10-0x0000000006F30000-0x0000000006F40000-memory.dmp

memory/3424-11-0x0000000006F30000-0x0000000006F40000-memory.dmp

memory/3424-12-0x0000000006F30000-0x0000000006F40000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 07:30

Reported

2023-12-22 10:02

Platform

win7-20231215-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7986521f50626c7ddcb0e4003be4d05d.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7986521f50626c7ddcb0e4003be4d05d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7986521f50626c7ddcb0e4003be4d05d.exe

"C:\Users\Admin\AppData\Local\Temp\7986521f50626c7ddcb0e4003be4d05d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/2500-0-0x00000000011C0000-0x0000000001296000-memory.dmp

memory/2500-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2500-2-0x00000000092A0000-0x00000000092E0000-memory.dmp

memory/2500-3-0x00000000092A0000-0x00000000092E0000-memory.dmp

memory/2500-4-0x00000000092A0000-0x00000000092E0000-memory.dmp

memory/2500-6-0x00000000092A0000-0x00000000092E0000-memory.dmp

memory/2500-5-0x00000000747B0000-0x0000000074E9E000-memory.dmp