Malware Analysis Report

2025-08-05 21:25

Sample ID 231222-kfahcafdf6
Target cOOla_unban.exe
SHA256 b3cbb74a4236bd44bb4bdc9d3ce5515a52abb470804de9949818d5d4989cacc5
Tags
vmprotect evasion
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b3cbb74a4236bd44bb4bdc9d3ce5515a52abb470804de9949818d5d4989cacc5

Threat Level: Likely malicious

The file cOOla_unban.exe was found to be: Likely malicious. The verdict rests on a VMProtect-packed, unsigned 64-bit image that hides a thread from the debugger, walks the process list in a loop, and spawns cmd.exe to kill HTTP Debugger, Cheat Engine and Process Hacker before talking to keyauth.win over HTTPS. Nothing in the 33-second run shows persistence, files written to disk, or injection into other processes; the file name, the KeyAuth call-home and the choice of tools to kill fit a game-cheat "unban" loader whose anti-analysis measures are aimed at crackers and anti-cheat researchers as much as at sandboxes. "Suspicious use of WriteProcessMemory" appears only in the summary below; the behavioral section records no matching event.

Malicious Activity Summary

vmprotect evasion

Stops running service(s)

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15, mapped from the signatures and process list in this report:

T1027.002 Obfuscated Files or Information: Software Packing - VMProtect-packed image
T1622 Debugger Evasion - NtSetInformationThread(ThreadHideFromDebugger)
T1562.001 Impair Defenses: Disable or Modify Tools - taskkill against HTTP Debugger, Cheat Engine and Process Hacker; sc stop HTTPDebuggerPro
T1057 Process Discovery - repeated process enumeration
T1059.003 Command and Scripting Interpreter: Windows Command Shell - every kill is wrapped in cmd.exe /c
T1071.001 Application Layer Protocol: Web Protocols - HTTPS to keyauth.win

Analysis: static1

Detonation Overview

Reported

2023-12-22 08:32

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

A static VMProtect verdict normally rests on the packer's default section names (.vmp0, .vmp1), near-8-bit entropy in those sections, and an entry point that lies inside them. The report does not say which indicator fired, and VMProtect can be configured to rename its sections, so the name check alone is not conclusive in either direction.

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

The image carries no Authenticode signature. On its own this is weak evidence: hobbyist cheat tools are rarely signed either.
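To make the static indicator concrete, here is an added example (my code, not the sandbox's detection logic and not code from the report) that parses a PE section table by hand and applies the two cheap heuristics above: VMProtect default section names and per-section Shannon entropy. Because the sample itself is not available offline, build_fake_pe() constructs a minimal synthetic PE64 skeleton (no optional header, one page per section) whose layout mimics a packed file; those bytes are constructed for the example and are not the sample's.

```python
"""Static check for VMProtect-style packing: section names and per-section entropy.

Added example, not from the sandbox report. It parses the PE section table by hand
(stdlib only) and applies the two cheap heuristics that usually back a "VMProtect
packed file" verdict. build_fake_pe() constructs a minimal synthetic PE so the check
runs offline; the bytes are not the sample's and the header is intentionally minimal.
"""
import math
import random
import struct
from collections import Counter

# Default section names emitted by VMProtect (it can be configured to rename them).
VMPROTECT_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_opt,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_opt          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data), 3),
        })
    return sections


def assess(pe: bytes) -> dict:
    secs = parse_sections(pe)
    vmp_names = [s["name"] for s in secs if s["name"].lower() in VMPROTECT_SECTIONS]
    high_entropy = [s["name"] for s in secs if s["entropy"] >= ENTROPY_THRESHOLD]
    return {
        "sections": secs,
        "vmprotect_names": vmp_names,
        "high_entropy": high_entropy,
        "likely_packed": bool(vmp_names or high_entropy),
    }


def build_fake_pe(sections: list[tuple[str, bytes]]) -> bytes:
    """Minimal PE64 skeleton: DOS stub, PE signature, COFF header, no optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, NumberOfSections, timestamp/symbols=0, SizeOfOptionalHeader=0,
    # Characteristics=EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    raw_ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, blobs, va = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
        va += (len(data) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed inputs: code-like repeating bytes in .text, pseudo-random bytes in .vmp*.
FAKE_PACKED = build_fake_pe([
    (".text", b"\x90\x48\x89\xe5" * 512),
    (".vmp0", random.Random(7).randbytes(4096)),
    (".vmp1", random.Random(9).randbytes(8192)),
])
FAKE_CLEAN = build_fake_pe([(".text", b"\x90\x48\x89\xe5" * 512), (".data", b"\0" * 1024)])

if __name__ == "__main__":
    for label, blob in (("packed", FAKE_PACKED), ("clean", FAKE_CLEAN)):
        r = assess(blob)
        print(label, r["likely_packed"], r["vmprotect_names"], r["high_entropy"])
```

Entropy alone also flags legitimately compressed resources and any file with embedded encrypted blobs, so in practice you combine it with the section names, an AddressOfEntryPoint that falls inside a .vmp section, and an import table that has shrunk to a handful of kernel32 entries.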

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 08:32

Reported

2023-12-22 08:33

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe"

Signatures

Stops running service(s)

evasion

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

NtSetInformationThread with ThreadInformationClass = ThreadHideFromDebugger (0x11) marks the calling thread so that it generates no debug events; an attached debugger stops seeing its exceptions and breakpoints, and single-stepping it typically crashes the process. The flag can be read back afterwards with NtQueryInformationThread using the same class, which returns a non-zero BOOLEAN, so a debugger plugin or analysis harness can detect it. The report does not say whether the call comes from the VMProtect layer or from the protected code itself.

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

The single sc.exe invocation is sc stop HTTPDebuggerPro, the Windows service behind HTTP Debugger Pro (see Processes).

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Five taskkill invocations: two by image name (HTTPDebuggerUI.exe, HTTPDebuggerSvc.exe) and three by wildcard filter (cheatengine*, httpdebugger*, processhacker*), all with /F, the filtered ones also with /T to take the child tree. Each is wrapped in cmd.exe /c ... >nul 2>&1, so a tool that is not installed (as in this sandbox) fails silently; the signature records the attempt, not a successful kill.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe N/A
(34 identical rows, all from the sample process)

Thirty-four process-list walks inside a 33-second run indicate a polling loop rather than a one-off check, and the loop pairs naturally with the tool names the taskkill filters target. The report does not record which API was used; CreateToolhelp32Snapshot/Process32Next and NtQuerySystemInformation(SystemProcessInformation) are the usual candidates.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

The privilege is enabled by taskkill.exe itself: with /F it requests SeDebugPrivilege so it can open and terminate processes it does not own. The event is attributable to the sample only through the command it issued; no token adjustment is recorded in cOOla_unban.exe.

Processes

Process tree reconstructed from the command lines (cmd.exe /c <command> runs <command> as its child; the sample's PID is 4840 per the memory dumps; images are C:\Windows\system32\cmd.exe, taskkill.exe, sc.exe, certutil.exe and find.exe):

C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe  [PID 4840]
  "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe"
  |
  +- cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  |    +- taskkill /f /im HTTPDebuggerUI.exe
  |
  +- cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  |    +- certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5
  |    +- find /i /v "md5"
  |    +- find /i /v "certutil"
  |
  +- cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  |    +- taskkill /f /im HTTPDebuggerSvc.exe
  |
  +- cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  |    +- sc stop HTTPDebuggerPro
  |
  +- cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  |    +- taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
  |
  +- cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  |    +- taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
  |
  +- cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
       +- taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

Notes:

The targets are HTTP Debugger (its UI, its service process and the HTTPDebuggerPro Windows service), Cheat Engine and Process Hacker: an HTTP interception proxy, a memory scanner and a process viewer, i.e. the tools someone would use to crack a cheat loader or inspect its licensing traffic. The /FI "IMAGENAME eq x*" /IM * form kills every image whose name starts with the prefix, /T takes each one's child tree.

Every kill runs through cmd.exe with stdout and stderr sent to nul, so the sample learns nothing from failures and the behaviour is identical whether or not the tools are present.

The certutil pipeline computes the MD5 of the sample's own image and filters out certutil's "MD5 hash of ..." and "CertUtil: -hashfile command completed successfully." lines, leaving only the hex digest on stdout for the parent to read. That is a self-integrity check; read together with the keyauth.win traffic in the Network section it is consistent with a tamper check against a server-side file hash, although the report shows no payload to confirm that.
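A detection one would write from this process list, as an added example that is not part of the sandbox report: it parses the command lines above (copied in as constructed input), matches the taskkill and sc targets against a watchlist of analysis tools, recognises the self-hash, and collapses each cmd.exe wrapper and its child into one finding. The watchlist goes beyond the three tools this sample targets, and both it and the ATT&CK assignment are my choices, not the sandbox's.

```python
"""Flag anti-analysis process and service termination in process-creation events.

Added example, not part of the sandbox report. The EVENTS list reproduces the
command lines from the behavioral1 process list; the tool watchlist and the
ATT&CK mapping are this example's own choices.
"""
import fnmatch
import re
from dataclasses import dataclass

# Glob patterns for analysis tooling that cheat loaders and malware commonly kill.
# Matched case-insensitively against the image name, filter prefix or service name.
ANALYSIS_TOOLS = [
    "httpdebugger*", "cheatengine*", "processhacker*", "x64dbg*", "x32dbg*",
    "ida*", "ollydbg*", "wireshark*", "fiddler*", "procmon*", "procexp*",
]

TASKKILL_IM = re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?([^"\s]+)', re.I)
TASKKILL_FI = re.compile(r'\btaskkill(?:\.exe)?\b.*?/fi\s+"imagename\s+eq\s+([^"]+)"', re.I)
SC_STOP = re.compile(r'\bsc(?:\.exe)?\s+stop\s+(\S+)', re.I)
CERTUTIL_HASH = re.compile(
    r'\bcertutil(?:\.exe)?\s+-hashfile\s+"?([^"]+?)"?\s+(md5|sha1|sha256)\b', re.I)


@dataclass(frozen=True)
class Finding:
    technique: str      # ATT&CK technique id, or "-" when none fits cleanly
    description: str
    target: str         # image name, filter prefix, service name or hash algorithm
    command: str        # first command line that produced the finding


def is_analysis_tool(name: str) -> bool:
    name = name.strip('"').lower()
    return any(fnmatch.fnmatch(name, pattern) for pattern in ANALYSIS_TOOLS)


def analyze_command(cmd: str, self_image: str) -> list[Finding]:
    """Return findings for one command line (cmd.exe wrappers and leaf processes alike)."""
    findings = []

    # taskkill: prefer the /FI "IMAGENAME eq x*" form, since /IM is then just "*".
    m = TASKKILL_FI.search(cmd) or TASKKILL_IM.search(cmd)
    if m and is_analysis_tool(m.group(1)):
        findings.append(Finding("T1562.001", "kills analysis tool", m.group(1).strip(), cmd))

    # sc stop <service>: impairing a tool's service counts the same as killing it.
    m = SC_STOP.search(cmd)
    if m and is_analysis_tool(m.group(1)):
        findings.append(Finding("T1562.001", "stops analysis tool service", m.group(1), cmd))

    # certutil -hashfile <own image>: self-integrity / anti-tamper check.
    m = CERTUTIL_HASH.search(cmd)
    if m and m.group(1).lower() == self_image.lower():
        findings.append(Finding("-", "hashes own image (integrity check)", m.group(2).upper(), cmd))
    return findings


def triage(events: list[str], self_image: str) -> list[Finding]:
    """Analyze every event and collapse duplicates (cmd.exe wrapper + its child)."""
    unique: dict[tuple[str, str, str], Finding] = {}
    for cmd in events:
        for f in analyze_command(cmd, self_image):
            unique.setdefault((f.technique, f.description, f.target.lower()), f)
    return list(unique.values())


SELF_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe"

# Constructed from the report's process list, in the order listed there.
EVENTS = [
    r'"C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe"',
    r'C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1',
    r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5',
    r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\cOOla_unban.exe" MD5 | find /i /v "md5" | find /i /v "certutil"',
    r'find /i /v "certutil"',
    r'find /i /v "md5"',
    r'taskkill /f /im HTTPDebuggerUI.exe',
    r'C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1',
    r'taskkill /f /im HTTPDebuggerSvc.exe',
    r'C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1',
    r'taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1',
    r'sc stop HTTPDebuggerPro',
    r'taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1',
    r'taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T',
    r'C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1',
]

if __name__ == "__main__":
    for f in triage(EVENTS, SELF_IMAGE):
        print(f"{f.technique:10} {f.description:36} {f.target}")
```

Keying on the attempt rather than the outcome matters here: the >nul 2>&1 redirection means the sample behaves identically whether the tools exist or not, and a rule that waits for a successful termination event would never fire in a clean VM like this one.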

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 (no domain) tcp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 2.19.169.32:80 x2.c.lencr.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp

Notes:

The *.in-addr.arpa rows are reverse (PTR) lookups of addresses the VM touched; they are sandbox and OS noise, not indicators belonging to the sample.

keyauth.win, resolved and then contacted twice over TCP/443 at 104.26.1.5 (a Cloudflare address), is the KeyAuth licensing and authentication API widely used by cheat loaders. It is the one domain in this capture to treat as a sample indicator; the report contains no request or response body.

x2.c.lencr.org over TCP/80 is a Let's Encrypt CRL/AIA distribution host. Windows CryptoAPI fetches it while validating the keyauth.win certificate chain, so it is a side effect of the TLS connection, not a channel of its own. g.bing.com is Windows background traffic.

138.91.171.81:80 was contacted without any DNS resolution in the capture, which points to a hard-coded address or a lookup that fell outside the 33-second window; the address sits in a Microsoft Azure range. Treat it as unattributed until the HTTP exchange can be reviewed.
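The triage rule applied in the notes above, written out as an added example (my code, not the sandbox's): it parses the Network table (copied in as constructed input) and splits it into PTR noise, forward DNS queries, connections to known infrastructure, connections to a raw IP with no resolved name, and the remaining domain/destination pairs that go into the IOC list. The benign-suffix list is this example's assumption: Let's Encrypt CRL hosts fetched by CryptoAPI during TLS validation, and Microsoft background traffic.

```python
"""Split a sandbox network table into sample IOCs and environment noise.

Added example, not from the report. NETWORK_ROWS is the Network table above, copied
as constructed input. BENIGN_SUFFIXES is this example's assumption (Let's Encrypt
CRL/AIA hosts and Microsoft background traffic), not something the sandbox asserts.
"""
from collections import defaultdict

BENIGN_SUFFIXES = (".lencr.org", ".bing.com")  # assumption: infrastructure noise, not C2

NETWORK_ROWS = """
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 2.19.169.32:80 x2.c.lencr.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
"""


def parse_rows(text: str) -> list[dict]:
    """Rows are whitespace-separated; a missing Domain column collapses to three fields."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:           # connection with no resolved name
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append({"country": country, "dest": dest, "domain": domain.lower(), "proto": proto})
    return rows


def classify(rows: list[dict]) -> dict:
    ptr, dns, benign, unresolved = [], set(), [], []
    iocs = defaultdict(int)
    for r in rows:
        dom, dest = r["domain"], r["dest"]
        if dom.endswith(".in-addr.arpa"):
            ptr.append(dom)                      # reverse lookups: sandbox/OS noise
        elif r["proto"] == "udp" and dest.endswith(":53"):
            dns.add(dom)                         # forward query; judged by the connection it enables
        elif dom.endswith(BENIGN_SUFFIXES):
            benign.append(f"{dom} -> {dest}")    # CRL fetch / Microsoft background traffic
        elif not dom:
            unresolved.append(dest)              # hard-coded IP or lookup outside the capture
        else:
            iocs[(dom, dest)] += 1               # what goes into the IOC list
    return {"ptr_lookups": ptr, "dns_queries": dns, "benign": benign,
            "unresolved_ips": unresolved, "iocs": dict(iocs)}


if __name__ == "__main__":
    result = classify(parse_rows(NETWORK_ROWS))
    for key in ("iocs", "unresolved_ips", "benign"):
        print(key, result[key])
    print("ptr lookups dropped:", len(result["ptr_lookups"]))
```

The point of the ordering is that PTR rows are also UDP/53 and must be peeled off before the generic DNS branch, and that a TCP row with an empty domain is a finding in its own right rather than something to silently drop.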

Files

No files were written to disk during the run. The only artifacts are memory dumps of the sample process (PID 4840), listed here by dump index:

memory/4840-0-0x00007FF730EA0000-0x00007FF731849000-memory.dmp
memory/4840-1-0x00007FFF70930000-0x00007FFF70932000-memory.dmp
memory/4840-2-0x00007FFF70940000-0x00007FFF70942000-memory.dmp
memory/4840-3-0x00007FF730EA0000-0x00007FF731849000-memory.dmp
memory/4840-7-0x00007FF730EA0000-0x00007FF731849000-memory.dmp

The 0x00007FF730EA0000-0x00007FF731849000 range (0x9A9000 bytes, about 9.7 MB) is the sample's own image at its load base, dumped three times (indices 0, 3 and 7); for a VMProtect-packed file those snapshots are the place to diff for code that was decrypted or written after the packer ran. The two 8 KB regions at 0x00007FFF70930000 and 0x00007FFF70940000 are small separate mappings whose content the report does not describe.