Malware Analysis Report

2025-08-11 01:21

Sample ID 231222-p4kqfadgf5
Target 90b756764ad408cdd3ac6cafb7c1bfb8
SHA256 a9db58e1f44a7fb8dbd4551d33befb2296cbe0d4fd1e4686b0384d4adabc5cf8
Tags: vmprotect
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

a9db58e1f44a7fb8dbd4551d33befb2296cbe0d4fd1e4686b0384d4adabc5cf8

Threat Level: Shows suspicious behavior

The file 90b756764ad408cdd3ac6cafb7c1bfb8 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-22 12:53

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 12:52

Reported

2023-12-23 16:03

Platform

win7-20231215-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe

"C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe"

C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe

C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 os.ieycc.com udp

Files

memory/3016-0-0x0000000000400000-0x0000000001567000-memory.dmp

memory/3016-1-0x0000000000400000-0x0000000001567000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe

MD5 2d3f65b69bf57e23f27cb3cf549f7e3f
SHA1 54bffeb759310d5fa08c4054ef02e07ab76cb426
SHA256 c09160b7f4cc97f76cf159c680364cd6874e799c1a68168a532234c07d8cb868
SHA512 510b6145cafa11deea7428b6f30134785825862cc3d620183ebc370a1c679f6f7cb93a3d47c102980e14f8ec9d5775739d812b4790287532ba244b387499e2d3

C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe

MD5 44982bcbd3a2451db80c6281c210b8cd
SHA1 1a0f4f39f033e2d344a99fbc70c64c0b9ccf4005
SHA256 151a693bdc7be9d953c138a3fa3ca831a52435086cf38ba1545d4a5295e3903b
SHA512 6b1140b1ea4ac58f724771d7016641cdf02d6a22269fc6cc54b1589feb873840233648d1e254e32b818d048f3c4b7c088df34e22b36e0f2e26e9b6cbd4fff03b

\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe

MD5 bc066787d7b5c455304233759bd2fb2b
SHA1 734c31a1b9948c110326bbd41023f74bc0373561
SHA256 59f0b9086bb60c3298e115a34b1686bfe4cf046e7d0661e8c6d85ef5a1e59287
SHA512 cc88084303b78bf309f4de569da0e19058a91f7b4c4d54bb120984b91211df35439c73ea511b0c6b4dcce64a65bb8785dc7f0e79ab3e37d379a7aad27361f30a

memory/3016-13-0x0000000006D60000-0x0000000007EC7000-memory.dmp

\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe

MD5 4d44c43792556837c7b08e4ceee83cb6
SHA1 46e635f2439ca2bdad3bf49e525f1a462f16bc65
SHA256 5c2bc92ec2efcb73d5fdc580d84704dd97ecaa5f2d617c85b2708bf43aa31683
SHA512 7bc7ef88779d16311275a1eb5fd2010fdb20ba1560146935136f14a4e18f9b774163c52dcf49fced07f3ce3e01025892c292a55b2842538620c99eede9a579fc

memory/2776-14-0x0000000000400000-0x0000000001567000-memory.dmp

memory/3016-15-0x0000000006D60000-0x0000000007EC7000-memory.dmp

memory/2776-16-0x0000000000400000-0x0000000001567000-memory.dmp

memory/3016-19-0x0000000000400000-0x0000000001567000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B0D0F0B120E156F155F15D0F0B160C0C160B.exe

MD5 7359109ead98380983e77bac5fb4eb5a
SHA1 2157a844342aeb4c46fb1ec89d34cd8160ea9205
SHA256 583b2c7cda8898ea5b664810c91b86ba1b012e098e97b4226db6d8d05825bb33
SHA512 0cefd67cc64bbeb97b797bab2d087d28a1d1804aa860bef34fbd00b8540a326c64505d7f429d8f7a1c9011a106495bd0648039bce73fcafeec8354e70d6bfe92

\Users\Admin\AppData\Roaming\testing.dat

MD5 ef65c95d77b45554b88292633dfe011c
SHA1 1ed63a17fc2752d2b2c9bec1b5bbad95886916d9
SHA256 a8b8abfa22fd6785a37e866a416a5d498ffbf16c179fb2face23270ad9d79cbf
SHA512 2d86826a4f0412b384e354f6dec02f20fc9fc19b63589bd7748bf16eb785233808e7be902161e38beee54b02773434f367acc33293fa3ec9f0afe04547d836fb

memory/2776-26-0x0000000074860000-0x0000000074B8D000-memory.dmp

memory/2776-31-0x0000000000400000-0x0000000001567000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 12:52

Reported

2023-12-23 16:03

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe

"C:\Users\Admin\AppData\Local\Temp\90b756764ad408cdd3ac6cafb7c1bfb8.exe"

C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe

C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe

Network


Files

memory/1476-0-0x0000000000400000-0x0000000001567000-memory.dmp

memory/1476-1-0x0000000000400000-0x0000000001567000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe

MD5 4174fbfce638df328e2dab0359587ffd
SHA1 401451b22f6cbba8c8cde28d62b14ab6109631be
SHA256 66a2d18f1e413d8a05d03a5faec2401001793ae5076fa43366afe1bb8fcd068b
SHA512 80ea0fd7180202d2bb8855e4953a3b02d4dca33f900e1da33806d98717898ad427a773d3896901b920d370339ad8660c1c3aa362990fd0456d2d8c957c61e1a7

C:\Users\Admin\AppData\Local\Temp\1E0A0D0F120B156C155B15C0A0D160B0F160E.exe

MD5 23dc4d75bd4f4f1e1942742cc70de311
SHA1 e5118a424792ebd533ffad846d221f9f1a272254
SHA256 1283568f754be312fb00929a0ab89b5090a4bcbf45406074c8267f061ba99eb7
SHA512 c1832b523e353bd9d2969600649027683d2ce9f1b5c237d3402f1e9f3f53b7178f8a58d765a10c8aa91676f957df8a186b056ed13d61019d568faaa22b0f1a80

memory/1076-9-0x0000000000400000-0x0000000001567000-memory.dmp

memory/1076-10-0x0000000000400000-0x0000000001567000-memory.dmp

memory/1476-13-0x0000000000400000-0x0000000001567000-memory.dmp

C:\Users\Admin\AppData\Roaming\testing.dat

MD5 6533d39141dc1398e19c1fbc1a36b5d1
SHA1 3a2c56f97303f9ab5bb0f7b9adb71bdd468c340e
SHA256 810e007bfce6c33b979068b5c7af5f8ea67e900f2d484d46c31e3cd290aec475
SHA512 56e5affef615f7b256c7e9285bf406772337222c33e79802c05df1fbd44e130b51571b3ddc5b3d95010f93f706874ce4464a53738babfec30d96612b76ded38e

memory/1076-20-0x0000000072FB0000-0x00000000732DD000-memory.dmp

memory/1076-25-0x0000000000400000-0x0000000001567000-memory.dmp