Malware Analysis Report

2025-08-05 21:24

Sample ID 231222-q3engacabj
Target tmp
SHA256 1d29a82f343372d9ccc7ecd56d49b03b5dfcc2afb654de212c7fff5c67085f13
Tags vmprotect
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file tmp was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

Checks computer location settings

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-22 13:46

Signatures

VMProtect packed file

vmprotect

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 13:46

Reported

2023-12-22 13:49

Platform

win7-20231215-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

VMProtect packed file

vmprotect

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2780 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2780 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2780 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2780 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2780 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2780 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2780 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2712 wrote to memory of 588 N/A C:\ProgramData\pinterests\XRJNZC.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 588 N/A C:\ProgramData\pinterests\XRJNZC.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 588 N/A C:\ProgramData\pinterests\XRJNZC.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 588 N/A C:\ProgramData\pinterests\XRJNZC.exe C:\Windows\SysWOW64\schtasks.exe
PID 2608 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2608 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2608 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2608 wrote to memory of 1528 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2608 wrote to memory of 436 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2608 wrote to memory of 436 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2608 wrote to memory of 436 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2608 wrote to memory of 436 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sl4.0.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\ProgramData\pinterests\XRJNZC.exe

"C:\ProgramData\pinterests\XRJNZC.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f

C:\Windows\system32\taskeng.exe

taskeng.exe {20E2DDCF-EC3B-4C66-8EA5-B2B84678E8D3} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\sl4.0.bat

MD5 70fd3e695143a6f33f01ba03e2e145a8
SHA1 2f35693596fc13edcbc22d85740d331a23f054fd
SHA256 259b6a0c7670d976754252a352050ebee5e10403175e1a52b391382119036f3f
SHA512 c63de2ae5754f1347bce66c3fc05fafb59a957d07c7e698ca5706115627540dfd6f1e281a5819351e5d737f10ad478d9ed398d8abbdd51a3202ed90648de4774

C:\ProgramData\pinterests\XRJNZC.exe

MD5 83ccf7576abc90dd1ec49418ecf65e1b
SHA1 908665d8280efec426068c04bd96f1fe13362e0f
SHA256 6cc7b5136c0d57b63951ed53fe0a724fe8767b3260b8e85c72f0f598fac958c5
SHA512 b63feb7ded67ceddc593368105c087905944c838cab0c769237d4c60324b313d6b6a74dc294ab6988187265aefad8dc26e1fb570d270253f2929e56b64137fb6

C:\ProgramData\pinterests\XRJNZC.exe

MD5 c94e002ad8ef0791887fd52dc9d9175e
SHA1 83c2ba2fe6c771682d13272f48a6815ab4c689d7
SHA256 5b4e36faa3700341141a35522c5f9afa5767ba7f0d46a4676ffbf0e8a3d29117
SHA512 699fdb5aeedf087f3ebb5425ef69518120c2a4f51d3d45d7608160b315cf17f94d9edafec58d339d8f1700de732f9662005231b1fbf1e96d4816040cb2f26a60

\ProgramData\pinterests\XRJNZC.exe

MD5 827e3cdd6fa549e3e3e912622fd8f711
SHA1 decc157d095e2dc54bee3d35e659e67bcc0e049f
SHA256 923b810dd9f761016fb30e2c45ddbb0302eb83ea08986edb1b69731cdc81bb18
SHA512 eee467c204e725c63a29a25a4085cd6850d46725ed37af3cafc26bd9a2f82f4a520fe060fb003c971d076da91c28d6780b67cdf9cc9d4a48837d787634b1fb7d

C:\ProgramData\pinterests\XRJNZC.exe

MD5 5daace837c50f6a423dab71ab5eab6dc
SHA1 00068ac5ce79274407b8b60357ccccfc9c4cae31
SHA256 4c69f4101dc5c7b4f6818f981fa841e717b09a90b7b890ba232c8b487e3621d5
SHA512 f3e34fc51b41111691c7cb2ddb8fcac9c4cb1821135bae60938da30c1782bca6a620417cd68215effb769c15ff56849fe260954061fd6d92fa99080afe649454

C:\ProgramData\pinterests\XRJNZC.exe

MD5 60d425143796a0b56290deb6ff0c1c83
SHA1 142131de4c873368a78a9e011f230612bd81f735
SHA256 cd8448e47f9eb29671ff69b93109f716930b7f64e51ab1edc83352693c2626dc
SHA512 da6196f8960f5875764083c5cfc94545636b651dd4f2019547d02f8f5551e7b2d54837fbb019f3120120b62aeb8bfa17374b1e17c487cf5bf9cc4c8362546d86

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 13:46

Reported

2023-12-22 13:49

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\ProgramData\pinterests\XRJNZC.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A
N/A N/A C:\ProgramData\pinterests\XRJNZC.exe N/A

VMProtect packed file

vmprotect

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3l0.0.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\ProgramData\pinterests\XRJNZC.exe

"C:\ProgramData\pinterests\XRJNZC.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

Network

Country  Destination           Domain                        Proto
NL       52.142.223.178:80     -                             tcp
US       8.8.8.8:53            18.53.126.40.in-addr.arpa     udp
US       8.8.8.8:53            173.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53            41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53            0.204.248.87.in-addr.arpa     udp
US       8.8.8.8:53            57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53            180.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            13.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53            195.201.50.20.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Local\Temp\s3l0.0.bat

MD5 b9e7d705d0214d48ae01afdb92bf0436
SHA1 53f628afd3c56e982df0380a8944a306ea06efd5
SHA256 c62ac393835116f03916cc8d4e6f6599d59fe6f31bda7baf9a76a29ce914fdd6
SHA512 2c6d24f306ec523b25b8171edee64fc54f5a180ccda3aee7b144748a7b66e80115823e73a89b143d6fb98e54dbb461a4d880da42ba4dcacbd3aaa96fae01802c

C:\ProgramData\pinterests\XRJNZC.exe

MD5 7144b1d844d15423fc7a123b6bda62e1
SHA1 548a60041c848fc5086c2d2987ac034de4b9241a
SHA256 d25dac2d29f0ac33038edba1ded1b25b4f2b3734e98a84a4a26e5a974b63744f
SHA512 33c853f4c1ea1aa48db636b9f994d5cb8badbda414063c8bb3941d26fe67805a9625230710c85b4ed1d960f77a0e0b4c5b4e58836a969a2c1d606f1448db80aa

C:\ProgramData\pinterests\XRJNZC.exe

MD5 a470bf2832ff24b84ea77cb6b14204b2
SHA1 288c07d7ddbe40f54437702ab0646df5532c8d3e
SHA256 bac6d45cf5b7fb9063fe5b18b801f71d31b17a25a81140091e93879f82bdc502
SHA512 6327f28d43857b5bdcae43677cb6a572ab9fedafbde8d3fb7ae0fcd768bf95bcee7f4765f97989fa45dcf4c5ed5baf67ac7c64bc3ea08567436bfdde98a21d28

C:\ProgramData\pinterests\XRJNZC.exe

MD5 2c5c0baa6bd9ea6f8000dd65bb843886
SHA1 9e30af10130e67d42406221efcd5b8f5d9428515
SHA256 9628c5401297e147bb23a7932de8b0e46229db71ba0fbc0e686b293a1ee4ca41
SHA512 733c0958fab832139a0a864cf9f796d242282062d57fa3d59d1f359589bad789686fe6eef4e91fc129a3057538f9414e6beb46e6e6cbaec3a5e1f51c633c83c1

C:\ProgramData\pinterests\XRJNZC.exe

MD5 7feb51455fc72384d3f3956220075b2f
SHA1 661e8cb9e4cef960a475bb34cc1b057d5b977047
SHA256 a6eec4c6cd83a206b012ca274d6ce442880c0000d23ce0a39b4f4b7e0706a17a
SHA512 c65fc2d01ebf30a938da9be1f26d660df1ac705679292831b47eb89088a4e6db6e7571da3ac87b703895cb5c1a82114db963f63502734f8c65a4346788c5239b
