Malware Analysis Report

2025-08-05 21:11

Sample ID 231231-mbcg9adch8
Target 325cfaf6a3942af25d654ca13cc9f795
SHA256 cc145daee28e88dfb6b51e77a5d9f29152d4da1f5789b2b3a4d8fcb736543e3b
Tags
miner vmprotect
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

cc145daee28e88dfb6b51e77a5d9f29152d4da1f5789b2b3a4d8fcb736543e3b

Threat Level: Likely malicious

The file 325cfaf6a3942af25d654ca13cc9f795 was found to be: Likely malicious.

Malicious Activity Summary

miner vmprotect

Detectes Phoenix Miner Payload

Deletes itself

VMProtect packed file

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 10:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 10:17

Reported

2024-01-10 08:13

Platform

win7-20231215-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"

Signatures

Detectes Phoenix Miner Payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe

"C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scratch.bat

C:\Windows\system32\PING.EXE

ping -n 10 127.0.0.1

Network

N/A

Files

memory/2124-0-0x0000000140000000-0x0000000142A34000-memory.dmp

memory/2124-1-0x0000000077990000-0x0000000077991000-memory.dmp

memory/2124-3-0x0000000077990000-0x0000000077991000-memory.dmp

memory/2124-5-0x0000000077990000-0x0000000077991000-memory.dmp

memory/2124-7-0x0000000077990000-0x0000000077991000-memory.dmp

memory/2124-9-0x000007FEFD8D0000-0x000007FEFD8D1000-memory.dmp

memory/2124-11-0x000007FEFD8D0000-0x000007FEFD8D1000-memory.dmp

memory/2124-13-0x000007FEFD8D0000-0x000007FEFD8D1000-memory.dmp

memory/2124-16-0x0000000140000000-0x0000000142A34000-memory.dmp

memory/2124-15-0x000007FEFD8D0000-0x000007FEFD8D1000-memory.dmp

memory/2124-21-0x0000000077990000-0x0000000077991000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\GpuDrive\WmiPrevSEs.exe

MD5 30ab5838cc15d70fd39faad81f64f712
SHA1 1cd9ccc075da933c34acccf7a24445a4ece7dd64
SHA256 295b1ea128454f1c9224113d7e074795f545d85a6133bb77aa10fd12f538cb2f
SHA512 a7f1b313db71d009afc4444ce458dc5537dc0f544c2138d9ca210a2ac63fa1dc47f6bbb0529c66c1622e1821dfbdec89349320a42100e7ddd484df1c19458378

C:\Users\Admin\AppData\Roaming\Microsoft\GpuDrive\WmiPrevSE.exe

MD5 acc4d5da6dc251691567d6833b1b56b9
SHA1 885b1864ab51cdddec6257087396db2e5e5204a1
SHA256 9458075d710c58ac2ff0a14811758c8d91279b3940a71846b0ddedaa580d0042
SHA512 81bda2d2e94ea7afdd30329145ef4b67537a639a0d657b838606106a6938f29adf7e21dbc3de5058255d2da3b1efd8e0b3ab1818cc0056a4a905e87b37379638

C:\Users\Admin\AppData\Local\Temp\scratch.bat

MD5 8c8782f67bc6d4823d996cef5d65e5a5
SHA1 b1c7659248601845685a89c09575f033c9526f63
SHA256 85668bf14ce3846a8b8610306e595e7efd7066d67fdeb75987db44bca21b0817
SHA512 011996b197b3e4cd30c705ca934237bc2851e41cb2a68e38ffa71b264084129e91267e19133336c05667e1eee86a868d45af5d480e14d1380517c8efdcd8b1fb

memory/2124-55-0x0000000140000000-0x0000000142A34000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 10:17

Reported

2024-01-10 08:13

Platform

win10v2004-20231222-en

Max time kernel

141s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"

Signatures

Detectes Phoenix Miner Payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe C:\Windows\system32\cmd.exe
PID 2464 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2464 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe

"C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"

C:\Windows\system32\PING.EXE

ping -n 10 127.0.0.1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\scratch.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.34.232.68.in-addr.arpa udp
US 8.8.8.8:53 udp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
US 8.8.8.8:53 udp
GB 88.221.135.90:80 tcp
N/A 52.111.229.19:443 tcp
GB 88.221.135.90:80 tcp
US 8.8.8.8:53 udp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
US 8.8.8.8:53 udp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
GB 88.221.135.90:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
N/A 13.89.178.26:443 tcp
US 192.229.221.95:80 tcp
US 8.8.8.8:53 udp

Files

memory/3548-0-0x0000000140000000-0x0000000142A34000-memory.dmp

memory/3548-3-0x0000000140000000-0x0000000142A34000-memory.dmp

memory/3548-5-0x00007FF9CBF90000-0x00007FF9CBF91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aut6D31.tmp

MD5 da8b9858de517c82565b4db05480e12e
SHA1 316c95ff894ec51c90f3a51f8b9cfd5d1dee0c00
SHA256 11bc5103504955a39a4b054e3e61d812cca75b5cb05b5bb31a582e941c9a6d9d
SHA512 1302bc641bb8b8c9e2b54101f22f2035a66ee7278ac4da662117c6af42513e16f69a0c8c50151ade544ac324c6f8c9f1c923ba2cf69e1b3b4456eb336694f0c1

C:\Users\Admin\AppData\Roaming\Microsoft\GpuDrive\WmiPrevSE.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\scratch.bat

MD5 8c8782f67bc6d4823d996cef5d65e5a5
SHA1 b1c7659248601845685a89c09575f033c9526f63
SHA256 85668bf14ce3846a8b8610306e595e7efd7066d67fdeb75987db44bca21b0817
SHA512 011996b197b3e4cd30c705ca934237bc2851e41cb2a68e38ffa71b264084129e91267e19133336c05667e1eee86a868d45af5d480e14d1380517c8efdcd8b1fb

memory/3548-36-0x0000000140000000-0x0000000142A34000-memory.dmp