Malware Analysis Report

2025-03-15 06:03

Sample ID 240510-yt533afa7x
Target 30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1
SHA256 30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1
Tags vmprotect
Score 10/10

Analysis Overview

Score 10/10

SHA256

30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1

Threat Level: Known bad

The file 30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1 was found to be: Known bad.

Malicious Activity Summary

vmprotect

Detects executables packed with VMProtect.

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-10 20:05

Signatures

Detects executables packed with VMProtect.

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

VMProtect packed file

vmprotect
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 20:05

Reported

2024-05-10 20:08

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe"

Signatures

Detects executables packed with VMProtect.

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe
Target: N/A

VMProtect packed file

vmprotect
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Drops file in Program Files directory

Description: File created
Indicator: C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe
Process: C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe

"C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe"

C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe

"C:\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe"

Network

N/A

Files

\Program Files (x86)\jghdfbrcr\vuhrsegtxqxt.exe

MD5 7f9acb6f47becd9b59fb80e26614f268
SHA1 4d799f4fe324db16dccf7cbff78630e63dca4450
SHA256 8e296d90c37810c6eb5ad4eac1feaa97ec464a20d5a98368b7dbfe4e1e0142f2
SHA512 7ded67dc093891356f8484dd38e0fd733c211bc926f6322c50a85bb786586dd71c43ddd9269a1373f0e609378e0bca879e612b8945d793d411c382cbd3a5817e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 20:05

Reported

2024-05-10 20:08

Platform

win10v2004-20240426-en

Max time kernel

128s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe"

Signatures

Detects executables packed with VMProtect.

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Program Files (x86)\njwlphmtul\huwsn.exe
Target: N/A

VMProtect packed file

vmprotect
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Drops file in Program Files directory

Description: File created
Indicator: C:\Program Files (x86)\njwlphmtul\huwsn.exe
Process: C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe

"C:\Users\Admin\AppData\Local\Temp\30b05ec91a99c4d8f53bd4d985c173ad4a6443057ae5f8a7b60f362aaed6aac1.exe"

C:\Program Files (x86)\njwlphmtul\huwsn.exe

"C:\Program Files (x86)\njwlphmtul\huwsn.exe"

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            97.17.167.52.in-addr.arpa      udp
US       8.8.8.8:53            77.190.18.2.in-addr.arpa       udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53            72.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa       udp
NL       52.142.223.178:80     N/A                            tcp
US       8.8.8.8:53            56.126.166.20.in-addr.arpa     udp
US       8.8.8.8:53            50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53            25.14.97.104.in-addr.arpa      udp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53            71.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53            tse1.mm.bing.net               udp
US       204.79.197.200:443    tse1.mm.bing.net               tcp
US       204.79.197.200:443    tse1.mm.bing.net               tcp
US       204.79.197.200:443    tse1.mm.bing.net               tcp
US       204.79.197.200:443    tse1.mm.bing.net               tcp
US       8.8.8.8:53            55.36.223.20.in-addr.arpa      udp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53            22.236.111.52.in-addr.arpa     udp

Files

C:\Program Files (x86)\njwlphmtul\huwsn.exe

MD5 d0c7e3b3f70b26ed67a8663ebaf85ff1
SHA1 b7c21d74f7b949a534ae3afe5e0eaeab9a0a7b69
SHA256 fdb553f13deee4fee0ad12966c2f4e595c818f16e5faa3216256fc990ec1d380
SHA512 9504a018d955c7ddf2589da3fd1b58b411af5c15b47dc657dd793641b9b981ef082406022f25ea8e44b65267a2e0dda5b10eeecd1dae949b91fde57b26606c37