Malware Analysis Report

2025-03-15 05:55

Sample ID 240514-ygckzsda8x
Target 2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f
SHA256 2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f
Tags vmprotect
Score 10/10

Analysis Overview

Score 10/10

SHA256

2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f

Threat Level: Known bad

The file 2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f was found to be: Known bad.

Malicious Activity Summary

vmprotect

Detects executables packed with VMProtect.

Drops file in Drivers directory

VMProtect packed file

Unsigned PE

Suspicious behavior: LoadsDriver

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-14 19:45

Signatures

Detects executables packed with VMProtect.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 19:45

Reported

2024-05-14 19:47

Platform

win7-20231129-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\nejrfvp.sys | C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe | N/A
File opened for modification | C:\Windows\system32\drivers\nejrfvp.sys | C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe

"C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 19:45

Reported

2024-05-14 19:47

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe"

Signatures

Detects executables packed with VMProtect.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\adlvssh.sys | C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe | N/A
File opened for modification | C:\Windows\system32\drivers\adlvssh.sys | C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe | N/A

VMProtect packed file (tag: vmprotect)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe

"C:\Users\Admin\AppData\Local\Temp\2665433f219ea6f1beb22edef08d85eac676dd6c8fa872e4720fc9c77e82516f.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.154:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.61.62.23.in-addr.arpa | udp
NL | 23.62.61.154:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\adlvssh.sys

MD5 a467aa29895bcc4b2f4d2e46c81d9d4d
SHA1 ccda54aea8bb77c30b32bf33e8808a9f97d52664
SHA256 4f64ade810183f1f1508ac008bb6669411d53c1383a48a4fc7309a8f10df302b
SHA512 581cb1b4322de64acba704fa4ab89bc82b2c608e40a6f26a899c5bdb184e39040e0e396dfe30ce28ee660c3ae1c2c87421998fa1dcbef724c57ebf0707f2c59e