Malware Analysis Report

2025-01-22 12:50

Sample ID 240521-1jr5kabd2v
Target 2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber
SHA256 c3aac8c7b03b5eaea9448f609b17865132b0380df61a7722eaa44ea3b5fe5771
Tags vmprotect
Score 10/10

Analysis Overview

Score 10/10

SHA256 c3aac8c7b03b5eaea9448f609b17865132b0380df61a7722eaa44ea3b5fe5771

Threat Level: Known bad

The file 2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber was found to be: Known bad.

Malicious Activity Summary

vmprotect

Detects executables packed with VMProtect.

Checks computer location settings

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 21:41

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 21:41

Reported

2024-05-21 21:43

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe"

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe"

C:\Users\Admin\AppData\Local\Temp\sample.exe

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

Network

N/A

Files

memory/2212-0-0x0000000000910000-0x000000000330D000-memory.dmp

memory/2212-1-0x0000000077740000-0x0000000077741000-memory.dmp

memory/2212-3-0x0000000077740000-0x0000000077741000-memory.dmp

memory/2212-7-0x0000000077580000-0x0000000077581000-memory.dmp

memory/2212-9-0x0000000000910000-0x000000000330D000-memory.dmp

memory/2212-11-0x0000000077740000-0x0000000077741000-memory.dmp

\Users\Admin\AppData\Local\Temp\sample.exe

MD5 2f40714311d1e338824fc3a5a04d8d83
SHA1 d81d6ab046d8cee03d4a4954f854b2697ff95ff3
SHA256 820334d12b9140f66b47c1fa4f381ea45beaea66f8e5991a6ba4675cf125be1c
SHA512 027b114bf64547e4576e31e15be3d2bb9f2361fc6c22cfa5d3cbfba9341397aaceb3f3c45008bc5272c87ce11400fe950403f41b85bcd644ab45702bb2cbac48

memory/2212-19-0x0000000000910000-0x000000000330D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 21:41

Reported

2024-05-21 21:43

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe"

Signatures

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe N/A

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-21_ea82c60f49d4c4e87f3f9072a24f939e_avoslocker_karagany_magniber.exe"

C:\Users\Admin\AppData\Local\Temp\sample.exe

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
BE 88.221.83.194:443 www.bing.com tcp
US 8.8.8.8:53 194.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2096-0-0x0000000000020000-0x0000000002A1D000-memory.dmp

memory/2096-1-0x0000000000020000-0x0000000002A1D000-memory.dmp

memory/2096-3-0x0000000077AF0000-0x0000000077AF1000-memory.dmp

memory/2096-6-0x0000000076410000-0x0000000076411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sample.exe

MD5 2f40714311d1e338824fc3a5a04d8d83
SHA1 d81d6ab046d8cee03d4a4954f854b2697ff95ff3
SHA256 820334d12b9140f66b47c1fa4f381ea45beaea66f8e5991a6ba4675cf125be1c
SHA512 027b114bf64547e4576e31e15be3d2bb9f2361fc6c22cfa5d3cbfba9341397aaceb3f3c45008bc5272c87ce11400fe950403f41b85bcd644ab45702bb2cbac48

memory/2096-14-0x0000000000020000-0x0000000002A1D000-memory.dmp