Malware Analysis Report

2025-01-22 12:49

Sample ID: 240521-qmkjsafd8t
Target:    721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0
SHA256:    721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0
Tags:      vmprotect, upx
Score:     7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0

Threat Level: Shows suspicious behavior

Verdict: the file 721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0 shows suspicious behavior. It is an unsigned executable carrying both UPX and VMProtect packer markers. When detonated it hides a thread from debuggers, enables SeDebugPrivilege, enumerates processes and installs a Windows hook, and both detonations produced DNS lookups for 5ipz.com and www.5ipz.com followed by TCP connections to 113.75.20.79 and 120.76.220.47 on port 19668. No ATT&CK mapping is recorded.

Malicious Activity Summary

Tags: vmprotect, upx

VMProtect packed file: markers of the VMProtect commercial protector, which virtualises and obfuscates code and typically adds .vmp0/.vmp1 sections. VMProtect can also embed anti-debugging checks, consistent with the ThreadHideFromDebugger call recorded below.

UPX packed file: markers of the open-source UPX packer (UPX0/UPX1 sections). Unmodified UPX output unpacks with upx -d; when UPX markers sit alongside VMProtect markers the header is often altered or the UPX layer wraps an already protected binary, so upx -d may fail and the fallback is to dump the process after the stub has run.

Suspicious use of NtSetInformationThreadHideFromDebugger: NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the calling thread from delivering debug events to an attached debugger. A classic anti-analysis call.

Unsigned PE: the executable carries no Authenticode signature.

Suspicious behavior: EnumeratesProcesses: the sample walks the list of running processes.

Suspicious use of AdjustPrivilegeToken: the sample enables SeDebugPrivilege (detailed in both behavioral runs), which allows it to open processes owned by other users, including SYSTEM, for reading or injection.

Suspicious use of SetWindowsHookEx: the sample installs a Windows message hook; hooks are used for keystroke capture and for loading a hook DLL into other processes.

All but two of these are itemised in the static and behavioral sections below; EnumeratesProcesses and SetWindowsHookEx appear in this summary only, with no process or indicator detail.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 13:22

Signatures

VMProtect packed file

vmprotect
1 match; no description, indicator, process or target recorded.

Unsigned PE

1 match; no description, indicator, process or target recorded.
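The three static signatures above (VMProtect markers, UPX markers, unsigned PE) can be reproduced from the file alone. The following is an added example, not the sandbox's tooling: a standard-library PE parser that walks the section table, scores each section's Shannon entropy, flags the section names the two packers leave behind, flags read-write-execute sections, and checks whether the Authenticode security directory is populated. The PE/COFF offsets are the documented ones; the entropy threshold, the tag names and the demo binary built by build_demo_pe (a constructed UPX-style skeleton, not the analysed sample) are this example's own choices.

```python
"""Static PE triage with the standard library only (added example)."""
import math
import random
import struct
from collections import Counter

# Section names the two packers named in this report are known to leave behind.
PACKER_SECTIONS = {
    "UPX0": "upx", "UPX1": "upx", "UPX2": "upx",
    ".vmp0": "vmprotect", ".vmp1": "vmprotect", ".vmp2": "vmprotect",
}
ENTROPY_PACKED = 7.0                # bits/byte; compressed or encrypted data nears 8.0 (assumed threshold)
IMAGE_SCN_RWX = 0xE0000000          # IMAGE_SCN_MEM_READ | MEM_WRITE | MEM_EXECUTE
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _headers(pe: bytes):
    """Return (coff_offset, optional_header_offset, optional_header_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    return coff, coff + 20, opt_size


def parse_sections(pe: bytes):
    """Yield (name, virtual_size, raw_size, raw_offset, characteristics) per section header."""
    coff, opt, opt_size = _headers(pe)
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, rsize, roff = struct.unpack_from("<IIII", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        yield name, vsize, rsize, roff, chars


def has_authenticode(pe: bytes) -> bool:
    """True when the security data directory points at a certificate table."""
    _coff, opt, _size = _headers(pe)
    magic, = struct.unpack_from("<H", pe, opt)
    pe32plus = magic == 0x20B
    num_dirs, = struct.unpack_from("<I", pe, opt + (108 if pe32plus else 92))
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    dirs = opt + (112 if pe32plus else 96)
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return cert_off != 0 and cert_size != 0


def triage(pe: bytes) -> dict:
    tags, sections = set(), []
    for name, vsize, rsize, roff, chars in parse_sections(pe):
        entropy = shannon_entropy(pe[roff:roff + rsize])
        sections.append({"name": name, "vsize": vsize, "rsize": rsize, "entropy": round(entropy, 2)})
        if name in PACKER_SECTIONS:
            tags.add(PACKER_SECTIONS[name])
        if rsize == 0 and vsize >= 0x100000:      # UPX0-style: space reserved for the unpacked image
            tags.add("large-empty-section")
        if rsize >= 0x200 and entropy >= ENTROPY_PACKED:
            tags.add("high-entropy-section")
        if chars & IMAGE_SCN_RWX == IMAGE_SCN_RWX:
            tags.add("rwx-section")
    return {"sections": sections, "tags": sorted(tags), "signed": has_authenticode(pe)}


def build_demo_pe(signed: bool = False, seed: int = 1) -> bytes:
    """Constructed UPX-style PE32 skeleton for the demo; it is NOT the analysed sample."""
    rng = random.Random(seed)
    packed = bytes(rng.getrandbits(8) for _ in range(0x1000))   # stands in for compressed code
    rsrc = b"\0" * 0x200                                        # low-entropy resources
    raw_base = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)  # i386, 3 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    table = [  # name, vsize, vaddr, rsize, roff, characteristics
        (b"UPX0", 0x1F82000, 0x1000, 0, 0, 0xE0000080),
        (b"UPX1", 0x1000, 0x1F83000, len(packed), raw_base, 0xE0000040),
        (b".rsrc", 0x1000, 0x1F84000, len(rsrc), raw_base + len(packed), 0xC0000040),
    ]
    end_of_sections = raw_base + len(packed) + len(rsrc)
    if signed:  # point the security directory at a stub WIN_CERTIFICATE appended at the end
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, end_of_sections, 8)
    sects = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ro, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, ro, ch in table)
    image = (dos + b"PE\0\0" + coff + opt + sects).ljust(raw_base, b"\0") + packed + rsrc
    return bytes(image + (struct.pack("<IHH", 8, 0x0200, 0x0002) if signed else b""))


if __name__ == "__main__":
    print(triage(build_demo_pe()))
```

Run against the real sample, "upx" or "vmprotect" in the tags together with a near-zero-raw-size first section and a high-entropy second section is the static picture the sandbox summarised as "UPX packed file"; signed False is its "Unsigned PE". Entropy alone is not proof of packing (large resource blobs score high too), which is why the section names and RWX flags are reported alongside it.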

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 13:22

Reported

2024-05-21 13:25

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe"

Signatures

UPX packed file

upx
12 matches; no description, indicator, process or target recorded for any of them.

VMProtect packed file

vmprotect
5 matches; no description, indicator, process or target recorded for any of them.

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe
Description, indicator, target: not recorded

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe
Indicator, target: not recorded

Processes

C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe

"C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe"

Network

Country  Destination          Domain              Proto
US       8.8.8.8:53           www.5ipz.com        udp
CN       113.75.20.79:19668   www.5ipz.com        tcp
US       8.8.8.8:53           5ipz.com            udp
CN       113.75.20.79:19668   5ipz.com            tcp
CN       120.76.220.47:19668  (no domain logged)  tcp

Both 5ipz.com and www.5ipz.com resolved to 113.75.20.79, and the sample connected to it on TCP 19668. The connection to 120.76.220.47 on the same non-standard port had no DNS lookup in front of it, so that address was either hard-coded or obtained in-band. The 8.8.8.8:53 rows are the sandbox's resolver and are not indicators themselves; the queried names are.

Files

Memory dumps of PID 1940: 37 files named memory/1940-<seq>-<start>-<end>-memory.dmp (addresses below shown without the 16-digit zero padding used in the file names), grouped by region with the dump sequence numbers in parentheses:

0x00400000-0x02382000  0x1F82000 bytes  5 dumps  (0, 42, 90, 91, 92)
0x003E0000-0x003E1000  0x1000 bytes     3 dumps  (1, 3, 5)
0x003F0000-0x003F1000  0x1000 bytes     3 dumps  (6, 8, 10)
0x02390000-0x02391000  0x1000 bytes     2 dumps  (13, 15)
0x023A0000-0x023A1000  0x1000 bytes     2 dumps  (18, 20)
0x023F0000-0x023F1000  0x1000 bytes     2 dumps  (23, 25)
0x02400000-0x02401000  0x1000 bytes     2 dumps  (28, 30)
0x02410000-0x02411000  0x1000 bytes     3 dumps  (31, 33, 35)
0x02420000-0x02421000  0x1000 bytes     3 dumps  (36, 38, 40)
0x10000000-0x1003E000  0x3E000 bytes    12 dumps (44, 46, 47, 48, 49, 51, 53, 55, 57, 59, 61, 63)

Reading (analyst inference, not a report field): 0x00400000 is the default image base of a 32-bit executable and 0x10000000 the default base of a 32-bit DLL, so the 0x1F82000-byte region is most likely the main image, with the large UPX0 section mapped at its full unpacked size, and the 0x3E000-byte region a module loaded at its preferred DLL base. Repeated dumps of one region are snapshots at successive points of the run; the last dump of the image region (92) is the best candidate for static analysis of the unpacked code. The single-page regions are small allocations made while the stub ran.

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 13:22

Reported

2024-05-21 13:25

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe"

Signatures

UPX packed file

upx
25 matches; no description, indicator, process or target recorded for any of them.

VMProtect packed file

vmprotect
11 matches; no description, indicator, process or target recorded for any of them.

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe
Description, indicator, target: not recorded

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe
Indicator, target: not recorded

Processes

C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe

"C:\Users\Admin\AppData\Local\Temp\721aae198a174981b3fe1c1967d5d933f7cbd17b855402dee8a9639bc35538e0.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

The process list records no parent/child relationships, so this page does not establish whether msedge.exe was started by the sample or by the Windows 10 image itself; its --type=utility switch marks it as a Chromium utility child process rather than a browser window, and no such process appears in the Windows 7 run.

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           22.160.190.20.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa    udp
US       8.8.8.8:53           www.5ipz.com                   udp
CN       113.75.20.79:19668   www.5ipz.com                   tcp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa     udp
US       8.8.8.8:53           5ipz.com                       udp
CN       113.75.20.79:19668   5ipz.com                       tcp
CN       120.76.220.47:19668  (no domain logged)             tcp
US       8.8.8.8:53           77.190.18.2.in-addr.arpa       udp
US       8.8.8.8:53           chromewebstore.googleapis.com  udp
US       8.8.8.8:53           chromewebstore.googleapis.com  udp
GB       142.250.187.202:443  chromewebstore.googleapis.com  tcp
US       8.8.8.8:53           202.187.250.142.in-addr.arpa   udp
US       8.8.8.8:53           253.15.104.51.in-addr.arpa     udp

Rows of the form <reversed-ip>.in-addr.arpa are PTR lookups made by the Windows 10 image (202.187.250.142.in-addr.arpa, for instance, is the PTR name for 142.250.187.202, the host contacted two rows earlier), and the chromewebstore.googleapis.com traffic is consistent with the Microsoft Edge utility process listed in this run. None of that appears in the Windows 7 run. The indicators common to both runs, and therefore attributable to the sample, are 5ipz.com, www.5ipz.com, 113.75.20.79:19668 and 120.76.220.47:19668.
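The two Network tables mix sample traffic with resolver chatter, PTR lookups and the analysis image's own background connections. The following added example (not the sandbox's code) does the separation programmatically: it parses the rows as printed in this report (RUN2 is abridged to one row of each kind), discards the resolver and PTR noise, drops domains on an assumed allow-list of image background traffic (NOISE_SUFFIXES, here only googleapis.com for the Edge process), and intersects the runs so that only indicators reproduced on both OS images survive, defanged for sharing.

```python
"""Network-table triage for a two-run sandbox report (added example)."""
import re

# Table rows copied from the Network sections above; RUN2 is abridged.
RUN1 = """\
US 8.8.8.8:53 www.5ipz.com udp
CN 113.75.20.79:19668 www.5ipz.com tcp
US 8.8.8.8:53 5ipz.com udp
CN 113.75.20.79:19668 5ipz.com tcp
CN 120.76.220.47:19668 tcp"""

RUN2 = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 www.5ipz.com udp
CN 113.75.20.79:19668 www.5ipz.com tcp
US 8.8.8.8:53 5ipz.com udp
CN 113.75.20.79:19668 5ipz.com tcp
CN 120.76.220.47:19668 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp"""

# Background traffic of the analysis image itself (the Edge utility process in
# behavioral2). Assumed list; extend it per sandbox image, never per sample.
NOISE_SUFFIXES = (".googleapis.com",)

# "Country Destination [Domain] Proto"; the Domain column may be empty.
ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def triage_run(rows, noise_suffixes=NOISE_SUFFIXES):
    """Split one run's rows into indicator candidates and the three kinds of noise."""
    out = {"dns_queries": set(), "reverse_lookups": set(), "noise": set(),
           "endpoints": set(), "domains": set()}
    for r in rows:
        dom, endpoint = r["domain"], f"{r['ip']}:{r['port']}"
        if dom and dom.endswith(".in-addr.arpa"):
            out["reverse_lookups"].add(dom)          # PTR lookups of earlier peers, not sample intent
        elif dom and dom.endswith(noise_suffixes):
            out["noise"].add(dom if r["port"] == 53 else endpoint)
        elif r["proto"] == "udp" and r["port"] == 53:
            if dom:
                out["dns_queries"].add(dom)          # the resolver itself is not an indicator
        else:
            out["endpoints"].add(endpoint)
            if dom:
                out["domains"].add(dom)
    return out


def shared_indicators(*runs):
    """Indicators present in every run: attributable to the sample, not to one image."""
    endpoints = set.intersection(*(r["endpoints"] for r in runs))
    domains = set.intersection(*(r["domains"] for r in runs))
    ports = {int(e.rsplit(":", 1)[1]) for e in endpoints}
    return {"endpoints": endpoints, "domains": domains, "ports": ports}


def defang(indicator):
    """Neutralise an IP, host:port or domain for pasting into a report ('5ipz[.]com')."""
    return indicator.replace(".", "[.]")


def ioc_lines(shared):
    return sorted(defang(i) for i in shared["endpoints"] | shared["domains"])


if __name__ == "__main__":
    runs = [triage_run(parse_rows(RUN1)), triage_run(parse_rows(RUN2))]
    for line in ioc_lines(shared_indicators(*runs)):
        print(line)
```

The intersection is the important step: a single run cannot tell sample traffic from image traffic, but anything that recurs on two different OS images while the background set changes is the sample's. The single shared port, 19668, is the natural pivot for a network rule.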

Files

Memory dumps of PID 2348: 46 files named memory/2348-<seq>-<start>-<end>-memory.dmp (addresses below shown without the 16-digit zero padding used in the file names), grouped by region with the dump sequence numbers in parentheses:

0x00400000-0x02382000  0x1F82000 bytes  11 dumps (9, 11, 13, 60, 61, 62, 63, 64, 65, 66, 67)
0x00F15000-0x013EC000  0x4D7000 bytes   2 dumps  (0, 68)
0x02440000-0x02441000  0x1000 bytes     1 dump   (1)
0x02960000-0x02961000  0x1000 bytes     1 dump   (2)
0x02990000-0x02991000  0x1000 bytes     1 dump   (3)
0x029B0000-0x029B1000  0x1000 bytes     1 dump   (4)
0x029C0000-0x029C1000  0x1000 bytes     1 dump   (5)
0x029D0000-0x029D1000  0x1000 bytes     1 dump   (6)
0x04290000-0x04291000  0x1000 bytes     1 dump   (7)
0x042A0000-0x042A1000  0x1000 bytes     1 dump   (8)
0x10000000-0x1003E000  0x3E000 bytes    25 dumps (14, 16, 17, 18, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59)

The two large regions seen on Windows 7 (0x00400000-0x02382000 and 0x10000000-0x1003E000) recur on Windows 10 at exactly the same addresses, so neither the image nor the module at the DLL base is being relocated between runs. The final image dump here (67) is the Windows 10 counterpart of dump 92 in the Windows 7 run. The 0x4D7000-byte region at 0x00F15000 was captured first and last and has no counterpart on Windows 7; the report gives nothing further about it.
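Both Files sections are long lists of memory/<pid>-<seq>-<start>-<end>-memory.dmp names, and the first thing an analyst does with them is group by region and pick the last snapshot of the image to load into a disassembler. The following added example (not the sandbox's tooling) does that for any run of this format. The dump names embedded in SAMPLE_DUMPS are a subset of the behavioral1 list above; the base-address heuristics in label_region (0x00400000 as the default 32-bit EXE base, 0x10000000 as the default 32-bit DLL base) are the linker defaults and are labelled as heuristics in the output.

```python
"""Group sandbox memory dumps by region and select the final image snapshot (added example)."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DEFAULT_EXE_BASE = 0x00400000   # linker default ImageBase for 32-bit executables
DEFAULT_DLL_BASE = 0x10000000   # linker default ImageBase for 32-bit DLLs
PAGE = 0x1000

# Subset of the behavioral1 file list on this page (PID 1940), in the order printed.
SAMPLE_DUMPS = [
    "memory/1940-0-0x0000000000400000-0x0000000002382000-memory.dmp",
    "memory/1940-1-0x00000000003E0000-0x00000000003E1000-memory.dmp",
    "memory/1940-30-0x0000000002400000-0x0000000002401000-memory.dmp",
    "memory/1940-5-0x00000000003E0000-0x00000000003E1000-memory.dmp",
    "memory/1940-42-0x0000000000400000-0x0000000002382000-memory.dmp",
    "memory/1940-63-0x0000000010000000-0x000000001003E000-memory.dmp",
    "memory/1940-44-0x0000000010000000-0x000000001003E000-memory.dmp",
    "memory/1940-92-0x0000000000400000-0x0000000002382000-memory.dmp",
]


def parse_dump_name(name):
    """Return (pid, seq, start, end) from a dump file name."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def label_region(start, size):
    """Heuristic label from base address and size (assumptions, not report data)."""
    if start == DEFAULT_EXE_BASE and size >= 1 << 20:
        return "probable main image (default EXE base)"
    if start == DEFAULT_DLL_BASE:
        return "probable module at default DLL base"
    if size == PAGE:
        return "single page (scratch allocation)"
    return "unclassified"


def group_regions(names):
    """One row per (start, end) region, sorted by address, with its sorted dump sequence numbers."""
    by_region = defaultdict(list)
    for name in names:
        _pid, seq, start, end = parse_dump_name(name)
        by_region[(start, end)].append(seq)
    rows = []
    for (start, end), seqs in sorted(by_region.items()):
        rows.append({"start": start, "end": end, "size": end - start,
                     "seqs": sorted(seqs), "label": label_region(start, end - start)})
    return rows


def final_image_dump(names):
    """Highest-sequence dump of the largest region: the snapshot most likely to hold unpacked code."""
    best = None
    for name in names:
        _pid, seq, start, end = parse_dump_name(name)
        key = (end - start, seq)
        if best is None or key > best[0]:
            best = (key, name)
    return best[1] if best else None


def summary(names):
    return [f"{r['start']:#010x}-{r['end']:#010x}  {r['size']:#x} bytes  "
            f"{len(r['seqs'])} dump(s) {r['seqs']}  {r['label']}" for r in group_regions(names)]


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_DUMPS)))
    print("load into disassembler:", final_image_dump(SAMPLE_DUMPS))
```

Diffing consecutive dumps of the same region (here 0, 42 and 92 for the image) shows when the packer stub finished writing: the first dump that no longer changes at the entry point is the unpacked code, and the earlier ones show the stub at work.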