Malware Analysis Report

2025-01-22 12:49

Sample ID 240521-rpmycsha6y
Target 5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3
SHA256 5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3
Tags: vmprotect
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3

Threat Level: Shows suspicious behavior

The file 5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-21 14:22

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 14:22
Reported: 2024-05-21 14:24
Platform: win7-20231129-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe

"C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 techie258.lofter.com udp
SG 8.219.190.98:443 techie258.lofter.com tcp
US 8.8.8.8:53 www.tutule4d.com udp
CN 101.42.45.7:6678 www.tutule4d.com tcp
CN 101.42.45.7:6678 www.tutule4d.com tcp

Files

memory/1072-2-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1072-0-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1072-29-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1072-27-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1072-24-0x0000000000360000-0x0000000000361000-memory.dmp

memory/1072-22-0x0000000000360000-0x0000000000361000-memory.dmp

memory/1072-19-0x0000000000350000-0x0000000000351000-memory.dmp

memory/1072-17-0x0000000000350000-0x0000000000351000-memory.dmp

memory/1072-14-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1072-12-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1072-9-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1072-7-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1072-5-0x0000000000330000-0x0000000000331000-memory.dmp

\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

MD5 707aa56cf742eb934185edf0a69d7289
SHA1 dab68976c4bd2d420c8adcd268fc1ffdd5e277e0
SHA256 3582d7ad93c54c2efddac6df4cf7d9e4b2ef1d8895dc9d12a781faf3cfb8bf12
SHA512 8be50ffedd0a250b4519069cec5781a9d0182fe47dce79c1991fc775a9580550c4b512de37e3423dc5d22013dce4cdcb1f178becbf5ef8ccb610c7ccd6d0f54d

memory/1072-37-0x00000000009BA000-0x0000000000E8C000-memory.dmp

memory/1072-43-0x0000000000400000-0x000000000178B000-memory.dmp

memory/1072-4-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1072-34-0x0000000000380000-0x0000000000381000-memory.dmp

memory/1072-32-0x0000000000380000-0x0000000000381000-memory.dmp

memory/1072-30-0x0000000000380000-0x0000000000381000-memory.dmp

memory/1072-44-0x0000000000400000-0x000000000178B000-memory.dmp

memory/1072-45-0x0000000000400000-0x000000000178B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 14:22
Reported: 2024-05-21 14:24
Platform: win10v2004-20240508-en
Max time kernel: 143s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe

"C:\Users\Admin\AppData\Local\Temp\5c5c64372704f24c6a7fe22f061008d21c9ad20685462643e5d0633520402fb3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 techie258.lofter.com udp
SG 8.219.190.98:443 techie258.lofter.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 98.190.219.8.in-addr.arpa udp
CN 8.141.58.141:6678 N/A tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CN 8.141.58.141:6678 N/A tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1172-9-0x00000000009BA000-0x0000000000E8C000-memory.dmp

memory/1172-7-0x0000000000400000-0x000000000178B000-memory.dmp

memory/1172-6-0x0000000003680000-0x0000000003681000-memory.dmp

memory/1172-5-0x0000000003670000-0x0000000003671000-memory.dmp

memory/1172-4-0x00000000018E0000-0x00000000018E1000-memory.dmp

memory/1172-3-0x00000000018D0000-0x00000000018D1000-memory.dmp

memory/1172-2-0x00000000018A0000-0x00000000018A1000-memory.dmp

memory/1172-1-0x0000000001880000-0x0000000001881000-memory.dmp

memory/1172-0-0x0000000001870000-0x0000000001871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HPSocket4C.dll

MD5 707aa56cf742eb934185edf0a69d7289
SHA1 dab68976c4bd2d420c8adcd268fc1ffdd5e277e0
SHA256 3582d7ad93c54c2efddac6df4cf7d9e4b2ef1d8895dc9d12a781faf3cfb8bf12
SHA512 8be50ffedd0a250b4519069cec5781a9d0182fe47dce79c1991fc775a9580550c4b512de37e3423dc5d22013dce4cdcb1f178becbf5ef8ccb610c7ccd6d0f54d

memory/1172-16-0x0000000000400000-0x000000000178B000-memory.dmp

memory/1172-17-0x0000000000400000-0x000000000178B000-memory.dmp