Malware Analysis Report

2025-01-22 12:57

Sample ID 240626-brpa7syelr
Target d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78
SHA256 d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78
Tags
vmprotect upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78

Threat Level: Shows suspicious behavior

The file d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect upx

VMProtect packed file

UPX packed file

Enumerates connected drives

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 01:22

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 01:22

Reported

2024-06-26 01:25

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe

"C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip.yinliu2.com udp
HK 8.218.194.237:80 ip.yinliu2.com tcp
US 8.8.8.8:53 pv.sohu.com udp
GB 43.132.64.25:80 pv.sohu.com tcp
CN 222.211.73.252:3001 tcp
CN 222.211.73.252:3002 tcp
CN 222.211.73.252:3000 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 01:22

Reported

2024-06-26 01:25

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe

"C:\Users\Admin\AppData\Local\Temp\d8df3d7d2a614de55ed4d741359289e8cd5bb1da2f87f64c94c629f48ff7ca78.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2708,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=4540 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 ip.yinliu2.com udp
BE 88.221.83.187:443 www.bing.com tcp
HK 8.218.194.237:80 ip.yinliu2.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 pv.sohu.com udp
GB 43.132.64.25:80 pv.sohu.com tcp
CN 222.211.73.252:3000 tcp
US 8.8.8.8:53 237.194.218.8.in-addr.arpa udp
US 8.8.8.8:53 25.64.132.43.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CN 222.211.73.252:3002 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
CN 222.211.73.252:3001 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files
