Malware Analysis Report

2025-01-22 13:05

Sample ID 240626-ccry8a1arj
Target c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156
SHA256 c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156

Threat Level: Shows suspicious behavior

The file c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156 was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

Loads dropped DLL

VMProtect packed file

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 01:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 01:56

Reported

2024-06-26 01:58

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156.exe

"C:\Users\Admin\AppData\Local\Temp\c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 420

Network

N/A

Files

memory/1684-27-0x0000000001E60000-0x0000000001E61000-memory.dmp

memory/1684-29-0x0000000001E60000-0x0000000001E61000-memory.dmp

memory/1684-24-0x0000000001E50000-0x0000000001E51000-memory.dmp

memory/1684-22-0x0000000001E50000-0x0000000001E51000-memory.dmp

memory/1684-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1684-17-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1684-14-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1684-12-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1684-9-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1684-7-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1684-5-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1684-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1684-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1684-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1684-34-0x0000000000400000-0x0000000001E4F000-memory.dmp

memory/1684-33-0x0000000000400000-0x0000000001E4F000-memory.dmp

\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

MD5 8b6c94bbdbfb213e94a5dcb4fac28ce3
SHA1 b56102ca4f03556f387f8b30e2b404efabe0cb65
SHA256 982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53
SHA512 9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

memory/1684-39-0x0000000004C10000-0x0000000004DDD000-memory.dmp

memory/1684-41-0x0000000004C10000-0x0000000004DDD000-memory.dmp

memory/1684-45-0x0000000004C10000-0x0000000004DDD000-memory.dmp

memory/1684-46-0x0000000000400000-0x0000000001E4F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 01:56

Reported

2024-06-26 01:59

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156.exe

"C:\Users\Admin\AppData\Local\Temp\c811ab102dcf299138db5d8ef73f3922738a163917c0f077324459e52c59c156.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2272 -ip 2272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 992

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

memory/2272-0-0x0000000002000000-0x0000000002001000-memory.dmp

memory/2272-1-0x0000000002030000-0x0000000002031000-memory.dmp

memory/2272-7-0x0000000000C21000-0x00000000012EA000-memory.dmp

memory/2272-6-0x0000000000400000-0x0000000001E4F000-memory.dmp

memory/2272-5-0x0000000003D40000-0x0000000003D41000-memory.dmp

memory/2272-4-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/2272-3-0x0000000003D20000-0x0000000003D21000-memory.dmp

memory/2272-2-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

MD5 8b6c94bbdbfb213e94a5dcb4fac28ce3
SHA1 b56102ca4f03556f387f8b30e2b404efabe0cb65
SHA256 982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53
SHA512 9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

memory/2272-15-0x0000000005130000-0x00000000052FD000-memory.dmp

memory/2272-17-0x0000000005130000-0x00000000052FD000-memory.dmp

memory/2272-21-0x0000000005130000-0x00000000052FD000-memory.dmp

memory/2272-22-0x0000000000C21000-0x00000000012EA000-memory.dmp

memory/2272-23-0x0000000000400000-0x0000000001E4F000-memory.dmp