Malware Analysis Report

2025-01-22 12:59

Sample ID  240626-j66g2avdja
Target     05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511
SHA256     05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511
Tags       vmprotect
Score      7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score   7/10
SHA256  05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511

Threat Level: Shows suspicious behavior

Verdict for 05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511: suspicious behavior observed; this is not a confirmed malware-family classification (score 7/10). The sample is an unsigned, VMProtect-packed PE that writes and executes a second hex-named executable from %TEMP%, writes testing.dat to %APPDATA%\Roaming, and resolves os.ljq520.top and os.ieycc.com. The dropped executable's file name and hashes differ between the two detonations below, while testing.dat is byte-identical in both. Only the Windows 7 run went beyond DNS: it opened three TCP connections to 120.27.243.153:32520 after resolving os.ljq520.top.

Malicious Activity Summary

vmprotect

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Note: NtSetInformationThreadHideFromDebugger (ThreadHideFromDebugger) is an anti-debugging call that stops a thread's debug events from reaching an attached debugger; SetWindowsHookEx installs message or keyboard hooks; WriteProcessMemory writes into another process's address space. These three signatures appear only in this summary; neither detonation's Signatures table below lists them, so this report does not attribute them to a specific process.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 08:17

Signatures

VMProtect packed file (tag: vmprotect)
  1 hit; no description, indicator, process or target recorded.

Unsigned PE
  1 hit; no description, indicator, process or target recorded.
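Both static signatures above can be reproduced without detonating the sample: VMProtect leaves recognisable section names and near-8-bit entropy, and an unsigned PE has an empty certificate table (data directory 4). The following Python is an added example and not part of this report or of the sandbox's own signature logic. It parses the DOS/COFF/optional headers, lists section names with per-section Shannon entropy, flags the default VMProtect section names .vmp0/.vmp1/.vmp2 (an assumption: VMProtect lets the packer rename them, so their absence proves nothing), and reports whether the security data directory is populated. Because the sample itself is not available here, build_pe synthesises minimal PE32 images as constructed test input.

```python
import math
import random
import struct
from collections import Counter

# Default section names emitted by VMProtect (assumption: they are configurable).
VMPROTECT_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}
ENTROPY_THRESHOLD = 7.2          # bits per byte; packed/encrypted data sits near 8.0
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes):
    """Return (sections, has_certificate_table) for a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", pe, opt)
    dd_base = opt + (96 if magic == 0x10B else 112)       # DataDirectory[] start, PE32 vs PE32+
    num_dirs, = struct.unpack_from("<I", pe, dd_base - 4)  # NumberOfRvaAndSizes
    cert_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, table = [], opt + opt_size
    for i in range(num_sections):                         # IMAGE_SECTION_HEADER is 40 bytes
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3)})
    return sections, cert_size > 0


def triage(pe: bytes) -> dict:
    sections, has_cert = parse_pe(pe)
    vmp = [s["name"] for s in sections if s["name"].lower() in VMPROTECT_SECTIONS]
    hot = [s["name"] for s in sections if s["raw_size"] >= 256 and s["entropy"] > ENTROPY_THRESHOLD]
    # A populated certificate table only means a signature blob is present; whether it
    # verifies (chain, hash, timestamp) needs signtool/osslsigncode, not this parser.
    flags = []
    if vmp:
        flags.append("VMProtect packed file")
    if not has_cert:
        flags.append("Unsigned PE")
    return {"vmprotect_sections": vmp, "high_entropy_sections": hot,
            "has_certificate_table": has_cert, "flags": flags}


def build_pe(sections, signed=False) -> bytes:
    """Synthesise a minimal PE32 image (constructed test input, not a real sample)."""
    e_lfanew, opt_size, align = 0x40, 224, 0x200
    n = len(sections)
    headers_len = -(-(e_lfanew + 4 + 20 + opt_size + 40 * n) // align) * align
    hdrs, raw, ptr, va = bytearray(), bytearray(), headers_len, 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % align)
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, len(padded), ptr,
                            0, 0, 0, 0, 0x60000020)
        raw += padded
        ptr += len(padded)
        va += -(-len(data) // 0x1000) * 0x1000
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if signed:                                            # security dir points at a dummy blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, ptr, 8)
        raw += b"\0" * 8
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return bytes(image + b"\0" * (headers_len - len(image)) + raw)


def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: low-entropy .text plus two high-entropy VMProtect sections, no
# certificate table; and a plain single-section image with a (dummy) certificate table.
_rng = random.Random(1337)
PACKED_UNSIGNED = build_pe([(".text", b"\x90" * 1024 + b"\xC3"),
                            (".vmp0", rand_bytes(_rng, 4096)),
                            (".vmp1", rand_bytes(_rng, 2048))])
PLAIN_SIGNED = build_pe([(".text", b"\x90" * 1024 + b"\xC3")], signed=True)

if __name__ == "__main__":
    for label, img in (("packed/unsigned", PACKED_UNSIGNED), ("plain/signed", PLAIN_SIGNED)):
        print(label, triage(img))
```

Run against a real file with `triage(open(path, "rb").read())`. The entropy check is the more robust of the two signals: a repacked or renamed VMProtect build loses its section names but still carries a large 7.9-bit section, which is why the two are reported separately rather than merged into one verdict.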

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 08:17

Reported

2024-06-26 08:20

Platform

win10v2004-20240508-en

Max time kernel

40s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"

Signatures

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
  1 hit; no description, indicator or target recorded.

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
  1 hit; no description, indicator or target recorded.

VMProtect packed file (tag: vmprotect)
  5 hits; no description, indicator, process or target recorded.

Suspicious behavior: EnumeratesProcesses
  16 hits from C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
  16 hits from C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe
  No description, indicator or target recorded.
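"Executes dropped EXE" and "Loads dropped DLL" are correlation signatures: a file written during the trace is later executed, or mapped as an image, by a process in the same tree. The Python below is an added example, not the sandbox's own detection code and not taken from this report. It replays constructed Sysmon-style events (EventID 11 FileCreate, 1 ProcessCreate, 7 ImageLoad) and raises the two signatures, rating a hex-named binary launched from %TEMP% higher. The executable paths and testing.dat come from this run; 4764 and 4744 are the numeric prefixes of this run's memory dumps, taken here as the PIDs (an assumption); helper.dll and the event ordering are invented for the example.

```python
import re

# Sysmon event IDs used by the correlation
FILE_CREATE, PROCESS_CREATE, IMAGE_LOAD = 11, 1, 7

TEMP_DIR = "c:\\users\\admin\\appdata\\local\\temp\\"
HEX_NAME = re.compile(r"^[0-9a-f]{20,}\.exe$")       # long all-hex names, as in both runs here

# Paths from the behavioral2 run of this report. 4764/4744 are assumed PIDs (the memory
# dump prefixes). helper.dll and the event order are constructed and not in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe"
DROPPED_DLL = r"C:\Users\Admin\AppData\Local\Temp\helper.dll"    # hypothetical name
TESTING_DAT = r"C:\Users\Admin\AppData\Roaming\testing.dat"

EVENTS = [
    {"id": PROCESS_CREATE, "pid": 4764, "ppid": 1000, "image": SAMPLE},
    {"id": FILE_CREATE,    "pid": 4764, "target": DROPPED_EXE},
    {"id": FILE_CREATE,    "pid": 4764, "target": TESTING_DAT},
    {"id": FILE_CREATE,    "pid": 4764, "target": DROPPED_DLL},
    {"id": PROCESS_CREATE, "pid": 4744, "ppid": 4764, "image": DROPPED_EXE},
    {"id": IMAGE_LOAD,     "pid": 4744, "image_loaded": DROPPED_DLL},
    {"id": IMAGE_LOAD,     "pid": 4744, "image_loaded": r"C:\Windows\System32\kernel32.dll"},
]


def same_tree(pid, writer, parents):
    """True when `writer` is `pid` itself or one of its ancestors seen so far."""
    while pid is not None:
        if pid == writer:
            return True
        pid = parents.get(pid)
    return False


def detect(events):
    created = {}    # lower-cased path -> pid that wrote it during the trace
    parents = {}    # pid -> ppid, built from ProcessCreate events
    alerts = []
    for ev in events:
        if ev["id"] == FILE_CREATE:
            created[ev["target"].lower()] = ev["pid"]
        elif ev["id"] == PROCESS_CREATE:
            parents[ev["pid"]] = ev["ppid"]
            img = ev["image"].lower()
            if img in created and same_tree(ev["pid"], created[img], parents):
                name = img.rsplit("\\", 1)[-1]
                # Freshly written, hex-named binary started from %TEMP%: the dropper
                # pattern both detonations in this report show. Rate it higher.
                sev = "high" if img.startswith(TEMP_DIR) and HEX_NAME.match(name) else "medium"
                alerts.append({"sig": "Executes dropped EXE", "pid": ev["pid"], "path": ev["image"],
                               "written_by": created[img], "severity": sev})
        elif ev["id"] == IMAGE_LOAD:
            lib = ev["image_loaded"].lower()
            if lib in created and same_tree(ev["pid"], created[lib], parents):
                alerts.append({"sig": "Loads dropped DLL", "pid": ev["pid"], "path": ev["image_loaded"],
                               "written_by": created[lib], "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The same_tree check is what separates a host detection from the sandbox signature: in a detonation every process descends from the sample, so any execution of a file written during the run counts, but on a production endpoint requiring the writer to be the launching process or one of its ancestors removes the noise from installers and updaters that legitimately write and run files across unrelated trees.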

Processes

C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe

"C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"

C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe

C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe

Network

Country  Destination  Domain         Proto
US       8.8.8.8:53   os.ljq520.top  udp
US       8.8.8.8:53   os.ieycc.com   udp
US       8.8.8.8:53   os.ieycc.com   udp

All three entries are DNS lookups sent to the sandbox's resolver (8.8.8.8 is Google Public DNS), so the US geolocation belongs to the resolver, not to the sample's infrastructure. No connection to a resolved address was captured within this run's 49-second network window.

Files

memory/4764-1-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/4764-0-0x0000000002170000-0x0000000002171000-memory.dmp

memory/4764-8-0x0000000000EC4000-0x0000000001461000-memory.dmp

memory/4764-6-0x0000000002760000-0x0000000002761000-memory.dmp

memory/4764-5-0x0000000002750000-0x0000000002751000-memory.dmp

memory/4764-4-0x0000000002740000-0x0000000002741000-memory.dmp

memory/4764-3-0x0000000002730000-0x0000000002731000-memory.dmp

memory/4764-2-0x0000000002720000-0x0000000002721000-memory.dmp

memory/4764-11-0x0000000000400000-0x0000000002111000-memory.dmp

memory/4764-12-0x0000000000400000-0x0000000002111000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E0A0A0B120C156B155E15F0D0E160F0E160F.exe

MD5 7d4c68203073898e59c1f60d3506bee0
SHA1 d59ebbc985a569f92f79d9496f7bddb1d35f6885
SHA256 6fd5db61455d99800b2eccd8b1176fa9809207c3c50d1f42da5146806909b4fd
SHA512 ee931d036fa644ae2918acf8186feab3698eac49f0f44059cc2b4f987113a2f1ccd1a51189d2ba6ddead7059ad673225fdd8d665317c1d85a861b42261f576d0

memory/4744-19-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/4744-18-0x0000000002290000-0x0000000002291000-memory.dmp

memory/4744-24-0x0000000002630000-0x0000000002631000-memory.dmp

memory/4744-23-0x0000000002620000-0x0000000002621000-memory.dmp

memory/4744-22-0x0000000002600000-0x0000000002601000-memory.dmp

memory/4744-21-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/4744-20-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/4744-28-0x0000000000400000-0x0000000002111000-memory.dmp

memory/4764-29-0x0000000000EC4000-0x0000000001461000-memory.dmp

memory/4764-30-0x0000000000400000-0x0000000002111000-memory.dmp

C:\Users\Admin\AppData\Roaming\testing.dat

MD5 22ec14d2b15f50d872a9befc5fdf4ad4
SHA1 f4347c8222b62b152608baeebe54776ad9cde997
SHA256 b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
SHA512 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240

memory/4744-37-0x0000000073B00000-0x0000000073E2D000-memory.dmp

memory/4744-41-0x0000000000400000-0x0000000002111000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 08:17

Reported

2024-06-26 08:20

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"

Signatures

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe
  1 hit; no description, indicator or target recorded.

VMProtect packed file (tag: vmprotect)
  5 hits; no description, indicator, process or target recorded.

Suspicious behavior: EnumeratesProcesses
  8 hits from C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe
  8 hits from C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe
  No description, indicator or target recorded.

Processes

C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe

"C:\Users\Admin\AppData\Local\Temp\05bf5c90ddb1600874328b35875ad66a588606f126b9427e3fe68c54fcdf6511.exe"

C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe

C:\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe

Network

Country  Destination           Domain         Proto
US       8.8.8.8:53            os.ljq520.top  udp
CN       120.27.243.153:32520  os.ljq520.top  tcp
CN       120.27.243.153:32520  os.ljq520.top  tcp
CN       120.27.243.153:32520  os.ljq520.top  tcp
US       8.8.8.8:53            os.ieycc.com   udp

The 8.8.8.8:53 rows are DNS lookups to the sandbox's resolver. The three TCP connections to 120.27.243.153:32520, made after os.ljq520.top resolved, are the only non-DNS traffic in either detonation and are the indicators worth blocking or hunting for; os.ieycc.com was resolved but no connection to it was recorded.

Files

memory/2928-4-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2928-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2928-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2928-34-0x0000000002140000-0x0000000002141000-memory.dmp

memory/2928-38-0x0000000000EC4000-0x0000000001461000-memory.dmp

memory/2928-32-0x0000000002140000-0x0000000002141000-memory.dmp

memory/2928-30-0x0000000002140000-0x0000000002141000-memory.dmp

memory/2928-29-0x0000000002130000-0x0000000002131000-memory.dmp

memory/2928-27-0x0000000002130000-0x0000000002131000-memory.dmp

memory/2928-24-0x0000000002120000-0x0000000002121000-memory.dmp

memory/2928-22-0x0000000002120000-0x0000000002121000-memory.dmp

memory/2928-19-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2928-17-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2928-14-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2928-12-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2928-9-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2928-7-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2928-5-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2928-35-0x0000000000400000-0x0000000002111000-memory.dmp

memory/2928-39-0x0000000000400000-0x0000000002111000-memory.dmp

memory/2928-40-0x0000000000400000-0x0000000002111000-memory.dmp

\Users\Admin\AppData\Local\Temp\1A0B0B0B120C156F155E15D0A0E160A0E160A.exe

MD5 d1e2e748ba78e4c436446cbf36076c8b
SHA1 6d263a24bd30f46fb1a97e1ea312359b3c364cc3
SHA256 4b2b52e82a6415c8c6a22cf67ed26b37a07c0934386a8d712397b6e5b699773a
SHA512 fafdfaabec86cad43c76234baa76ea8ebd3cd9d588a28d0ab7b598af8b4089ec488a4e3f111139c8327080023c4f2f537f4261e014dd96b2331e0b3bfb7abc6b

memory/2460-71-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2460-69-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2460-66-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2460-64-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2460-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2460-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2928-85-0x0000000000EC4000-0x0000000001461000-memory.dmp

memory/2928-86-0x0000000000400000-0x0000000002111000-memory.dmp

\Users\Admin\AppData\Roaming\testing.dat

MD5 22ec14d2b15f50d872a9befc5fdf4ad4
SHA1 f4347c8222b62b152608baeebe54776ad9cde997
SHA256 b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
SHA512 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240