Malware Analysis Report

2025-01-22 13:01

Sample ID 240626-j6nbfsxepp
Target c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f
SHA256 c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f

Threat Level: Shows suspicious behavior

The file c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses
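
Two of the summary findings, "VMProtect packed file" and "Unsigned PE", are static checks that can be reproduced without detonating anything. The following is an added example, not the sandbox's own detection logic and not code from the report: it walks a PE image's section table and its Certificate Table data-directory entry, flags VMProtect's default .vmp* section names and any section with near-uniform byte entropy, and reports an absent Authenticode table as unsigned. The sample itself is not reproduced here, so the code builds a small synthetic PE32 inline; the section-name and entropy thresholds are assumptions about how such a signature is commonly written, not the sandbox's rule.

```python
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Certificate Table (Authenticode blob)


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniform; packed or encrypted code sits near it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image):
    """Return section (name, entropy) pairs and the Certificate Table (rva, size)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_start = {0x10B: 96, 0x20B: 112}[magic]      # data directories: PE32 vs PE32+
    sec_dir = struct.unpack_from(
        "<II", image, opt + dd_start + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, opt + opt_size + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("latin-1"), shannon_entropy(raw)))
    return {"sections": sections, "security_dir": sec_dir}


def triage(image):
    """Apply the three heuristics; order matches the report's summary wording."""
    info = parse_pe(image)
    findings = []
    if any(name.startswith(".vmp") for name, _ in info["sections"]):
        findings.append("VMProtect packed file")     # default VMProtect section names
    if any(ent > 7.0 for _, ent in info["sections"]):
        findings.append("high-entropy section")      # survives renamed sections
    if info["security_dir"] == (0, 0):
        findings.append("Unsigned PE")               # no Authenticode table at all
    return findings


def triage_file(path):
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_synthetic_pe(payload, file_align=0x200):
    """Constructed PE32 from {section_name: bytes}; no Certificate Table entry."""
    nsec = len(payload)
    opt_size = 224                                   # PE32 optional header, 16 dirs
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * nsec) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)      # FileAlignment
    struct.pack_into("<I", opt, 60, hdr_len)         # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes; dirs stay zero
    table, body, raw_ptr, rva = b"", b"", hdr_len, 0x1000
    for name, data in payload.items():
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += -(-raw_size // 0x1000) * 0x1000
    struct.pack_into("<I", opt, 56, rva)             # SizeOfImage
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(hdr_len, b"\0") + body


# Constructed stand-in for the sample: a stub .text plus a uniform-byte ".vmp0"
# section that mimics the entropy of VMProtect's encrypted, virtualized code.
SYNTHETIC = build_synthetic_pe({
    ".text": b"\x90" * 200 + b"\xC3",
    ".vmp0": bytes(range(256)) * 16,
})

if __name__ == "__main__":
    for name, ent in parse_pe(SYNTHETIC)["sections"]:
        print(f"{name:<8} entropy={ent:.2f}")
    print(triage(SYNTHETIC))
```

triage_file() takes a path, so the same check can be run on the dropped executables listed under Files in each behavioral analysis. The .vmp section-name rule is the cheap one and disappears when a build renames its sections; the entropy rule is what still fires in that case, at the cost of also flagging ordinary compressed resources, which is why the two are reported separately.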

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 08:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 08:16

Reported

2024-06-26 08:19

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe

"C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe"

C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe

C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 os.ljq520.top udp
CN 120.27.243.153:32520 os.ljq520.top tcp
CN 120.27.243.153:32520 os.ljq520.top tcp
CN 120.27.243.153:32520 os.ljq520.top tcp
US 8.8.8.8:53 os.ieycc.com udp

Files

memory/1644-4-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1644-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1644-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1644-7-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1644-9-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1644-5-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1644-30-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1644-38-0x0000000000EC4000-0x0000000001461000-memory.dmp

memory/1644-39-0x0000000000400000-0x0000000002111000-memory.dmp

memory/1644-35-0x0000000000400000-0x0000000002111000-memory.dmp

memory/1644-34-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1644-32-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1644-29-0x0000000000320000-0x0000000000321000-memory.dmp

memory/1644-27-0x0000000000320000-0x0000000000321000-memory.dmp

memory/1644-24-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1644-22-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1644-40-0x0000000000400000-0x0000000002111000-memory.dmp

memory/1644-19-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1644-17-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1644-14-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1644-12-0x0000000000270000-0x0000000000271000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E0A0C0B120A156E155A15D0F0D160B0D160D.exe

MD5 075aca639797adb4e31f283b4de0ff9e
SHA1 150cec1ba5c8763d96f8b1e2b22e5dc0aa1adede
SHA256 d6cf2c3101168b34873f56661c425e984b95a46d0944f16e4ed72df17ac1e46b
SHA512 a7e418956ad9f885e2b2b3d5b1b2a3e636da24d4c44a14502979f29afd72448ae884e97b0d515e8f476a818a6424beb4a0ce6d03bdd733db79a9315a347861c2

memory/1644-86-0x0000000000400000-0x0000000002111000-memory.dmp

memory/1644-83-0x0000000000EC4000-0x0000000001461000-memory.dmp

memory/2808-71-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2808-69-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2808-66-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2808-64-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2808-61-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2808-59-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2808-56-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2808-54-0x0000000000250000-0x0000000000251000-memory.dmp

\Users\Admin\AppData\Roaming\testing.dat

MD5 22ec14d2b15f50d872a9befc5fdf4ad4
SHA1 f4347c8222b62b152608baeebe54776ad9cde997
SHA256 b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
SHA512 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 08:16

Reported

2024-06-26 08:19

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe

"C:\Users\Admin\AppData\Local\Temp\c31593901343aabce327ff867f8963a3bcaefe318c96478a6b582a441c2c037f.exe"

C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe

C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3668 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 os.ljq520.top udp
CN 120.27.243.153:32520 os.ljq520.top tcp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CN 120.27.243.153:32520 os.ljq520.top tcp
CN 120.27.243.153:32520 os.ljq520.top tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 os.ieycc.com udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
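
The two Network tables above (behavioral1 and behavioral2) mix the sample's own traffic with sandbox noise: PTR lookups under in-addr.arpa sent to 8.8.8.8, and a TCP connection to 142.250.187.202:443 that the table ties to no domain, recorded in a run that also started msedge.exe. Only os.ljq520.top, its contacted endpoint 120.27.243.153:32520/tcp, and the queried-but-never-contacted os.ieycc.com come from rows that name a domain. The following is an added example, not part of the report, that applies those rules to the report's rows and runs the resulting indicator set over constructed key=value log lines; the log format, the log lines and the helper names are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# De-duplicated rows copied from the report's two Network tables; the rows
# omitted are further in-addr.arpa lookups of the same kind.
REPORT_NETWORK = """\
US 8.8.8.8:53 os.ljq520.top udp
CN 120.27.243.153:32520 os.ljq520.top tcp
US 8.8.8.8:53 os.ieycc.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
"""

SANDBOX_RESOLVER = "8.8.8.8"   # the sandbox's DNS forwarder, never an indicator


@dataclass
class IOCSet:
    domains: set = field(default_factory=set)       # names the sample looked up
    endpoints: set = field(default_factory=set)     # (ip, port) tied to a name
    unattributed: set = field(default_factory=set)  # destinations with no domain


def parse_report_rows(text):
    """Split 'Country Destination Domain Proto' rows into indicators and noise.

    Assumed rules: in-addr.arpa queries are reverse lookups and are dropped;
    UDP/53 to the resolver records the queried name even when nothing
    connected to it; a destination with a domain column becomes an endpoint;
    a destination with no domain cannot be attributed from the table alone
    and is set aside rather than matched.
    """
    iocs = IOCSet()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        dest, proto = parts[1], parts[-1]
        domain = parts[2].lower() if len(parts) == 4 else None
        ip, _, port = dest.rpartition(":")
        ipaddress.ip_address(ip)             # raises on a malformed row
        port = int(port)
        if domain and domain.endswith(".in-addr.arpa"):
            continue
        if proto == "udp" and port == 53 and ip == SANDBOX_RESOLVER:
            if domain:
                iocs.domains.add(domain)
            continue
        if domain:
            iocs.domains.add(domain)
            iocs.endpoints.add((ip, port))
        else:
            iocs.unattributed.add((ip, port))
    return iocs


# Constructed log lines standing in for DNS and connection logs.
SAMPLE_LOGS = [
    "ts=2024-06-26T08:17:01Z kind=dns src=10.0.0.5 query=os.ljq520.top qtype=A",
    "ts=2024-06-26T08:17:02Z kind=conn src=10.0.0.5 dst=120.27.243.153 dport=32520 proto=tcp",
    "ts=2024-06-26T08:17:03Z kind=conn src=10.0.0.5 dst=142.250.187.202 dport=443 proto=tcp",
    "ts=2024-06-26T08:17:04Z kind=dns src=10.0.0.7 query=OS.LJQ520.TOP. qtype=A",
    "ts=2024-06-26T08:17:05Z kind=dns src=10.0.0.9 query=os.ieycc.com qtype=A",
    "ts=2024-06-26T08:17:06Z kind=conn src=10.0.0.9 dst=120.27.243.153 dport=443 proto=tcp",
]

KV = re.compile(r"(\w+)=(\S+)")


def match_logs(lines, iocs):
    """Return (src, indicator) pairs for lines that touch an indicator."""
    hits = []
    for line in lines:
        f = dict(KV.findall(line))
        if f.get("kind") == "dns":
            name = f.get("query", "").lower().rstrip(".")   # case- and dot-insensitive
            if name in iocs.domains:
                hits.append((f["src"], "dns:" + name))
        elif f.get("kind") == "conn":
            ep = (f.get("dst"), int(f.get("dport", 0)))
            if ep in iocs.endpoints:
                hits.append((f["src"], "conn:%s:%d" % ep))
    return hits


if __name__ == "__main__":
    iocs = parse_report_rows(REPORT_NETWORK)
    print("domains:", sorted(iocs.domains))
    print("endpoints:", sorted(iocs.endpoints))
    print("unattributed:", sorted(iocs.unattributed))
    for src, indicator in match_logs(SAMPLE_LOGS, iocs):
        print(f"{src} -> {indicator}")
```

The exact (ip, port) match keeps the constructed 443 connection to 120.27.243.153 out of the hits; widen endpoints to bare IPs if the port in the report is treated as incidental. The unattributed set belongs on a watch list, not a block list, until something ties it to the sample.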

Files

memory/2260-0-0x0000000000EC4000-0x0000000001461000-memory.dmp

memory/2260-1-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/2260-2-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2260-4-0x0000000002730000-0x0000000002731000-memory.dmp

memory/2260-3-0x0000000002720000-0x0000000002721000-memory.dmp

memory/2260-6-0x0000000002750000-0x0000000002751000-memory.dmp

memory/2260-5-0x0000000002740000-0x0000000002741000-memory.dmp

memory/2260-7-0x0000000000400000-0x0000000002111000-memory.dmp

memory/2260-8-0x0000000002760000-0x0000000002761000-memory.dmp

memory/2260-11-0x0000000000400000-0x0000000002111000-memory.dmp

memory/2260-12-0x0000000000400000-0x0000000002111000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1F0E0E0F120A156A155B15E0B0B160A0C160C.exe

MD5 fc621d4a96b1f5a78d1572425e781341
SHA1 9eda2e7aac28052a66dc3a8ebc553257d3560af1
SHA256 2a4a270b899fee6e524bae68b3c02353cb5c5a8a197c7ebada9c1390d10e8d70
SHA512 69b6cbc331bb100da5eff918860df5bd01adcd146c2f98fbc36352f715835ee7c4c8751350fa3743c557df75177f8c696ed58ccf287a675fb0eeeff46b4f58d4

memory/3536-18-0x0000000002200000-0x0000000002201000-memory.dmp

memory/2260-28-0x0000000000EC4000-0x0000000001461000-memory.dmp

memory/3536-29-0x0000000000400000-0x0000000002111000-memory.dmp

memory/2260-30-0x0000000000400000-0x0000000002111000-memory.dmp

memory/3536-31-0x0000000000400000-0x0000000002111000-memory.dmp

C:\Users\Admin\AppData\Roaming\testing.dat

MD5 22ec14d2b15f50d872a9befc5fdf4ad4
SHA1 f4347c8222b62b152608baeebe54776ad9cde997
SHA256 b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
SHA512 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240

memory/3536-37-0x0000000073450000-0x000000007377D000-memory.dmp