Malware Analysis Report

2025-01-22 13:00

Sample ID 240626-k45ndszdqr
Target d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4
SHA256 d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4
Tags
vmprotect upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4

Threat Level: Shows suspicious behavior

The file d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect upx

VMProtect packed file

UPX packed file

Enumerates connected drives

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 09:10

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 09:10

Reported

2024-06-26 09:12

Platform

win7-20240419-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4.exe

"C:\Users\Admin\AppData\Local\Temp\d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip1.yinliu2.com udp
CN 222.211.73.252:3002 ip1.yinliu2.com tcp
CN 222.211.73.252:3003 ip1.yinliu2.com tcp
CN 222.211.73.252:3000 ip1.yinliu2.com tcp
CN 222.211.73.252:3001 ip1.yinliu2.com tcp
CN 222.211.73.252:3005 ip1.yinliu2.com tcp
CN 222.211.73.252:3004 ip1.yinliu2.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 09:10

Reported

2024-06-26 09:12

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4.exe

"C:\Users\Admin\AppData\Local\Temp\d2fc2574c3d0c7c842ec55159924a86513913c72d66436e8d01ad9793e43cfb4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3060,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=1312 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ip1.yinliu2.com udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
CN 222.211.73.252:3000 ip1.yinliu2.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.251:443 www.bing.com tcp
US 8.8.8.8:53 251.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CN 222.211.73.252:3002 ip1.yinliu2.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 222.211.73.252:3004 ip1.yinliu2.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
CN 222.211.73.252:3005 ip1.yinliu2.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
CN 222.211.73.252:3003 ip1.yinliu2.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
CN 222.211.73.252:3001 ip1.yinliu2.com tcp

Files
