Malware Analysis Report

2025-01-22 12:59

Sample ID 240626-nj7tssvgmk
Target beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672
SHA256 beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672
Tags upx vmprotect
Score 7/10

Analysis Overview

Score 7/10

SHA256

beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672

Threat Level: Shows suspicious behavior

The file beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672 was found to show suspicious behavior.

Malicious Activity Summary

upx vmprotect

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 11:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 11:26

Reported

2024-06-26 11:29

Platform

win7-20240419-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wxrobot.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~1\COMMON~1 C:\Users\Admin\AppData\Local\Temp\beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672.exe

"C:\Users\Admin\AppData\Local\Temp\beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672.exe"

C:\Users\Admin\AppData\Local\Temp\wxrobot.exe

C:\Users\Admin\AppData\Local\Temp\wxrobot.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\wxrobot.exe

MD5 76544e1bdec1faf0479ba42233fab383
SHA1 c5010237c0da0750cacb6f6403a04becae34a8c8
SHA256 beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672
SHA512 3e4494956eb16e51108727eba4f4fbb52de731ae85f3ad9f79a33ba3a5a1c3f2b9917985cfbf6d881eeb40941a91b1c6e187748b2547eb4ad011f0ad3c3d00f4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 11:26

Reported

2024-06-26 11:29

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wxrobot.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~1\COMMON~1 C:\Users\Admin\AppData\Local\Temp\beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672.exe

"C:\Users\Admin\AppData\Local\Temp\beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672.exe"

C:\Users\Admin\AppData\Local\Temp\wxrobot.exe

C:\Users\Admin\AppData\Local\Temp\wxrobot.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wxrobot.exe

MD5 76544e1bdec1faf0479ba42233fab383
SHA1 c5010237c0da0750cacb6f6403a04becae34a8c8
SHA256 beea1ddc31b23101043a9fcd847d896dd65eed4df163fdb9c36452812d798672
SHA512 3e4494956eb16e51108727eba4f4fbb52de731ae85f3ad9f79a33ba3a5a1c3f2b9917985cfbf6d881eeb40941a91b1c6e187748b2547eb4ad011f0ad3c3d00f4