Malware Analysis Report

2025-03-15 05:52

Sample ID 240627-vtj9ta1fka
Target E.rar
SHA256 6fa520411abb138d517698fbb52b2ac2af01cb424fd0e27a6adbf8c3a2d52535
Tags vmprotect
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 6fa520411abb138d517698fbb52b2ac2af01cb424fd0e27a6adbf8c3a2d52535

Threat Level: Likely malicious

The file E.rar was found to be: Likely malicious. The verdict rests on behavioral2, which runs the extracted E.exe directly. In behavioral1 the archive itself was passed to cmd /c; no handler for .rar is registered in the sandbox image, so that run only raised the OpenWith.exe dialog and shows no activity attributable to the sample.

Malicious Activity Summary

vmprotect

Downloads MZ/PE file

Manipulates Digital Signatures

VMProtect packed file

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 17:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 17:16

Reported

2024-06-27 17:22

Platform

win10v2004-20240611-en

Max time kernel

244s

Max time network

194s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\E.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\E.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 17:16

Reported

2024-06-27 17:22

Platform

win10v2004-20240611-en

Max time kernel

203s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E.exe"

Signatures

Downloads MZ/PE file

Manipulates Digital Signatures

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
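The "VMProtect packed file" signature here and the "Unsigned PE" signature in static1 both come with empty indicator columns, so the report does not show what was matched. The Python below is an added example, not part of this report or of the sandbox's own detection code: it reads only the PE headers, lists the section names (VMProtect-protected binaries normally carry sections named .vmp0, .vmp1, ...), and reports whether the Security data directory that holds an Authenticode signature is populated. The build_sample_pe helper constructs a minimal PE32 header set inline so the check runs offline; it stands in for E.exe, whose bytes the report does not include. Two caveats: a missing .vmp section does not rule VMProtect out, since section names can be renamed, and a populated Security directory only means a signature blob is attached, not that it verifies.

```python
import struct

# VMProtect names the sections it adds ".vmp0", ".vmp1", ...; a renamed or
# stripped stub will not carry them, so a miss proves nothing.
VMP_SECTION_PREFIX = ".vmp"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode signature directory


def parse_pe(data: bytes) -> dict:
    """Read section names and the Security data directory of a PE image.

    Only the headers are touched, so this also works on a partial download
    or a memory dump as long as the headers are intact.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes sits just before the data directory array, which
    # starts at +96 for PE32 (magic 0x10b) and at +112 for PE32+ (0x20b).
    dd_base = opt + (96 if magic == 0x10B else 112)
    num_rva = struct.unpack_from("<I", data, dd_base - 4)[0]
    sec_rva = sec_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_rva, sec_size = struct.unpack_from(
            "<II", data, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    section_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        raw = struct.unpack_from("8s", data, section_table + i * 40)[0]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sections": sections,
        "vmprotect_sections": any(s.startswith(VMP_SECTION_PREFIX) for s in sections),
        # Presence of the blob only; validity needs WinVerifyTrust or signtool.
        "has_authenticode_blob": sec_rva != 0 and sec_size != 0,
    }


def build_sample_pe(section_names, signed=False) -> bytes:
    """Construct a minimal PE32 header set for testing (constructed input, not E.exe)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # PE32 optional header with all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if signed:
        # Point the Security directory at a (fictional) signature blob.
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x2000, 0x1800)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(parse_pe(build_sample_pe([".text", ".vmp0", ".vmp1"])))
    print(parse_pe(build_sample_pe([".text", ".rdata"], signed=True)))
```

Run it against a real sample by replacing the constructed bytes with open(path, "rb").read(); the parser never executes anything from the file.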

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 836 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A
PID 4584 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A
PID 4924 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 836 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 3416 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 756 wrote to memory of 3416 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 756 wrote to memory of 3416 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 756 wrote to memory of 3388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 756 wrote to memory of 3388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 756 wrote to memory of 3388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 756 wrote to memory of 2920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 756 wrote to memory of 2920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 756 wrote to memory of 2920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 836 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 1944 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 1944 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 1944 wrote to memory of 3888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 1944 wrote to memory of 3888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 1944 wrote to memory of 3888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 1944 wrote to memory of 4592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 1944 wrote to memory of 4592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 1944 wrote to memory of 4592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 4584 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 1776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 4904 wrote to memory of 1776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 4904 wrote to memory of 1776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 4904 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 4904 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 4904 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 4904 wrote to memory of 3256 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 4904 wrote to memory of 3256 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 4904 wrote to memory of 3256 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\find.exe
PID 4924 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\E.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\E.exe

"C:\Users\Admin\AppData\Local\Temp\E.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\SysWOW64\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5

C:\Windows\SysWOW64\find.exe

find /i /v "md5"

C:\Windows\SysWOW64\find.exe

find /i /v "certutil"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c title EfsaneTakipci.com

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Users\Admin\AppData\Local\Temp\E.exe

"C:\Users\Admin\AppData\Local\Temp\E.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\SysWOW64\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5

C:\Windows\SysWOW64\find.exe

find /i /v "md5"

C:\Windows\SysWOW64\find.exe

find /i /v "certutil"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c title EfsaneTakipci.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Users\Admin\AppData\Local\Temp\E.exe

"C:\Users\Admin\AppData\Local\Temp\E.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\SysWOW64\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5

C:\Windows\SysWOW64\find.exe

find /i /v "md5"

C:\Windows\SysWOW64\find.exe

find /i /v "certutil"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c title EfsaneTakipci.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause
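The process tree above is the same three times because E.exe was run three times (PIDs 836, 4584, 4924); each instance spawns cmd.exe to run certutil -hashfile on its own image and pipes the output through two find /v filters, which strip the "MD5 hash of ..." and "CertUtil: ..." lines so only the raw hash remains. That is a self-hashing pattern, not an administrator checking a download. The "Manipulates Digital Signatures" entries in the Signatures section are consistent with this: the writer is certutil.exe itself and the values are Microsoft root-program OID names (szOID_ROOT_PROGRAM_*), so they read as a side effect of invoking certutil rather than as separate tampering by E.exe. The Python below is an added example, not the sandbox's detection logic: it reconstructs the first instance's process chain from the report as constructed records (the report does not give E.exe's own parent, so ppid 0 is assumed), adds a constructed benign control, and flags certutil only when the nearest non-cmd.exe ancestor lives outside C:\Windows\. The flag list goes beyond the page's -hashfile to the other commonly abused certutil switches.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# certutil switches routinely used as a living-off-the-land tool. The report
# shows only -hashfile; the others are the usual download/decode companions.
CERTUTIL_SUSPECT_FLAGS = {"-hashfile", "-urlcache", "-decode", "-decodehex", "-encode"}
SYSTEM_ROOT = "c:\\windows\\"

# Constructed from the behavioral2 process list and WriteProcessMemory table
# (first E.exe instance). E.exe's parent is not in the report; 0 is assumed.
SAMPLE_EVENTS = [
    Proc(836, 0, r"C:\Users\Admin\AppData\Local\Temp\E.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\E.exe"'),
    Proc(756, 836, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'),
    Proc(3416, 756, r"C:\Windows\SysWOW64\certutil.exe",
         r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\E.exe" MD5'),
    Proc(3388, 756, r"C:\Windows\SysWOW64\find.exe", 'find /i /v "md5"'),
    Proc(2920, 756, r"C:\Windows\SysWOW64\find.exe", 'find /i /v "certutil"'),
    # Constructed control case: an admin hashing a file from an interactive prompt.
    Proc(5000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(5001, 5000, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    Proc(5002, 5001, r"C:\Windows\System32\certutil.exe", r"certutil -hashfile C:\tools\x.exe SHA256"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """The process followed by its parents, nearest first; stops at unknown PIDs or loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_certutil_abuse(events: List[Proc]) -> List[dict]:
    procs = {p.pid: p for p in events}
    findings = []
    for p in events:
        if basename(p.image).lower() != "certutil.exe":
            continue
        flags = CERTUTIL_SUSPECT_FLAGS.intersection(p.cmdline.lower().split())
        if not flags:
            continue
        chain = ancestry(procs, p.pid)
        # Skip cmd.exe wrappers so "cmd /c certutil ..." is attributed to whatever ran cmd.
        launcher: Optional[Proc] = next(
            (a for a in chain[1:] if basename(a.image).lower() != "cmd.exe"), None)
        if launcher is None or launcher.image.lower().startswith(SYSTEM_ROOT):
            continue  # interactive shell or system component: not this pattern
        parent = chain[1] if len(chain) > 1 else p
        # "| find /v ..." after certutil drops its header/footer lines so only
        # the hash is left: the output is being consumed programmatically.
        filtered = any("find" in seg and "/v" in seg
                       for seg in parent.cmdline.lower().split("|")[1:])
        findings.append({
            "pid": p.pid,
            "flags": sorted(flags),
            "launcher": launcher.image,
            "output_filtered": filtered,
            "chain": " -> ".join(f"{basename(a.image)}({a.pid})" for a in reversed(chain)),
        })
    return findings


if __name__ == "__main__":
    for finding in find_certutil_abuse(SAMPLE_EVENTS):
        print(finding)
```

Feeding real Sysmon event ID 1 or EDR process-creation records into Proc gives the same check on live telemetry; the launcher test is what separates this chain from a user typing certutil at a prompt.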

Network

Country Destination Domain Proto
US 8.8.8.8:53 pvtauth.site udp
N/A 127.0.0.1:58422 tcp
N/A 127.0.0.1:58424 tcp
US 104.21.41.34:443 pvtauth.site tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 34.41.21.104.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58448 tcp
N/A 127.0.0.1:58450 tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58453 tcp
N/A 127.0.0.1:58455 tcp
US 8.8.8.8:53 efsanetakipci.com udp
TR 45.84.189.227:443 efsanetakipci.com tcp
US 8.8.8.8:53 227.189.84.45.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
N/A 127.0.0.1:58473 tcp
N/A 127.0.0.1:58475 tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58478 tcp
N/A 127.0.0.1:58480 tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
TR 45.84.189.227:443 efsanetakipci.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:58488 tcp
N/A 127.0.0.1:58490 tcp
N/A 127.0.0.1:58494 tcp
N/A 127.0.0.1:58496 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
N/A 127.0.0.1:58513 tcp
N/A 127.0.0.1:58515 tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58520 tcp
N/A 127.0.0.1:58522 tcp
N/A 127.0.0.1:58525 tcp
N/A 127.0.0.1:58527 tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58531 tcp
N/A 127.0.0.1:58533 tcp
N/A 127.0.0.1:58536 tcp
N/A 127.0.0.1:58538 tcp
N/A 127.0.0.1:58542 tcp
N/A 127.0.0.1:58544 tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58547 tcp
N/A 127.0.0.1:58549 tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58553 tcp
N/A 127.0.0.1:58555 tcp
N/A 127.0.0.1:58558 tcp
N/A 127.0.0.1:58560 tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58563 tcp
N/A 127.0.0.1:58565 tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58568 tcp
N/A 127.0.0.1:58570 tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58573 tcp
N/A 127.0.0.1:58575 tcp
N/A 127.0.0.1:58578 tcp
N/A 127.0.0.1:58580 tcp
N/A 127.0.0.1:58583 tcp
N/A 127.0.0.1:58585 tcp
N/A 127.0.0.1:58588 tcp
N/A 127.0.0.1:58590 tcp
N/A 127.0.0.1:58593 tcp
N/A 127.0.0.1:58595 tcp
US 104.21.41.34:443 pvtauth.site tcp
N/A 127.0.0.1:58598 tcp
N/A 127.0.0.1:58600 tcp
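Most rows in the table above are not indicators: the 127.0.0.1 entries are local sockets, the in-addr.arpa queries are reverse lookups of addresses already seen, and the bing.net traffic is the Windows image talking to Microsoft on its own (the same destinations appear in behavioral1, where the sample never ran). What remains is pvtauth.site on 104.21.41.34:443 and efsanetakipci.com on 45.84.189.227:443, which matches the "title EfsaneTakipci.com" in the process list. 104.21.41.34 falls inside Cloudflare's 104.16.0.0/13 proxy range, so it identifies a CDN edge rather than the origin server; hunt and block on the hostname. The report does not say which of these flows delivered the DLLs listed under Files. The Python below is an added example, not part of the report: it parses a subset of the rows above in the report's own layout (embedded here as constructed input) and returns the queried domains and the ranked external flows after the noise filters.

```python
import ipaddress
from collections import Counter

# Rows copied from the behavioral2 Network table above (a representative
# subset), in the report's own "Country Destination [Domain] Proto" layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 pvtauth.site udp
N/A 127.0.0.1:58422 tcp
N/A 127.0.0.1:58424 tcp
US 104.21.41.34:443 pvtauth.site tcp
US 8.8.8.8:53 34.41.21.104.in-addr.arpa udp
US 8.8.8.8:53 efsanetakipci.com udp
TR 45.84.189.227:443 efsanetakipci.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 104.21.41.34:443 pvtauth.site tcp
"""

# Destinations the Windows image contacts on its own; extend per sandbox build.
PLATFORM_NOISE = ("bing.com", "bing.net", "microsoft.com", "windows.com",
                  "windowsupdate.com", "msftconnecttest.com")
# Cloudflare's proxy range: a hit here identifies the CDN edge, not the origin.
CLOUDFLARE_NET = ipaddress.ip_network("104.16.0.0/13")


def parse_row(line: str):
    """Split one table row; rows without a Domain column have three fields."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        return None
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": host, "port": int(port), "domain": domain, "proto": proto}


def is_platform_noise(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_NOISE)


def extract_iocs(table: str) -> dict:
    domains, flows = set(), Counter()
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if ipaddress.ip_address(row["ip"]).is_loopback:
            continue  # local sockets between the sample's own components
        if row["domain"].endswith(".in-addr.arpa"):
            continue  # reverse lookups of addresses already seen: resolver noise
        if is_platform_noise(row["domain"]):
            continue
        if row["port"] == 53 and row["proto"] == "udp":
            domains.add(row["domain"])  # DNS query: keep the name, not the resolver
            continue
        flows[(row["domain"], row["ip"], row["port"], row["proto"])] += 1
    ranked = [
        {"domain": d, "ip": ip, "port": port, "proto": proto, "connections": n,
         "cdn_fronted": ipaddress.ip_address(ip) in CLOUDFLARE_NET}
        for (d, ip, port, proto), n in sorted(flows.items(), key=lambda kv: -kv[1])
    ]
    return {"domains": sorted(domains), "flows": ranked}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_ROWS)
    print("queried:", result["domains"])
    for flow in result["flows"]:
        print(flow)
```

The same function runs unchanged over the full table if it is pasted in; the noise list is the part that needs tuning for a different sandbox image.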

Files

C:\Users\Admin\AppData\Local\Temp\Helper.dll

MD5 de6e61eb81a84df1d6c2b56b920c3c23
SHA1 efaca46958ffaeb70c4b62f5d096519b0b7e6035
SHA256 46b79d79a77a4e390383231c8761b7fd031965aed7e9db7fa9944f3011676bbd
SHA512 2237ef1cd9bf21c9efd5ab64c1638ea28c3302735dbd1dc5e7a2f4f156adb02947649c4ef29b0ac8436e6a1998e756912a1d8ae4530a40c5e5a7823a7506ede4

C:\Users\Admin\AppData\Local\Temp\Mapper.dll

MD5 eef2e264d11153b7f999f0f1e311b786
SHA1 0a2191637a69f0938f5475c0d09e37d6abbb0270
SHA256 bda73870dda2ab199fd0928853617f9aefa82abe9b51137d2ea14b0117d909ba
SHA512 1194f95ceba56e819655c7398771134ece6275ffc22cfc95659c1fbb86a0c36c8e05f4c8f1821c0cbda377c968f534d5b1fcf2c74d643d92e139d21aecc5c59c

C:\Users\Admin\AppData\Local\Temp\module.dll

MD5 dcc3a12c1daea2fff2bd699cba54e5ad
SHA1 af52ae76eb460027768d8c9cef7afac6e31e5d02
SHA256 983369074900218fee0bda623bc3eb69c4007b0b5775f4e403fc9880be32fe1d
SHA512 13852e7ffd731eaa6b7fa25e4721342701898b82f68efd058f79d12cf5c244ce8c2d10b1d54b7559b6b19a82943eeb28f1b28a3f7a1f32fb794156228da73dec