Malware Analysis Report

2024-11-13 16:48

Sample ID: 200916-h2x1v2xdss
Target: dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597
SHA256: dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597
Tags: buer loader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597
Threat Level: Known bad

The file dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597 was found to be: Known bad.

Malicious Activity Summary

buer loader
Buer
Buer Loader
Drops startup file
Enumerates connected drives
Suspicious use of SetThreadContext
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-09-16 16:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-09-16 16:43
Reported: 2020-09-16 16:45
Platform: win7
Max time kernel: 4s
Max time network: 9s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe"

Signatures

Buer
loader buer

Buer Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1588 set thread context of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1588 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1588 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1588 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1588 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1588 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1588 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1588 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1588 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe
    "C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

N/A

Files

memory/1588-0-0x0000000073AF0000-0x00000000741DE000-memory.dmp
memory/1588-1-0x0000000000370000-0x0000000000371000-memory.dmp
memory/1588-3-0x0000000000960000-0x0000000000971000-memory.dmp
memory/1640-5-0x0000000040000000-0x000000004000C000-memory.dmp
memory/1640-6-0x0000000040002E38-mapping.dmp
memory/1640-7-0x0000000040000000-0x000000004000C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2020-09-16 16:43
Reported: 2020-09-16 16:45
Platform: win10v200722
Max time kernel: 119s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe"

Signatures

Buer
loader buer

Buer Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3956 set thread context of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe
    "C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\322b286117c0dcd2bde0}"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | kackdelar.top | udp
N/A | 8.8.8.8:53 | kackdelar.top | udp
N/A | 8.8.8.8:53 | kackdelar.top | udp

Files

memory/3956-0-0x0000000073490000-0x0000000073B7E000-memory.dmp
memory/3956-1-0x0000000000F60000-0x0000000000F61000-memory.dmp
memory/3956-3-0x0000000005790000-0x0000000005791000-memory.dmp
memory/3956-4-0x0000000006080000-0x0000000006091000-memory.dmp
memory/2056-6-0x0000000040000000-0x000000004000C000-memory.dmp
memory/2056-7-0x0000000040002E38-mapping.dmp
memory/2056-8-0x0000000040000000-0x000000004000C000-memory.dmp
memory/4020-9-0x0000000000000000-mapping.dmp
memory/4020-10-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/4020-11-0x0000000004470000-0x0000000004471000-memory.dmp
memory/4020-12-0x0000000006C90000-0x0000000006C91000-memory.dmp
memory/4020-13-0x0000000006B60000-0x0000000006B61000-memory.dmp
memory/4020-14-0x0000000006C00000-0x0000000006C01000-memory.dmp
memory/4020-15-0x0000000007510000-0x0000000007511000-memory.dmp
memory/4020-16-0x0000000007580000-0x0000000007581000-memory.dmp
memory/4020-17-0x0000000007340000-0x0000000007341000-memory.dmp
memory/4020-18-0x0000000007C90000-0x0000000007C91000-memory.dmp
memory/4020-19-0x0000000007CE0000-0x0000000007CE1000-memory.dmp
memory/4020-21-0x00000000089A0000-0x00000000089D3000-memory.dmp
memory/4020-28-0x0000000008980000-0x0000000008981000-memory.dmp
memory/4020-29-0x0000000008A00000-0x0000000008A01000-memory.dmp
memory/4020-30-0x0000000008ED0000-0x0000000008ED1000-memory.dmp
memory/4020-31-0x0000000008E70000-0x0000000008E71000-memory.dmp
memory/4020-33-0x0000000008E60000-0x0000000008E61000-memory.dmp