Malware Analysis Report

2024-11-15 06:31

Sample ID 201214-v31ghkkbge
Target 1dfda4abbd51e74613b3ba1677af903e
SHA256 e5b6669d36d5bc85497f953c51aac4dfe9d7b5ce1dd9b43e6c26d345eba35948
Tags: bootkit evasion persistence trojan echelon discovery spyware stealer keylogger agenttesla
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file 1dfda4abbd51e74613b3ba1677af903e was found to be: Known bad.

Malicious Activity Summary

Echelon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Reads user/profile data of web browsers

Identifies Wine through registry keys

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-03-05 09:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-12-14 13:49

Reported

2020-12-14 13:52

Platform

win7v20201028

Max time kernel

13s

Max time network

15s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe

"C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1912

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.220.115:443 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2020-12-14 13:49

Reported

2020-12-14 13:52

Platform

win10v20201028

Max time kernel

23s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe"

Signatures

Echelon

stealer spyware echelon

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Reads user/profile data of web browsers

spyware

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe

"C:\Users\Admin\AppData\Local\Temp\1dfda4abbd51e74613b3ba1677af903e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 3288

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 23.21.42.25:443 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | ip-api.com | udp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp
N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp

Files
