c86b6c2324ca6a47719d06771e43902c85d4a61e071742f7581fcd18b8a43266

Analysis

max time kernel
153s
max time network
144s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230621-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230621-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/07/2023, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mcut-wd.exe
Size

953KB
MD5

11459442ee471c622fedb7af17260b1c
SHA1

8f3af75d80e9880c69dfa3e76e70f7cdb1f352b0
SHA256

c86b6c2324ca6a47719d06771e43902c85d4a61e071742f7581fcd18b8a43266
SHA512

d25fdebcfb1f5ba18a4fed2d3a3540a778ea659c71ae5b1f5fc254658a3782e37f19f45304a1a13ef879657d6ec9d5581c2ef74b3678210295811dd4b28346af
SSDEEP

24576:TMl7rjelWyJjFIbaOFyFzz9Da224r08qo7hz:GziFI3FyxzQ2vr08Fhz

Score

7^/10

antivm

Malware Config

Signatures

Changes its process name 31 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	tkLicOnline	602	df
Changes the process name, possibly in an attempt to hide itself	mcut-devices2	743	sh
Changes the process name, possibly in an attempt to hide itself	cevents	744	mkdir
Changes the process name, possibly in an attempt to hide itself	pevents	745	sh
Changes the process name, possibly in an attempt to hide itself	mcutcs	746	systemctl
Changes the process name, possibly in an attempt to hide itself	afcgi	747	sh
Changes the process name, possibly in an attempt to hide itself	mcutmonitor	748	systemctl
Changes the process name, possibly in an attempt to hide itself	cevtcloud	749	sh
Changes the process name, possibly in an attempt to hide itself	mcutmess	750	systemctl
Changes the process name, possibly in an attempt to hide itself	cmedia	751	sh
Changes the process name, possibly in an attempt to hide itself	mcut-cmedia-cs	752	systemctl
Changes the process name, possibly in an attempt to hide itself	CMEDIACS	752	systemctl
Changes the process name, possibly in an attempt to hide itself	cmedia2	753	sh
Changes the process name, possibly in an attempt to hide itself	cserver	754	mkdir
Changes the process name, possibly in an attempt to hide itself	aserver	755	Process not Found
Changes the process name, possibly in an attempt to hide itself	amessenger	756	Process not Found
Changes the process name, possibly in an attempt to hide itself	php	758	Process not Found
Changes the process name, possibly in an attempt to hide itself	nginx	757	Process not Found
Changes the process name, possibly in an attempt to hide itself	hwbridge	773	Process not Found
Changes the process name, possibly in an attempt to hide itself	cvideo	774	Process not Found
Changes the process name, possibly in an attempt to hide itself	cvideolpr	775	Process not Found
Changes the process name, possibly in an attempt to hide itself	OpenVpnS	776	Process not Found
Changes the process name, possibly in an attempt to hide itself	minternet	777	Process not Found
Changes the process name, possibly in an attempt to hide itself	mnetwork	598	mcut-wd.exe
Changes the process name, possibly in an attempt to hide itself	Asterisk	779	Process not Found
Changes the process name, possibly in an attempt to hide itself	vpn	781	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcut-mobiup	782	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcut-devices	783	Process not Found
Changes the process name, possibly in an attempt to hide itself	mobitelegram	785	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcuwppctw	786	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcut-wpp	784	Process not Found

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	mcut-wd.exe

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/class/sunxi_info/sys_info	mcut-wd.exe

Reads runtime system information 39 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/cmdline	mcut-wd.exe
File opened for reading	/proc/self/mountinfo	df
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/version	mcut-wd.exe
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/exe	mcut-wd.exe
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/self/stat	systemctl

/tmp/mcut-wd.exe
/tmp/mcut-wd.exe
1⤵
- Changes its process name
- Checks CPU configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:598
- /bin/sh
  sh -c "mkdir -p /var/mcut/.data//acesso//tmp/"
  2⤵
  PID:599
- - /bin/mkdir
    mkdir -p /var/mcut/.data//acesso//tmp/
    3⤵
    - Reads runtime system information
    PID:600
- /bin/sh
  sh -c "systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target"
  2⤵
  PID:726
- - /bin/systemctl
    systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
    3⤵
    - Reads runtime system information
    PID:727

/bin/sh
sh -c "df -h"
1⤵
PID:603
- /bin/df
  df -h
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:604

/bin/sh
sh -c "ls -lh /dev/disk/by-uuid/"
1⤵
PID:605
- /bin/ls
  ls -lh /dev/disk/by-uuid/
  2⤵
  - Reads runtime system information
  PID:606

/bin/sh
sh -c "mkdir -p /var/mcut/.data//tmp/temp"
1⤵
PID:759
- /bin/mkdir
  mkdir -p /var/mcut/.data//tmp/temp
  2⤵
  - Reads runtime system information
  PID:760

/bin/sh
sh -c "mkdir -p /var/mcut/.data//tmp/logs"
1⤵
- Changes its process name
PID:761
- /bin/mkdir
  mkdir -p /var/mcut/.data//tmp/logs
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:762

/bin/sh
sh -c "systemctl stop nginx"
1⤵
- Changes its process name
PID:763
- /bin/systemctl
  systemctl stop nginx
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:764

/bin/sh
sh -c "systemctl disable nginx"
1⤵
- Changes its process name
PID:765
- /bin/systemctl
  systemctl disable nginx
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:766

/bin/sh
sh -c "systemctl stop mcut-nginx"
1⤵
- Changes its process name
PID:767
- /bin/systemctl
  systemctl stop mcut-nginx
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:768

/bin/sh
sh -c "systemctl disable mcut-nginx"
1⤵
- Changes its process name
PID:769
- /bin/systemctl
  systemctl disable mcut-nginx
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:770

/bin/sh
sh -c "mkdir -p /var/log/nginx/"
1⤵
- Changes its process name
PID:771
- /bin/mkdir
  mkdir -p /var/log/nginx/
  2⤵
  - Changes its process name
  - Reads runtime system information
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mcut/.data/.license/DINFO2-mcut-wd.MCU

Filesize
1KB

MD5
c084c3c56a67e4fd58284bfb5a8893cc

SHA1
512d87e0dd47b5faab68c7081718fba2a5f6084e

SHA256
f707f194343ef8152dd9a65932a404f2e1c3dc61161a2c8f30d54a06c15c6936

SHA512
dac23fb5317ee4abff2441602ed6a99eea11802698e9e2c0b2ec1855cb9301ec4f3c3ce8ba09ee78461a0fbbda517208341563d7a87ecf5a06c4b46c151f4087

Download Submit
/var/mcut/.data/.license/licinfo.MCU

Filesize
79B

MD5
e06b7b5f4ee0e5c129bfc59e6cad69f5

SHA1
06f7938f37946b172ad244d7c503b13c2fce3c79

SHA256
527047e9413f6e32d40e7380383cc521b559c27ca2b1570aa634da109eebdb02

SHA512
76d92a34cdbf9a36c123649d0ce8d958cbc49e27d226d67f4833006c7ad37e674b244faf821c0f1370081800ff7897f67660afb55445a8bd072243eaf515bb70

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads