Malware Analysis Report

2025-01-03 05:03

Sample ID 230727-jmm7cabe98
Target Vuodneyx.exe
SHA256 cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de
Tags
bitrat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de

Threat Level: Known bad

The file Vuodneyx.exe was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-27 07:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-27 07:47
Reported: 2023-07-27 07:50
Platform: win7-20230712-en
Max time kernel: 154s
Max time network: 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe"

Signatures

BitRAT

trojan bitrat

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskeng.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1948 set thread context of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2032 wrote to memory of 1976 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1976 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 1976 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 1948 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe
PID 2136 wrote to memory of 1948 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe
PID 2136 wrote to memory of 1948 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe
PID 1948 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
PID 1948 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
PID 1948 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
PID 1948 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
PID 1948 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
PID 1948 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
PID 1948 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
PID 1748 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe
PID 1748 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe
PID 1748 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe
PID 1748 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe | C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe

"C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {15DB1C15-7A86-4FA8-8B11-1F970FD23B22} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:S4U:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==

C:\Windows\system32\taskeng.exe

taskeng.exe {F9AC0FCB-5BFD-4814-AB3F-A9116DE7AF62} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe

C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe

C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe

"C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe"

Network

Country | Destination | Domain | Proto
NL | 208.67.104.96:39001 | | tcp
NL | 208.67.104.96:80 | 208.67.104.96 | tcp
NL | 208.67.104.96:1234 | | tcp

Files

memory/2804-54-0x000000013F700000-0x000000013F7AA000-memory.dmp

memory/2804-55-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

memory/2804-56-0x000000001B900000-0x000000001B980000-memory.dmp

memory/2804-57-0x000000001B7C0000-0x000000001B8D0000-memory.dmp

memory/2804-58-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-59-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-61-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-63-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-65-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-67-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-69-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-73-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-71-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-77-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-79-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-75-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-81-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-83-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-85-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-87-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-89-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-91-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-93-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-95-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-97-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-99-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-101-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-103-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-105-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-107-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-109-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-111-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-113-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-115-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-117-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-121-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-119-0x000000001B7C0000-0x000000001B8CC000-memory.dmp

memory/2804-1112-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

memory/2804-1216-0x000000001B900000-0x000000001B980000-memory.dmp

memory/2804-2968-0x000000001AAF0000-0x000000001AB46000-memory.dmp

memory/2804-2969-0x0000000002320000-0x000000000236C000-memory.dmp

memory/2804-2970-0x000000001AF80000-0x000000001AFD4000-memory.dmp

memory/2804-2972-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

memory/1976-2977-0x0000000019E20000-0x000000001A102000-memory.dmp

memory/1976-2978-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

memory/1976-2979-0x0000000001490000-0x0000000001510000-memory.dmp

memory/1976-2980-0x0000000001490000-0x0000000001510000-memory.dmp

memory/1976-2981-0x0000000001490000-0x0000000001510000-memory.dmp

memory/1976-2983-0x0000000000E50000-0x0000000000E58000-memory.dmp

memory/1976-2982-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

memory/1976-2984-0x0000000001490000-0x0000000001510000-memory.dmp

memory/1976-2985-0x000007FEF54E0000-0x000007FEF5E7D000-memory.dmp

C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe

MD5 f07259a0cd92a6c0640ff1acd0d1a54d
SHA1 270cc877c9b6571ec2b5c593dfba4f8ea4c5c966
SHA256 cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de
SHA512 6d134f7121ebc3b4a53164c1be21b5428dad5c3dd24336398a9e07c933ca42387f498e93beeb61c9274683e497a781839a5b97404f14c3cfe1363e09b1116f28

\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe

MD5 f07259a0cd92a6c0640ff1acd0d1a54d
SHA1 270cc877c9b6571ec2b5c593dfba4f8ea4c5c966
SHA256 cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de
SHA512 6d134f7121ebc3b4a53164c1be21b5428dad5c3dd24336398a9e07c933ca42387f498e93beeb61c9274683e497a781839a5b97404f14c3cfe1363e09b1116f28

C:\Users\Admin\AppData\Roaming\DayOfWeek\CanWrite.exe

MD5 f07259a0cd92a6c0640ff1acd0d1a54d
SHA1 270cc877c9b6571ec2b5c593dfba4f8ea4c5c966
SHA256 cfd11acb2343bcc79e51f5c9db8443e901894d7580b430aecf8338a71cf624de
SHA512 6d134f7121ebc3b4a53164c1be21b5428dad5c3dd24336398a9e07c933ca42387f498e93beeb61c9274683e497a781839a5b97404f14c3cfe1363e09b1116f28

memory/1948-2990-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

memory/1948-2991-0x000000013FF80000-0x000000014002A000-memory.dmp

memory/1948-2997-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1948-4453-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

memory/1948-4753-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1948-5903-0x0000000000830000-0x0000000000884000-memory.dmp

memory/1948-5904-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1948-5913-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1948-5916-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

memory/1748-5917-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

memory/1748-5918-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1748-5919-0x0000000000140000-0x00000000001C0000-memory.dmp

memory/1748-7115-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

memory/1748-7178-0x0000000000140000-0x00000000001C0000-memory.dmp

memory/1748-8830-0x0000000000140000-0x00000000001C0000-memory.dmp

memory/1748-8831-0x0000000000140000-0x00000000001C0000-memory.dmp

memory/1748-8832-0x0000000000140000-0x00000000001C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe

MD5 441dedecb2564b6df1ad2942958636c4
SHA1 33c91b6ebe8578d28ead35ff25d928285eeabd2f
SHA256 91e3e2bf786f5f441fc7461e98a55de547152edab9c95d38e230ac32c64e7a16
SHA512 3daa070ca3be0edacc3927413ae05d390b8e1f78d0a6aedacf169eacbc794f342fa1ec2dfca10bd4ee2c273ac99cfae8d515d1e1eabea48a2beed4218115da22

C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe

MD5 441dedecb2564b6df1ad2942958636c4
SHA1 33c91b6ebe8578d28ead35ff25d928285eeabd2f
SHA256 91e3e2bf786f5f441fc7461e98a55de547152edab9c95d38e230ac32c64e7a16
SHA512 3daa070ca3be0edacc3927413ae05d390b8e1f78d0a6aedacf169eacbc794f342fa1ec2dfca10bd4ee2c273ac99cfae8d515d1e1eabea48a2beed4218115da22

memory/1748-8840-0x0000000000140000-0x00000000001C0000-memory.dmp

memory/1748-8841-0x0000000000140000-0x00000000001C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nydaqqnx.exe

MD5 441dedecb2564b6df1ad2942958636c4
SHA1 33c91b6ebe8578d28ead35ff25d928285eeabd2f
SHA256 91e3e2bf786f5f441fc7461e98a55de547152edab9c95d38e230ac32c64e7a16
SHA512 3daa070ca3be0edacc3927413ae05d390b8e1f78d0a6aedacf169eacbc794f342fa1ec2dfca10bd4ee2c273ac99cfae8d515d1e1eabea48a2beed4218115da22

memory/2696-8843-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/2696-8844-0x00000000003F0000-0x00000000003FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-27 07:47
Reported: 2023-07-27 07:49
Platform: win10v2004-20230703-en
Max time kernel: 33s
Max time network: 84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe

"C:\Users\Admin\AppData\Local\Temp\Vuodneyx.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.240.110.104.in-addr.arpa | udp

Files

memory/2432-133-0x000001EEF7A80000-0x000001EEF7B2A000-memory.dmp

memory/2432-134-0x00007FFE8AFF0000-0x00007FFE8BAB1000-memory.dmp

memory/2432-135-0x000001EEF9720000-0x000001EEF9730000-memory.dmp

memory/2432-136-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-137-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-139-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-141-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-143-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-145-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-147-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-149-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-151-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-153-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-155-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-157-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-159-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-161-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-163-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-165-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-167-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-169-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-171-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-173-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-175-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-177-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-179-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-181-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-183-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-185-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-187-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-189-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-191-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-193-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-195-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-197-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-199-0x000001EEFA030000-0x000001EEFA13C000-memory.dmp

memory/2432-735-0x00007FFE8AFF0000-0x00007FFE8BAB1000-memory.dmp

memory/2432-919-0x000001EEF9720000-0x000001EEF9730000-memory.dmp

memory/2432-3048-0x00007FFE8AFF0000-0x00007FFE8BAB1000-memory.dmp