36ae2a8411acf47d4b9ced09041c12145e34be1bad6950743498513d7d523560

Analysis

max time kernel
154s
max time network
123s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230831-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230831-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
14/10/2023, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mcut-wd.exe
Size

969KB
MD5

cae869d97dd4c752e32ad43407463b3d
SHA1

90ca39573866db1c713d3f816d3020505bfe120e
SHA256

36ae2a8411acf47d4b9ced09041c12145e34be1bad6950743498513d7d523560
SHA512

1542390f0e0f09b6795ab6f47b7be08361f984adbf15742d591ca047144a0844de56a3393f21a855a266b0e2e263f6407a37b052bf90778830923018b26ef493
SSDEEP

24576:xT+B1w5g5TIeTAPUf5s6EPn4rXC1WQbUcHxciz80x5Xvqv:Pq9xAMynEy1WSXSi7vM

Score

7^/10

antivm

Malware Config

Signatures

Changes its process name 32 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	tkLicOnline	597	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcut-devices2	624	Process not Found
Changes the process name, possibly in an attempt to hide itself	cevents	625	Process not Found
Changes the process name, possibly in an attempt to hide itself	pevents	626	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcutcs	627	Process not Found
Changes the process name, possibly in an attempt to hide itself	afcgi	628	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcutmonitor	629	Process not Found
Changes the process name, possibly in an attempt to hide itself	cevtcloud	630	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcutmess	631	Process not Found
Changes the process name, possibly in an attempt to hide itself	cmedia	632	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcut-cmedia-cs	633	Process not Found
Changes the process name, possibly in an attempt to hide itself	CMEDIACS	633	Process not Found
Changes the process name, possibly in an attempt to hide itself	cmedia2	634	Process not Found
Changes the process name, possibly in an attempt to hide itself	cserver	635	Process not Found
Changes the process name, possibly in an attempt to hide itself	aserver	636	Process not Found
Changes the process name, possibly in an attempt to hide itself	amessenger	637	Process not Found
Changes the process name, possibly in an attempt to hide itself	php	639	Process not Found
Changes the process name, possibly in an attempt to hide itself	nginx	638	Process not Found
Changes the process name, possibly in an attempt to hide itself	hwbridge	654	Process not Found
Changes the process name, possibly in an attempt to hide itself	cvideo	655	Process not Found
Changes the process name, possibly in an attempt to hide itself	cvideolpr	656	Process not Found
Changes the process name, possibly in an attempt to hide itself	OpenVpnS	657	Process not Found
Changes the process name, possibly in an attempt to hide itself	minternet	658	Process not Found
Changes the process name, possibly in an attempt to hide itself	mnetwork	593	mcut-wd.exe
Changes the process name, possibly in an attempt to hide itself	Asterisk	660	Process not Found
Changes the process name, possibly in an attempt to hide itself	vpn	662	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcut-mobiup	663	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcut-devices	664	Process not Found
Changes the process name, possibly in an attempt to hide itself	mobi-track-email.exe	668	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcuwppctw	667	Process not Found
Changes the process name, possibly in an attempt to hide itself	mobitelegram	666	Process not Found
Changes the process name, possibly in an attempt to hide itself	mcut-wpp	665	Process not Found

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	mcut-wd.exe

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/class/sunxi_info/sys_info	mcut-wd.exe

Reads runtime system information 39 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/self/exe	mcut-wd.exe
File opened for reading	/proc/version	mcut-wd.exe
File opened for reading	/proc/self/mountinfo	df
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	mcut-wd.exe
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl

/tmp/mcut-wd.exe
/tmp/mcut-wd.exe
1⤵
- Changes its process name
- Checks CPU configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:593
- /bin/sh
  sh -c "mkdir -p /var/mcut/.data//acesso//tmp/"
  2⤵
  PID:594
- - /bin/mkdir
    mkdir -p /var/mcut/.data//acesso//tmp/
    3⤵
    - Reads runtime system information
    PID:595
- /bin/sh
  sh -c "systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target > /dev/null 2>&1"
  2⤵
  PID:607
- - /bin/systemctl
    systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
    3⤵
    - Reads runtime system information
    PID:608

/bin/sh
sh -c "df -h"
1⤵
PID:598
- /bin/df
  df -h
  2⤵
  - Reads runtime system information
  PID:599

/bin/sh
sh -c "ls -lh /dev/disk/by-uuid/"
1⤵
PID:600
- /bin/ls
  ls -lh /dev/disk/by-uuid/
  2⤵
  - Reads runtime system information
  PID:601

/bin/sh
sh -c "mkdir -p /var/mcut/.data//tmp/temp"
1⤵
PID:640
- /bin/mkdir
  mkdir -p /var/mcut/.data//tmp/temp
  2⤵
  - Reads runtime system information
  PID:641

/bin/sh
sh -c "mkdir -p /var/mcut/.data//tmp/logs"
1⤵
PID:642
- /bin/mkdir
  mkdir -p /var/mcut/.data//tmp/logs
  2⤵
  - Reads runtime system information
  PID:643

/bin/sh
sh -c "systemctl stop nginx > /dev/null 2>&1"
1⤵
PID:644
- /bin/systemctl
  systemctl stop nginx
  2⤵
  - Reads runtime system information
  PID:645

/bin/sh
sh -c "systemctl disable nginx > /dev/null 2>&1"
1⤵
PID:646
- /bin/systemctl
  systemctl disable nginx
  2⤵
  - Reads runtime system information
  PID:647

/bin/sh
sh -c "systemctl stop mcut-nginx > /dev/null 2>&1"
1⤵
PID:648
- /bin/systemctl
  systemctl stop mcut-nginx
  2⤵
  - Reads runtime system information
  PID:649

/bin/sh
sh -c "systemctl disable mcut-nginx > /dev/null 2>&1"
1⤵
PID:650
- /bin/systemctl
  systemctl disable mcut-nginx
  2⤵
  - Reads runtime system information
  PID:651

/bin/sh
sh -c "mkdir -p /var/log/nginx/ > /dev/null 2>&1"
1⤵
PID:652
- /bin/mkdir
  mkdir -p /var/log/nginx/
  2⤵
  - Reads runtime system information
  PID:653

/bin/sh
sh -c "touch /opt/McuTecnologia/app/asterisk/var/log/asterisk/messages"
1⤵
PID:787
- /usr/bin/touch
  touch /opt/McuTecnologia/app/asterisk/var/log/asterisk/messages
  2⤵
  PID:788

/bin/sh
sh -c "touch /var/mcut/log/asterisk/var/log/asterisk/messages"
1⤵
PID:789
- /usr/bin/touch
  touch /var/mcut/log/asterisk/var/log/asterisk/messages
  2⤵
  PID:790

/bin/sh
sh -c "touch /var/mcut/log/mcut-php7.4-fpm.log"
1⤵
PID:791
- /usr/bin/touch
  touch /var/mcut/log/mcut-php7.4-fpm.log
  2⤵
  PID:792

/bin/sh
sh -c "touch /var/mcut/log/nginx/access.log"
1⤵
PID:793
- /usr/bin/touch
  touch /var/mcut/log/nginx/access.log
  2⤵
  PID:794

/bin/sh
sh -c "touch /var/mcut/log/nginx/error.log"
1⤵
PID:795
- /usr/bin/touch
  touch /var/mcut/log/nginx/error.log
  2⤵
  PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mcut/.data/.license/DINFO2-mcut-wd.MCU.tmp.writing

Filesize
1KB

MD5
2906435f712aa2be23fba7dd5ec06beb

SHA1
477da650f98b017e65ffc63c2017cc53ab3ff113

SHA256
b2988f9e0e151492c69a8dbb246a399fe3332fc49a6915eb278e6985620fea05

SHA512
02cd022f3c74f65bc02b97e13d0d82ce2a1227d3cafd188f4d02ba863b73f395094c3debe7d51c575259e5c4458ec308c18c6495c25039897d09135b6675c3da

Download Submit
/var/mcut/.data/.license/licinfo.MCU.tmp.writing

Filesize
79B

MD5
2ac690c9f2d8de9fc02aa4d6a020a151

SHA1
0fddad62601c3130d9273d1311bd7954ac70bd5a

SHA256
8a58b3224aa9bd21c075c262b05ec211fcffda51412710025092366e629dcba5

SHA512
1c42eeed06d765cd670277b217f68bef1b023dd4fbab08ecd25a2677b0201a0b041b8b0d242699d8eac66b8932931ee9af7509f1eff93934be5fa546efc5673b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads