Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-t6wypsfd77
Target Win7Recovery.zip
SHA256 dfbbc4d8e684ccbb14739ab8e6ddc8dde751dc8ce55fd50717d4c0e7353402c4
Tags

evasion persistence upx

Score

8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

8/10

SHA256

dfbbc4d8e684ccbb14739ab8e6ddc8dde751dc8ce55fd50717d4c0e7353402c4

Threat Level: Likely malicious

The file Win7Recovery.zip was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence upx

Disables Task Manager via registry modification

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:40

Reported

2024-03-02 16:41

Platform

win7-20240221-en

Max time kernel

18s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\WbVhxCIDDK = "C:\\ProgramData\\WbVhxCIDDK.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Download C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A
N/A N/A C:\ProgramData\WbVhxCIDDK.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\ProgramData\WbVhxCIDDK.exe

"C:\ProgramData\WbVhxCIDDK.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 searchalice.org udp
US 8.8.8.8:53 clickbatonrouge.org udp
US 8.8.8.8:53 searchatlantic.org udp
US 8.8.8.8:53 searchbeen.org udp
US 8.8.8.8:53 searchant.org udp
US 8.8.8.8:53 clickfer.org udp
US 3.33.130.190:80 clickfer.org tcp
US 3.33.130.190:443 clickfer.org tcp
US 3.33.130.190:443 clickfer.org tcp
US 8.8.8.8:53 searchbowl.org udp

Files

memory/2164-0-0x0000000000600000-0x0000000000678000-memory.dmp

memory/2164-1-0x00000000002D0000-0x000000000032D000-memory.dmp

memory/2164-3-0x0000000000600000-0x0000000000678000-memory.dmp

\ProgramData\WbVhxCIDDK.exe

MD5 ab65e866abc51f841465d19aba35fb14
SHA1 ec79f1f511a199291b0893bc866a788ceac19f6e
SHA256 2ac0ca4ffda10b1861dd4ae0c2f0131a6400214cb4f5fa33951f3062b784a755
SHA512 2474905f174635b236e5f6e8f8c497e44435c94edd02ec47d3440c9a216f6840d040e6acc5fe2ec301ada80467f6cf55225d6361c1e7c6c6c7edccb9e7b5a35e

memory/2032-13-0x00000000002B0000-0x000000000030D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar500B.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/2164-133-0x00000000002D0000-0x000000000032D000-memory.dmp