Malware Analysis Report

2025-03-14 22:30

Sample ID 240304-rcscbabh6y
Target b24fa78084497f1d9208787d96f9b6ea
SHA256 9c827fd486fcee65b93a58241b455a89be45b56046d3b78e695f4d6cd1b29e2c
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c827fd486fcee65b93a58241b455a89be45b56046d3b78e695f4d6cd1b29e2c

Threat Level: Known bad

The file b24fa78084497f1d9208787d96f9b6ea was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 14:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 14:03

Reported

2024-03-04 14:05

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vmutgpyw.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vmutgpyw.nls C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
File created C:\Windows\SysWOW64\vmutgpyw.tmp C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
File opened for modification C:\Windows\SysWOW64\vmutgpyw.tmp C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\vmutgpyw.dll" C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe

"C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\96E3.tmp.bat

Network

N/A

Files

C:\Windows\SysWOW64\vmutgpyw.tmp

MD5 b5b9b49c77d4582f4d6329634a214406
SHA1 74393ae410e0eec2de220e3b2a2522844549466f
SHA256 9935a45f977fdfdd9f0fe641420ff550d302ee62981b430bcb248038f826e3a3
SHA512 b47b5a8d19011d0538304b184e76feb9e6d0a4ddf6aacf38e626b73dd283ad054602a86121dd29e1828918b802ab0b05383d5b469a8b85d7635bf4b83c7a1bb2

C:\Windows\SysWOW64\vmutgpyw.nls

MD5 76a3016d1defcd1798f893e3859616dd
SHA1 5a8f2f3c94f8aec0dd573e54083a6c6d3b09d047
SHA256 f9a7e55649b01160bea0a1daf490dd85e5d25e8ff038434d381b2053fab40b74
SHA512 812649bf9278a938c2d87d3b9f0ed1c5177a4f9464750ee22f178399d948d45c9dff1e28db3eb1edd0673b775fdf7246635f684332a413ef64e3d67a9295b977

memory/3008-16-0x0000000010000000-0x0000000010009000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96E3.tmp.bat

MD5 bc2c7a46b8faafa782a38495979dffc2
SHA1 a4f2c3a6b109ef2f174e59ec6286cc1044dac2a4
SHA256 07c5c747b0b199326070ab07d4c72977367dd7bb0588eca3dac145f2a96c8a9a
SHA512 025109f02c5705e96a19adff95c8cbce475a8b2c57806a1896d623fcbd5df5633b65320b23985063e2b59a9ab4cfb269bd46f98c6c45685e6eac6c23b3562065

memory/3008-25-0x0000000010000000-0x0000000010009000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 14:03

Reported

2024-03-04 14:05

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bzrljqjr.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bzrljqjr.tmp C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
File opened for modification C:\Windows\SysWOW64\bzrljqjr.tmp C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
File opened for modification C:\Windows\SysWOW64\bzrljqjr.nls C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\bzrljqjr.dll" C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe

"C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BAA5.tmp.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Note: every flow recorded in this run is DNS to 8.8.8.8 (one forward lookup for g.bing.com and a series of PTR lookups) plus a single TCP/443 connection to g.bing.com. The report attributes none of these flows to a process, and the Windows 7 run (behavioral1) recorded no network activity at all, so this traffic is consistent with Windows 10 background activity rather than command-and-control by the sample. Treat it as noise unless host telemetry ties it to the sample's process tree.

Files

C:\Windows\SysWOW64\bzrljqjr.tmp

MD5 7ec881dcfb336244abb3d5257be23959
SHA1 c86a7171239cc46e1054e8199f70777ff50b198f
SHA256 d22baaa57d5e54c02bd28a5269ee9815f7b8c7576d7851a4e40e06e7f878371e
SHA512 c047523ef8b4cae110b4e45231a7684f73e37b4e3e1c82534d5d341da15023053a8a3f6208c6a90262cd6dbd19aab577fd023306aa969700d466283b0cc767ba

C:\Windows\SysWOW64\bzrljqjr.nls

MD5 76a3016d1defcd1798f893e3859616dd
SHA1 5a8f2f3c94f8aec0dd573e54083a6c6d3b09d047
SHA256 f9a7e55649b01160bea0a1daf490dd85e5d25e8ff038434d381b2053fab40b74
SHA512 812649bf9278a938c2d87d3b9f0ed1c5177a4f9464750ee22f178399d948d45c9dff1e28db3eb1edd0673b775fdf7246635f684332a413ef64e3d67a9295b977

memory/904-17-0x0000000010000000-0x0000000010009000-memory.dmp

memory/904-21-0x0000000010000000-0x0000000010009000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BAA5.tmp.bat

MD5 bc2c7a46b8faafa782a38495979dffc2
SHA1 a4f2c3a6b109ef2f174e59ec6286cc1044dac2a4
SHA256 07c5c747b0b199326070ab07d4c72977367dd7bb0588eca3dac145f2a96c8a9a
SHA512 025109f02c5705e96a19adff95c8cbce475a8b2c57806a1896d623fcbd5df5633b65320b23985063e2b59a9ab4cfb269bd46f98c6c45685e6eac6c23b3562065
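Indicator comparison across the two detonations (added analyst example; the code below is not sandbox output and is not part of the original report). Both runs register the same CLSID, {A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}, as a ShellServiceObjectDelayLoad entry and in HKLM\SOFTWARE\Classes\CLSID, but the dropped basename (vmutgpyw on Windows 7, bzrljqjr on Windows 10) and the .tmp hash change per run, while the .nls and .bat hashes are identical. Two caveats a hunter needs: first, every path and key in the tables is the WOW64-redirected view (the "System32" signature fired on writes to SysWOW64, and the keys sit under Wow6432Node), so on 64-bit hosts the hunt must query the Wow6432Node keys and the SysWOW64 directory, and on 32-bit hosts the plain paths; second, the DLL that InProcServer32 points to (SysWow64\<name>.dll) was never captured as a dropped file, only the .tmp and .nls were, so the on-disk DLL name has to be taken from the SSODL value name at hunt time, not from a file hash. The script parses the report's "Set value" lines as printed, normalises the kernel-style key paths, checks that the SSODL entry, CLSID and InProcServer32 path form one chain, and splits the indicators into stable and per-run sets. All registry strings and hashes are copied verbatim from the tables above; the function names are my own.

```python
"""Cross-detonation indicator comparison (added example, not sandbox output).

Registry lines and hashes are copied verbatim from the behavioral1 (win7) and
behavioral2 (win10) sections of this report.
"""
import re

# 'Set value (str) <kernel key path>\<value name> = "<data>"' as the report prints it.
SET_VALUE_RE = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')
CLSID_INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$', re.IGNORECASE)
WOW64_NODE_RE = re.compile(r'\\Wow6432Node(?=\\|$)', re.IGNORECASE)
SSODL_SUFFIX = r'\microsoft\windows\currentversion\shellserviceobjectdelayload'

RUN1_REGISTRY = [  # behavioral1, win7-20240221-en
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vmutgpyw.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\vmutgpyw.dll"',
]
RUN1_FILES = {  # path -> SHA256
    r'C:\Windows\SysWOW64\vmutgpyw.tmp': '9935a45f977fdfdd9f0fe641420ff550d302ee62981b430bcb248038f826e3a3',
    r'C:\Windows\SysWOW64\vmutgpyw.nls': 'f9a7e55649b01160bea0a1daf490dd85e5d25e8ff038434d381b2053fab40b74',
    r'C:\Users\Admin\AppData\Local\Temp\96E3.tmp.bat': '07c5c747b0b199326070ab07d4c72977367dd7bb0588eca3dac145f2a96c8a9a',
}
RUN2_REGISTRY = [  # behavioral2, win10v2004-20240226-en
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bzrljqjr.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\bzrljqjr.dll"',
]
RUN2_FILES = {
    r'C:\Windows\SysWOW64\bzrljqjr.tmp': 'd22baaa57d5e54c02bd28a5269ee9815f7b8c7576d7851a4e40e06e7f878371e',
    r'C:\Windows\SysWOW64\bzrljqjr.nls': 'f9a7e55649b01160bea0a1daf490dd85e5d25e8ff038434d381b2053fab40b74',
    r'C:\Users\Admin\AppData\Local\Temp\BAA5.tmp.bat': '07c5c747b0b199326070ab07d4c72977367dd7bb0588eca3dac145f2a96c8a9a',
}


def normalise_key(key):
    """Map a kernel-style key to the HKLM/HKU path a 32-bit process sees.
    Returns (path without Wow6432Node, was_wow64_redirected)."""
    for prefix, hive in ((r'\REGISTRY\MACHINE', 'HKLM'), (r'\REGISTRY\USER', 'HKU')):
        if key.upper().startswith(prefix):
            key = hive + key[len(prefix):]
            break
    return WOW64_NODE_RE.sub('', key), WOW64_NODE_RE.search(key) is not None


def parse_registry(lines):
    """Pull the SSODL entry and the CLSID's in-process server DLL out of report lines."""
    found = {}
    for line in lines:
        m = SET_VALUE_RE.match(line)
        if not m:
            continue
        key, redirected = normalise_key(m['key'])
        data = m['data'].replace('\\\\', '\\')  # the report escapes backslashes in string data
        if key.lower().endswith(SSODL_SUFFIX):
            found.update(ssodl_value_name=m['name'], ssodl_clsid=data.upper(), wow64_view=redirected)
        elif (c := CLSID_INPROC_RE.search(key)) and m['name'] == '':  # default value = DLL path
            found.update(inproc_clsid=c.group(1).upper(), inproc_dll=data)
    return found


def chain_is_consistent(reg):
    """SSODL value -> CLSID -> InProcServer32 must end at the DLL named by the SSODL value."""
    dll = str(reg.get('inproc_dll', '')).lower()
    return reg.get('ssodl_clsid') == reg.get('inproc_clsid') and dll.endswith('\\' + str(reg.get('ssodl_value_name')).lower())


def indicator_profile(reg_lines, files):
    """Flat indicator set for one detonation; dropped files are keyed by extension
    because their basenames are randomised per run."""
    reg = parse_registry(reg_lines)
    if not chain_is_consistent(reg):
        raise ValueError('SSODL entry and CLSID registration do not line up')
    profile = {k: reg[k] for k in ('ssodl_clsid', 'ssodl_value_name', 'inproc_dll', 'wow64_view')}
    for path, sha256 in files.items():
        profile['sha256.' + path.rsplit('.', 1)[1].lower()] = sha256.lower()
    return profile


def compare_runs(a, b):
    """Indicators identical in both runs are hunt-worthy; differing ones are per-infection."""
    stable = {k: v for k, v in a.items() if b.get(k) == v}
    volatile = {k: (v, b.get(k)) for k, v in a.items() if b.get(k) != v}
    return stable, volatile


if __name__ == '__main__':
    stable, volatile = compare_runs(indicator_profile(RUN1_REGISTRY, RUN1_FILES),
                                    indicator_profile(RUN2_REGISTRY, RUN2_FILES))
    print('stable indicators (pivot on these):')
    for k, v in stable.items():
        print(f'  {k}: {v}')
    print('volatile indicators (randomised per run):')
    for k, (v1, v2) in volatile.items():
        print(f'  {k}: win7={v1} win10={v2}')
```

Run it directly to print both sets. The stable set is the CLSID, the .nls hash, the .bat hash and the fact that everything lands in the WOW64 view; the SSODL value name, the InProcServer32 path and the .tmp hash differ between the two runs and should not be used as fleet-wide indicators on their own.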