Malware Analysis Report

2024-11-16 12:45

Sample ID 240307-qq2bpscc77
Target b8d7e60c2d30188fb56de8819b2e226c
SHA256 83fe0ebc31413bb25767a473a559ed684f18fd7a912fdb9d064e45d5f46b84b1
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

83fe0ebc31413bb25767a473a559ed684f18fd7a912fdb9d064e45d5f46b84b1

Threat Level: Likely malicious

The file b8d7e60c2d30188fb56de8819b2e226c was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Loads dropped DLL

Modifies file permissions

Deletes itself

Drops file in System32 directory

Unsigned PE

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-07 13:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 13:28

Reported

2024-03-07 13:31

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\imm32.dll C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
File created C:\Windows\SysWOW64\ole.dll C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
File created C:\Windows\SysWOW64\imm32.dll.log C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
File opened for modification C:\Windows\SysWOW64\imm32.dll.log C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1524 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\taskkill.exe
PID 1524 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\taskkill.exe
PID 1524 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\taskkill.exe
PID 1524 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\taskkill.exe
PID 1524 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\takeown.exe
PID 1524 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\takeown.exe
PID 1524 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\takeown.exe
PID 1524 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\takeown.exe
PID 1524 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\icacls.exe
PID 1524 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\icacls.exe
PID 1524 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\icacls.exe
PID 1524 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\icacls.exe
PID 1524 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe

"C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM NVCAgent.npc

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\clr_f7692be.bat

Network

N/A

Files

C:\Windows\SysWOW64\IMM32.DLL

MD5 1ace4fae10b9ef9c1184aa2ce8030fca
SHA1 0bc4a69788894a8377b654c3a4ea1a9b15264790
SHA256 fcb1ea98db1a802681ab9dd894c329eb3ee7dc941d43b04826be561e6213f155
SHA512 8540ad9ac2cde82d29f93b7cca3122ff5b93957230aeeb9d1f58842cb344bec83fb316786d1c76216d27c143b79ab6fbb1d198f43f36b8fad60f724a853af2f2

C:\Windows\SysWOW64\ole.dll

MD5 1abf0f1e4b80ace83c3fb9c8a4b065a7
SHA1 f844bd0d0d10241fadafa7e90e69653fdfac99d4
SHA256 e4fc83df6936dacac02d8463b496f533133b1ebadb774d6f0aa8154dcf6d01ae
SHA512 ea5cb7ff5bace90b4c2e81f11fa8dcbaee90c18d3cffbbf22752057c47a9c8a5fb500e3de2bfc95cde8c82bc20d212176a295c7515f5370984429e4d553b8eff

memory/2492-12-0x0000000075350000-0x00000000753C0000-memory.dmp

\??\c:\clr_f7692be.bat

MD5 2b006c0f06d2a09b7b8c8d67d5a6e97b
SHA1 74fb65bd7db7ff67aff3f3e2db2273740a172bc2
SHA256 65c60b56c33e25676fb2fa1f7331bd2f2264ce179ce7a3e9604a94d19619f35d
SHA512 c403b24077d7047f9a08f714890ee80a634c883ac68fa9276e8e4011817b7f25cc29cfe198171fdb3b7850ff5379175b5615052d86a5f2f8e5db81db8274b916

memory/2492-15-0x0000000075350000-0x00000000753C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-07 13:28

Reported

2024-03-07 13:31

Platform

win10v2004-20240226-en

Max time kernel

164s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ole.dll C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
File created C:\Windows\SysWOW64\imm32.dll.log C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
File opened for modification C:\Windows\SysWOW64\imm32.dll.log C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
File created C:\Windows\SysWOW64\imm32.dll C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4952 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\taskkill.exe
PID 4952 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\taskkill.exe
PID 4952 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\taskkill.exe
PID 4952 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\takeown.exe
PID 4952 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\takeown.exe
PID 4952 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\takeown.exe
PID 4952 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\icacls.exe
PID 4952 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\icacls.exe
PID 4952 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\icacls.exe
PID 4952 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe

"C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM NVCAgent.npc

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\clr_e57eb5a.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 198.52.96.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 51.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

Files

memory/4952-9-0x0000000076BE0000-0x0000000076C05000-memory.dmp

\??\c:\clr_e57eb5a.bat

MD5 b05b955e9fb5a310c63884f022a2f898
SHA1 4e0b1ce84b1236f71fbab292b43be9ab6659b303
SHA256 6a4c7c59998fc6960765986234bb882a0d669bfe7b0982febc69be05f227ced5
SHA512 92831b363fbcc170203e52b80e3139f7ab424770de1249afa6e934664b3e12811d75b37aad4a128a6243e9aba9bf43e595ce2ed5dd073d58b5c2c255f0366ff1