Malware Analysis Report

2025-03-14 23:09

Sample ID 240406-31mmhsfe45
Target a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608
SHA256 a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608
Tags persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256

a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608

Threat Level: Shows suspicious behavior

The file a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-06 23:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-06 23:58
Reported 2024-04-07 00:01
Platform win10v2004-20240226-en
Max time kernel 149s
Max time network 122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Cameeate\icacmsdt.exe N/A
N/A N/A C:\Windows\SysWOW64\caclexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~39EC.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\findcher = "C:\\Users\\Admin\\AppData\\Roaming\\Cameeate\\icacmsdt.exe" C:\Users\Admin\AppData\Local\Temp\a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\caclexec.exe C:\Users\Admin\AppData\Local\Temp\a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Cameeate\icacmsdt.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\caclexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608.exe

"C:\Users\Admin\AppData\Local\Temp\a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608.exe"

C:\Users\Admin\AppData\Roaming\Cameeate\icacmsdt.exe

"C:\Users\Admin\AppData\Roaming\Cameeate\icacmsdt.exe"

C:\Windows\SysWOW64\caclexec.exe

C:\Windows\SysWOW64\caclexec.exe -k

C:\Users\Admin\AppData\Local\Temp\~39EC.tmp

"C:\Users\Admin\AppData\Local\Temp\~39EC.tmp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 680

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp

Files

memory/2764-0-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

memory/2764-1-0x0000000000E60000-0x0000000000E9E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Cameeate\icacmsdt.exe

MD5 2199e3f5b475682cc3d2ecedab3422f1
SHA1 79ce85ee1176d2107088dad68a9972c55d707c91
SHA256 87664fa4ceafddc961ff7a451d6377df382ff78b718d0d0ab24cac0c8a832193
SHA512 83b6f4ab5ef31829de634a48722d78447aeb50c6d7018673eaffdb536739d71a718396e95f0445fe6cf230a707fb8a11d46c0b1de7624e831cbcc0c4772afdc6

memory/2384-10-0x0000000000590000-0x00000000005CE000-memory.dmp

C:\Windows\SysWOW64\caclexec.exe

MD5 1980c5f95c9086ec653763e8ed23f61d
SHA1 987ee36b06cc5b80cd51f5b94e1a459f902592a0
SHA256 a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608
SHA512 c58f6ab2027fd4f117026c65fca50107421c65d305bd8e7ff6cd5f20b0eb3ac30e339d76ac25b8e43bdfc790b63ff6d0836b30e7aac8d89b8d4b4cef55b0f186

memory/3468-18-0x0000000008790000-0x00000000087D1000-memory.dmp

memory/2244-21-0x0000000000E20000-0x0000000000E50000-memory.dmp

memory/2244-17-0x00000000007A0000-0x00000000007DE000-memory.dmp

memory/3468-15-0x0000000008790000-0x00000000087D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~39EC.tmp

MD5 10dab540f5305afba952a0c985018943
SHA1 f1b602e15f3f2f09d6d78034883d0d90d3c010ef
SHA256 3ea31f98d69137e5c59403f1a94e7586951687675819626d561f4614a2d72c8d
SHA512 a8e970895c963441abb1622b900fe4b9748ab274f9de7b4f320e5477a9065ee75dfc37bf92d152215fdaa644f94f2771b73eb6f70373ebab0822f83b917f44a4

memory/2384-6-0x00000000003E0000-0x0000000000410000-memory.dmp

memory/2244-22-0x00000000007A0000-0x00000000007DE000-memory.dmp

memory/2384-26-0x00000000003E0000-0x0000000000410000-memory.dmp

memory/2764-27-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

memory/2764-28-0x0000000000E60000-0x0000000000E9E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-06 23:58
Reported 2024-04-07 00:01
Platform win7-20240221-en
Max time kernel 149s
Max time network 119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bthunger\ddodnatt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~17F4.tmp N/A
N/A N/A C:\Windows\SysWOW64\convtune.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdsort = "C:\\Users\\Admin\\AppData\\Roaming\\bthunger\\ddodnatt.exe" C:\Users\Admin\AppData\Local\Temp\a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\convtune.exe C:\Users\Admin\AppData\Local\Temp\a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bthunger\ddodnatt.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\convtune.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608.exe

"C:\Users\Admin\AppData\Local\Temp\a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608.exe"

C:\Users\Admin\AppData\Roaming\bthunger\ddodnatt.exe

"C:\Users\Admin\AppData\Roaming\bthunger\ddodnatt.exe"

C:\Users\Admin\AppData\Local\Temp\~17F4.tmp

"C:\Users\Admin\AppData\Local\Temp\~17F4.tmp"

C:\Windows\SysWOW64\convtune.exe

C:\Windows\SysWOW64\convtune.exe -k

Network

N/A

Files

memory/2068-0-0x0000000000C40000-0x0000000000C70000-memory.dmp

memory/2068-1-0x00000000000E0000-0x000000000011E000-memory.dmp

\Users\Admin\AppData\Roaming\bthunger\ddodnatt.exe

MD5 17f51b6e0e860c069c0dc29a127dee54
SHA1 415b8f4b645145b5867cae56b6de212fcf5865f9
SHA256 23476a212fcfbf631408346b48ade10de5c308d15687586b00495f51b715f2dc
SHA512 29db198a91f1d17ab177ce3b159c667ed5a6e906abe518a1027c06c5d60388f2072384cdca90070685d8b28fb78ad4bc5e23b30f818d6455806bb2df6cc46a5b

\Users\Admin\AppData\Local\Temp\~17F4.tmp

MD5 4230e36d2aca923880c25370eee46fe5
SHA1 bd9e70699e115a08325404ac5d2bacf7957656b2
SHA256 5f6b25897c930d9ef7f9809e3ce6a41f49bdf70dea0f13bde813b29286b5db27
SHA512 da7d74694ca7dc6438125132e50ec6533d8a6bd03ff60fc9cb637d344a534dc5b2878a6967aed5c5f777f00cecd98796140b8d5b8c847374588468d2d7eb3945

memory/2068-12-0x0000000000150000-0x0000000000180000-memory.dmp

memory/2068-18-0x0000000000150000-0x0000000000180000-memory.dmp

C:\Windows\SysWOW64\convtune.exe

MD5 1980c5f95c9086ec653763e8ed23f61d
SHA1 987ee36b06cc5b80cd51f5b94e1a459f902592a0
SHA256 a37db35967b89fd82e38207d33709a4efd56dfc6fc1970a8466b91877d52d608
SHA512 c58f6ab2027fd4f117026c65fca50107421c65d305bd8e7ff6cd5f20b0eb3ac30e339d76ac25b8e43bdfc790b63ff6d0836b30e7aac8d89b8d4b4cef55b0f186

memory/2068-25-0x0000000000C40000-0x0000000000C70000-memory.dmp

memory/2608-29-0x0000000001260000-0x0000000001290000-memory.dmp

memory/2608-33-0x0000000000070000-0x00000000000AE000-memory.dmp

memory/2608-31-0x0000000000070000-0x00000000000AE000-memory.dmp

memory/2068-28-0x00000000000E0000-0x000000000011E000-memory.dmp

memory/1212-23-0x0000000002570000-0x00000000025B1000-memory.dmp

memory/2608-24-0x0000000000070000-0x00000000000AE000-memory.dmp

memory/1212-20-0x0000000002570000-0x00000000025B1000-memory.dmp

memory/2368-19-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

memory/1212-17-0x0000000002570000-0x00000000025B1000-memory.dmp