Malware Analysis Report

2025-03-14 22:10

Sample ID: 240407-2yrysaha9v
Target: 86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961
SHA256: 86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961
Tags: persistence
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: 86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961

Threat Level: Likely malicious

The file 86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961 was found to be: Likely malicious.

Malicious Activity Summary

Tags: persistence

Detects executables packed with aPLib.
Modifies AppInit DLL entries
Loads dropped DLL
Checks computer location settings
Deletes itself
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 22:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 22:59
Reported: 2024-04-07 23:02
Platform: win7-20240215-en
Max time kernel: 117s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe"

Signatures

Detects executables packed with aPLib.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies AppInit DLL entries

persistence

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\convutou.dll C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe N/A

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe

"C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259401442.bat" "C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe""

C:\Windows\SysWOW64\attrib.exe

attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe"

Network

N/A

Files

memory/1304-0-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1304-1-0x0000000001000000-0x000000000102A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259401442.bat

MD5 604802586163bdc9eda42f6a471e01ad
SHA1 fc255017a78e3ec103f73c8c8651effe08089c81
SHA256 02f35eec8f33e1ad57621253ee252ca073f6cc16bf9712d89859ffeb6bb49dd3
SHA512 66dc346d7bdcc80fc8ae6894ae10cab306aaf5cf1c1dd750a971d3df37d6f4ac607d188f583d08b526e3df13234cec9c7fa7f9bdc4c4ad187fc83a3506b94888

\Windows\SysWOW64\convutou.dll

MD5 11a19ac2f9a6f12bcb7c292037e69ca1
SHA1 69af12335c4b88cb86699176cf53972a44fa584f
SHA256 77bfcadd94b1bee2bd3db65de6806336cb89dad53ad6208443f6bcab6432c964
SHA512 104dcdf73b1d8fe20fcf479366c0142a6fbace859c5f35920fc246fcb6010c6e937004d91bc5d968559dd0636e85c290db5d74b539c8ebff9288b7cd4afa23b2

memory/1304-13-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

memory/1304-14-0x0000000010000000-0x0000000010012000-memory.dmp

memory/1304-15-0x0000000001000000-0x000000000102A000-memory.dmp

memory/1304-16-0x0000000010000000-0x0000000010012000-memory.dmp

memory/2368-21-0x0000000010000000-0x0000000010012000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 22:59
Reported: 2024-04-07 23:02
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe"

Signatures

Detects executables packed with aPLib.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies AppInit DLL entries

persistence

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explhost.dll C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe N/A

Enumerates physical storage devices

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe

"C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240619390.bat" "C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe""

C:\Windows\SysWOW64\attrib.exe

attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\86a77561147a1bff0279d78d42e7e1f9e31ce7256287d6f94082c2365cba2961.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 504

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

memory/4124-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/4124-1-0x0000000001000000-0x000000000102A000-memory.dmp

C:\Windows\SysWOW64\explhost.dll

MD5 11a19ac2f9a6f12bcb7c292037e69ca1
SHA1 69af12335c4b88cb86699176cf53972a44fa584f
SHA256 77bfcadd94b1bee2bd3db65de6806336cb89dad53ad6208443f6bcab6432c964
SHA512 104dcdf73b1d8fe20fcf479366c0142a6fbace859c5f35920fc246fcb6010c6e937004d91bc5d968559dd0636e85c290db5d74b539c8ebff9288b7cd4afa23b2

memory/4124-9-0x0000000001000000-0x000000000102A000-memory.dmp

memory/4124-10-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/4124-11-0x0000000010000000-0x0000000010012000-memory.dmp

memory/4124-12-0x0000000001000000-0x000000000102A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240619390.bat

MD5 604802586163bdc9eda42f6a471e01ad
SHA1 fc255017a78e3ec103f73c8c8651effe08089c81
SHA256 02f35eec8f33e1ad57621253ee252ca073f6cc16bf9712d89859ffeb6bb49dd3
SHA512 66dc346d7bdcc80fc8ae6894ae10cab306aaf5cf1c1dd750a971d3df37d6f4ac607d188f583d08b526e3df13234cec9c7fa7f9bdc4c4ad187fc83a3506b94888

memory/4408-17-0x0000000010000000-0x0000000010012000-memory.dmp