Malware Analysis Report

2024-11-13 19:00

Sample ID: 240516-lcxn5sed34
Target: 15462718181.zip
SHA256: 7e63076d377997ecc53c4354ee90916e35b44b9f74d46c1af33cfc40fcd69ea5
Tags: none
Score: 5/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 5/10

SHA256: 7e63076d377997ecc53c4354ee90916e35b44b9f74d46c1af33cfc40fcd69ea5

Threat Level: Likely benign

The file 15462718181.zip was found to be: Likely benign. The behavioral runs below execute the PE extracted from it, e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe. Note that every "Drops file in System32 directory" hit is a write under C:\Windows\System32\GroupPolicy (gpt.ini and Machine\Registry.pol), the on-disk store for Local Group Policy; a program that rewrites local machine policy warrants a look at the resulting Registry.pol before the verdict is accepted. The "Suspicious use of WriteProcessMemory" entry appears only in this summary and in none of the per-run signature tables below.

Malicious Activity Summary

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-16 09:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 09:23
Reported: 2024-05-16 09:26
Platform: win7-20240419-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
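Every hit in this table is a write under C:\Windows\System32\GroupPolicy: gpt.ini, the local GPO version and extension index, and Machine\Registry.pol, which holds registry-based machine policy in the PReg format (a "PReg" signature and a version DWORD followed by UTF-16LE [key;value;type;size;data] records). The report hashes gpt.ini but shows neither a hash nor the contents of Registry.pol, so the check a reviewer wants is to pull that file from the sandbox filesystem and decode it. The Python below is an added example, not part of this report or of the sandbox's tooling; the input it decodes is a constructed Registry.pol (one real Windows Defender policy path plus an invented ExampleVendor key), not the sample's actual file, and a path given on the command line is parsed instead.

```python
"""Decode a Registry.pol (PReg) file such as the one created under
C:\\Windows\\System32\\GroupPolicy\\Machine\\ in this report."""
import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def _u16(s):
    return s.encode("utf-16-le")


def _read_utf16z(buf, pos):
    """NUL-terminated UTF-16LE string starting at pos; returns (text, next_pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end + 2 > len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def decode_value(rtype, raw):
    """Render the raw data bytes according to the registry value type."""
    if rtype == 4 and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if rtype == 11 and len(raw) == 8:
        return struct.unpack("<Q", raw)[0]
    if rtype in (1, 2):
        return raw.decode("utf-16-le", "replace").rstrip("\x00")
    if rtype == 7:
        return [s for s in raw.decode("utf-16-le", "replace").split("\x00") if s]
    return raw.hex()


def parse_registry_pol(data):
    """Return one dict per [key;value;type;size;data] record."""
    if data[:4] != PREG_MAGIC:
        raise ValueError("missing PReg signature")
    version = struct.unpack_from("<I", data, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported PReg version %d" % version)
    pos, entries = 8, []
    while pos < len(data):
        pos = _expect(data, pos, "[")
        key, pos = _read_utf16z(data, pos)
        pos = _expect(data, pos, ";")
        name, pos = _read_utf16z(data, pos)
        pos = _expect(data, pos, ";")
        rtype = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        size = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        raw = data[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(data, pos + size, "]")
        entries.append({"key": key, "name": name,
                        "type": REG_TYPES.get(rtype, "type %d" % rtype),
                        "value": decode_value(rtype, raw)})
    return entries


def build_registry_pol(records):
    """Inverse of parse_registry_pol; used here only to construct a test file."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, rtype, raw in records:
        out += (_u16("[") + _u16(key) + b"\x00\x00" + _u16(";") + _u16(name) + b"\x00\x00"
                + _u16(";") + struct.pack("<I", rtype) + _u16(";")
                + struct.pack("<I", len(raw)) + _u16(";") + raw + _u16("]"))
    return bytes(out)


# Constructed sample, not the sample's real Registry.pol (the report does not
# include its contents): one real Defender policy path and an invented key.
SAMPLE_POL = build_registry_pol([
    (r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 4, struct.pack("<I", 1)),
    (r"Software\Policies\ExampleVendor", "Banner", 1, "hello\x00".encode("utf-16-le")),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for e in parse_registry_pol(data):  # Machine\Registry.pol entries land under HKLM
        print(r"HKLM\%s\%s = %s %r" % (e["key"], e["name"], e["type"], e["value"]))
```

Run it against a Registry.pol recovered from the sandbox (python registry_pol.py Registry.pol) and compare the keys against the policies you expect a benign installer to touch; a Defender or script-host policy set to a disabling value is the kind of finding that would move the verdict above "likely benign".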

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe

"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1640 -s 372

(Windows Error Reporting was started for PID 1640, which is the sample's own process judging by the memory dump names below, so the sample faulted on this Win7 image.)

Network

Country | Destination | Domain | Proto
NL | 195.20.16.45:80 | N/A | tcp
DE | 77.105.147.130:80 | N/A | tcp

Files

memory/1640-2-0x0000000077060000-0x0000000077062000-memory.dmp

memory/1640-0-0x0000000077060000-0x0000000077062000-memory.dmp

memory/1640-6-0x000000013FC8F000-0x000000013FFDB000-memory.dmp

memory/1640-10-0x000000013FA90000-0x0000000140763000-memory.dmp

memory/1640-4-0x0000000077060000-0x0000000077062000-memory.dmp

memory/1640-18-0x000000013FA90000-0x0000000140763000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/1640-19-0x000000013FA90000-0x0000000140763000-memory.dmp

memory/1640-20-0x000000013FA90000-0x0000000140763000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-16 09:23
Reported: 2024-05-16 09:26
Platform: win10-20240404-en
Max time kernel: 127s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe

"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

(fhsvc is the File History Service and WPDBusEnum the Portable Device Enumerator Service, both standard Windows service hosts started on demand; the report records no parent/child relation between them and the sample.)

Network

Country | Destination | Domain | Proto
NL | 195.20.16.45:80 | N/A | tcp
DE | 77.105.147.130:80 | N/A | tcp
US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp

Files

memory/3044-0-0x00007FF69FB5F000-0x00007FF69FEAB000-memory.dmp

memory/3044-1-0x00007FFC7A720000-0x00007FFC7A722000-memory.dmp

memory/3044-3-0x00007FF69F960000-0x00007FF6A0633000-memory.dmp

memory/3044-13-0x00007FF69FB5F000-0x00007FF69FEAB000-memory.dmp

memory/3044-14-0x00007FF69F960000-0x00007FF6A0633000-memory.dmp

memory/3044-15-0x00007FF69F960000-0x00007FF6A0633000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-16 09:23
Reported: 2024-05-16 09:27
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe

"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

(An Edge utility process started during this run; this is also the only run in which the 142.250.187.234:443 connection below appears, so treat that endpoint as browser background traffic rather than sample activity unless the sandbox shows otherwise.)

Network

Country | Destination | Domain | Proto
DE | 77.105.147.130:80 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
NL | 195.20.16.45:80 | N/A | tcp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
GB | 142.250.187.234:443 | N/A | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp

Files

memory/4840-0-0x00007FF64046F000-0x00007FF6407BB000-memory.dmp

memory/4840-2-0x00007FF640270000-0x00007FF640F43000-memory.dmp

memory/4840-1-0x00007FF9900D0000-0x00007FF9900D2000-memory.dmp

memory/4840-13-0x00007FF64046F000-0x00007FF6407BB000-memory.dmp

memory/4840-14-0x00007FF640270000-0x00007FF640F43000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-05-16 09:23
Reported: 2024-05-16 09:26
Platform: win11-20240508-en
Max time kernel: 121s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe

"C:\Users\Admin\AppData\Local\Temp\e2d43773c472684dac1028f8838954e73f1135825d49e09d330ff1596594fb08.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

Network

Country | Destination | Domain | Proto
NL | 195.20.16.45:80 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
DE | 77.105.147.130:80 | N/A | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
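Across the four Network tables the same two direct-to-IP HTTP endpoints recur, 195.20.16.45:80 and 77.105.147.130:80, with no DNS name recorded for either; the 8.8.8.8:53 rows carrying in-addr.arpa names are the sandbox's own reverse lookups, and 224.0.0.251:5353 is mDNS. The Python below is an added example, not the report's or the sandbox's tooling: it normalises the tables as they appear on the page (whitespace- or pipe-separated, with the Domain column sometimes absent) into endpoint strings, drops that noise, and separates endpoints contacted in every run from those seen in only one. The rows embedded in it are copied from this report, with a representative subset of the behavioral3 PTR lookups.

```python
"""Turn sandbox Network tables into a de-noised set of endpoint IOCs."""
import ipaddress

NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def parse_network_rows(text):
    """Rows are 'Country Destination [Domain] Proto', either whitespace- or
    pipe-separated; Domain may be missing or given as N/A."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if not parts or parts[0] == "Country":
            continue  # skip header and blank lines
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            if domain in ("", "N/A", "-"):
                domain = None
        else:
            raise ValueError("unexpected row: %r" % line)
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_noise(row):
    """Reverse lookups issued by the sandbox resolver, and multicast,
    link-local or loopback destinations, are not sample IOCs."""
    if row["domain"] and row["domain"].endswith(NOISE_DOMAIN_SUFFIXES):
        return True
    ip = ipaddress.ip_address(row["ip"])
    return ip.is_multicast or ip.is_link_local or ip.is_loopback


def endpoints(rows):
    return {"%s:%d/%s" % (r["ip"], r["port"], r["proto"]) for r in rows if not is_noise(r)}


def endpoints_in_every_run(runs):
    """Endpoints every detonation contacted: the stable candidates to look up."""
    sets = [endpoints(parse_network_rows(t)) for t in runs.values()]
    return set.intersection(*sets) if sets else set()


def endpoints_in_one_run(runs):
    """Endpoints seen in exactly one run, usually OS or browser background traffic."""
    counts = {}
    for t in runs.values():
        for e in endpoints(parse_network_rows(t)):
            counts[e] = counts.get(e, 0) + 1
    return {e for e, c in counts.items() if c == 1}


# Rows copied from this report (behavioral3 PTR lookups abbreviated to two).
RUNS = {
    "behavioral1 win7": """
NL 195.20.16.45:80 tcp
DE 77.105.147.130:80 tcp
""",
    "behavioral2 win10": """
NL 195.20.16.45:80 tcp
DE 77.105.147.130:80 tcp
US 8.8.8.8:53 80.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
""",
    "behavioral3 win10v2004": """
DE 77.105.147.130:80 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 195.20.16.45:80 tcp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
""",
    "behavioral4 win11": """
Country | Destination | Domain | Proto
NL | 195.20.16.45:80 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
DE | 77.105.147.130:80 | N/A | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
""",
}

if __name__ == "__main__":
    print("in every run:", sorted(endpoints_in_every_run(RUNS)))
    print("in one run only:", sorted(endpoints_in_one_run(RUNS)))
```

The two endpoints that survive in every run are plain HTTP to bare IPs with no name resolution recorded, which is the detail worth checking in passive DNS or a reputation source before accepting the benign verdict; the 142.250.187.234:443 connection appears only in the run that spawned msedge.exe.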

Files

memory/2764-2-0x00007FF79ADCF000-0x00007FF79B11B000-memory.dmp

memory/2764-1-0x00007FF79ABD0000-0x00007FF79B8A3000-memory.dmp

memory/2764-0-0x00007FFEFB3D0000-0x00007FFEFB3D2000-memory.dmp

memory/2764-13-0x00007FF79ABD0000-0x00007FF79B8A3000-memory.dmp

memory/2764-14-0x00007FF79ADCF000-0x00007FF79B11B000-memory.dmp
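The Files sections name each dump memory/<pid>-<index>-<start>-<end>-memory.dmp. Subtracting the bounds gives the same three region sizes (0x2000, 0x34C000 and 0xCD3000 bytes) in all four runs at different addresses, which is what one image relocated by ASLR looks like across OS versions, and every base lies above 4 GiB, consistent with a 64-bit PE. The PID in the Win7 names (1640) is also the PID WerFault.exe was launched for in behavioral1. The Python below is an added example, not the sandbox's code: it parses the names (one per distinct region, copied from this report), computes region sizes, and reports the sizes common to every run and the largest region per run.

```python
"""Parse memory/<pid>-<n>-<start>-<end>-memory.dmp names from a sandbox
report and compare dumped region sizes across runs."""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return pid, dump index, start, end and size (bytes) of one dump name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a memory dump name: %r" % name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError("empty or inverted range in %r" % name)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def region_sizes(names):
    """Distinct region sizes in one run; repeated dumps of a region collapse."""
    return {parse_dump_name(n)["size"] for n in names}


def common_region_sizes(runs):
    """Sizes present in every run. Identical sizes at different addresses are
    the signature of one image relocated by ASLR on each OS image."""
    sets = [region_sizes(names) for names in runs.values()]
    return set.intersection(*sets) if sets else set()


def largest_region(names):
    """The biggest dumped region, normally the whole mapped PE image."""
    return max((parse_dump_name(n) for n in names), key=lambda r: r["size"])


def dump_pids(names):
    """PIDs that appear in a run's dump names (expect exactly one, the sample)."""
    return {parse_dump_name(n)["pid"] for n in names}


# One name per distinct region, copied from the four behavioral runs above.
RUNS = {
    "behavioral1 win7": [
        "memory/1640-2-0x0000000077060000-0x0000000077062000-memory.dmp",
        "memory/1640-6-0x000000013FC8F000-0x000000013FFDB000-memory.dmp",
        "memory/1640-10-0x000000013FA90000-0x0000000140763000-memory.dmp",
    ],
    "behavioral2 win10": [
        "memory/3044-0-0x00007FF69FB5F000-0x00007FF69FEAB000-memory.dmp",
        "memory/3044-1-0x00007FFC7A720000-0x00007FFC7A722000-memory.dmp",
        "memory/3044-3-0x00007FF69F960000-0x00007FF6A0633000-memory.dmp",
    ],
    "behavioral3 win10v2004": [
        "memory/4840-0-0x00007FF64046F000-0x00007FF6407BB000-memory.dmp",
        "memory/4840-2-0x00007FF640270000-0x00007FF640F43000-memory.dmp",
        "memory/4840-1-0x00007FF9900D0000-0x00007FF9900D2000-memory.dmp",
    ],
    "behavioral4 win11": [
        "memory/2764-2-0x00007FF79ADCF000-0x00007FF79B11B000-memory.dmp",
        "memory/2764-1-0x00007FF79ABD0000-0x00007FF79B8A3000-memory.dmp",
        "memory/2764-0-0x00007FFEFB3D0000-0x00007FFEFB3D2000-memory.dmp",
    ],
}

if __name__ == "__main__":
    for run, names in RUNS.items():
        big = largest_region(names)
        print("%-24s pid=%-5d largest region 0x%X-0x%X (0x%X bytes)"
              % (run, big["pid"], big["start"], big["end"], big["size"]))
    print("sizes common to all runs:", sorted(hex(s) for s in common_region_sizes(RUNS)))
```

When the largest region has the same size in every run, the dump taken at the highest index in that run (for example memory/1640-20-… on Win7) is the one to carve the in-memory PE from, since it reflects the image after any self-modification the sample performed.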