Analysis Overview
SHA256
1bf0be20e23a9fac7d3f289262dcdb93f01229cc2a7bba27adccc122c6867ade
Threat Level: Shows suspicious behavior
The file mcut-wd.exe was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Reads MAC address of network interface
Changes its process name
Checks CPU configuration
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 11:44
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 11:44
Reported
2024-05-22 11:50
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
149s
Max time network
131s
Command Line
Signatures
Reads MAC address of network interface
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/class/net/ens3/address | /tmp/mcut-wd.exe | N/A |
| File opened for reading | /sys/class/net/lo/address | /tmp/mcut-wd.exe | N/A |
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | tkLicOnline | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /tmp/mcut-wd.exe | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/class/sunxi_info/sys_info | /tmp/mcut-wd.exe | N/A |
| File opened for reading | /sys/class/net | /bin/ls | N/A |
| File opened for reading | /sys/class/net/address | /tmp/mcut-wd.exe | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/filesystems | /bin/ls | N/A |
| File opened for reading | /proc/self/exe | /tmp/mcut-wd.exe | N/A |
| File opened for reading | /proc/version | /tmp/mcut-wd.exe | N/A |
| File opened for reading | /proc/cmdline | /tmp/mcut-wd.exe | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/device-tree/model | /tmp/mcut-wd.exe | N/A |
| File opened for reading | /proc/self/mountinfo | /bin/df | N/A |
Processes
/tmp/mcut-wd.exe
[/tmp/mcut-wd.exe]
/bin/sh
[sh -c mkdir -p /var/mcut/.data//acesso//tmp/]
/bin/mkdir
[mkdir -p /var/mcut/.data//acesso//tmp/]
/bin/sh
[sh -c df -h]
/bin/df
[df -h]
/bin/sh
[sh -c ls -lh /dev/disk/by-uuid/]
/bin/ls
[ls -lh /dev/disk/by-uuid/]
/bin/sh
[sh -c ls /sys/class/net]
/bin/ls
[ls /sys/class/net]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.129.91:443 | | tcp |
| US | 151.101.129.91:443 | | tcp |
| US | 1.1.1.1:53 | cliente.mcu.com.br | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 89.187.167.4:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.8:443 | 1527653184.rsc.cdn77.org | tcp |
Files
/var/mcut/log/mcut-wd.log
| MD5 | 18151d840abde785b6cfb2d15f6f73d3 |
| SHA1 | 8f0a4de61aa20248bd62db7471df3b4f59e09451 |
| SHA256 | 9c72a16ca8cd23b7287be92cfa1ee6b07ed1f5da5e1dba337dece11dae5ec6a0 |
| SHA512 | 0e9a08a4c636c0628e91684eabd6ced1fb06acc9a27b8d5defe5070a4e6e2f3d22898fb6deaa85d7f259f75c9e64b8f4e945fc906d127fbf57ef0fe4761b85e6 |
memory/1491-1-0x0000000000400000-0x00000000008b6940-memory.dmp