Malware Analysis Report

2024-10-24 21:47

Sample ID 240522-nv6e4sdh3v
Target mcut-wd.exe
SHA256 1bf0be20e23a9fac7d3f289262dcdb93f01229cc2a7bba27adccc122c6867ade
Tags
upx antivm evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1bf0be20e23a9fac7d3f289262dcdb93f01229cc2a7bba27adccc122c6867ade

Threat Level: Shows suspicious behavior

The file mcut-wd.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx antivm evasion

UPX packed file

Reads MAC address of network interface

Changes its process name

Checks CPU configuration

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 11:44

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 11:44

Reported

2024-05-22 11:50

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

149s

Max time network

131s

Command Line

[/tmp/mcut-wd.exe]

Signatures

Reads MAC address of network interface

evasion
Description Indicator Process Target
File opened for reading /sys/class/net/ens3/address /tmp/mcut-wd.exe N/A
File opened for reading /sys/class/net/lo/address /tmp/mcut-wd.exe N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself tkLicOnline N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/mcut-wd.exe N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/class/sunxi_info/sys_info /tmp/mcut-wd.exe N/A
File opened for reading /sys/class/net /bin/ls N/A
File opened for reading /sys/class/net/address /tmp/mcut-wd.exe N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/self/exe /tmp/mcut-wd.exe N/A
File opened for reading /proc/version /tmp/mcut-wd.exe N/A
File opened for reading /proc/cmdline /tmp/mcut-wd.exe N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/device-tree/model /tmp/mcut-wd.exe N/A
File opened for reading /proc/self/mountinfo /bin/df N/A

Processes

/tmp/mcut-wd.exe

[/tmp/mcut-wd.exe]

/bin/sh

[sh -c mkdir -p /var/mcut/.data//acesso//tmp/]

/bin/mkdir

[mkdir -p /var/mcut/.data//acesso//tmp/]

/bin/sh

[sh -c df -h]

/bin/df

[df -h]

/bin/sh

[sh -c ls -lh /dev/disk/by-uuid/]

/bin/ls

[ls -lh /dev/disk/by-uuid/]

/bin/sh

[sh -c ls /sys/class/net]

/bin/ls

[ls /sys/class/net]

Network

Country Destination Domain Proto
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.129.91:443 tcp
US 151.101.129.91:443 tcp
US 1.1.1.1:53 cliente.mcu.com.br udp
N/A 224.0.0.251:5353 udp
GB 89.187.167.4:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.8:443 1527653184.rsc.cdn77.org tcp

Files

/var/mcut/log/mcut-wd.log

MD5 18151d840abde785b6cfb2d15f6f73d3
SHA1 8f0a4de61aa20248bd62db7471df3b4f59e09451
SHA256 9c72a16ca8cd23b7287be92cfa1ee6b07ed1f5da5e1dba337dece11dae5ec6a0
SHA512 0e9a08a4c636c0628e91684eabd6ced1fb06acc9a27b8d5defe5070a4e6e2f3d22898fb6deaa85d7f259f75c9e64b8f4e945fc906d127fbf57ef0fe4761b85e6

memory/1491-1-0x0000000000400000-0x00000000008b6940-memory.dmp