Malware Analysis Report

2025-06-16 03:39

Sample ID: 240526-h2adcsbh79
Target: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c
SHA256: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c
Tags: bootkit, persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c

Threat Level: Shows suspicious behavior

The file 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c was classified as showing suspicious behavior. Static analysis found the PE unsigned. In both detonations (Windows 7 and Windows 10) the sample opened \??\PhysicalDrive0 for modification, which the sandbox reports as a write to the Master Boot Record and which is the basis for the bootkit and persistence tags; it then relaunched itself through cmd.exe, killing the running instance with taskkill /f /im and starting the same executable again; and it made an outbound TCP connection to 124.221.189.58:9001. The Windows 10 run additionally shows reverse-DNS (in-addr.arpa) lookups and HTTPS traffic to bing.com hosts, which is consistent with Windows 10 background traffic and the sandbox's own reverse lookups rather than with sample activity; 124.221.189.58:9001 is the only endpoint common to both runs.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 07:13

Signatures

Unsigned PE

No per-event details recorded (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 07:13

Reported

2024-05-26 07:16

Platform

win7-20231129-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator:   \??\PhysicalDrive0
Process:     C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
Target:      N/A
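The indicator above is a handle opened on the raw disk, not the bytes that were written: the sandbox flags the open, so this signature alone is a hint of MBR tampering rather than proof of an installed bootkit. A responder who wants to know whether sector 0 actually changed can parse the MBR and hash its boot-code area against a baseline taken from a clean machine. The following is an added example, not code from the report or from the sandbox vendor; the 512-byte image it parses is constructed inline, and GOOD_BOOTCODE (a two-byte cli/hlt stub) and the derived BASELINE hash are placeholders for a real golden image.

```python
"""Parse a 512-byte MBR and check its boot code against a known-good hash.

Added example (not part of the sandbox report). The disk image is built
in memory: a minimal MBR with one active NTFS partition entry.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # bytes 0..439: bootstrap code (what a bootkit replaces)
DISK_SIG_OFF = 440      # 4-byte Windows disk signature
PART_TABLE_OFF = 446    # four 16-byte partition entries
MBR_SIG_OFF = 510       # 0x55 0xAA boot signature
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode: bytes, disk_sig: int = 0x12345678) -> bytes:
    """Construct a synthetic MBR: the given boot code plus one active NTFS partition."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too large for the MBR")
    img = bytearray(SECTOR)
    img[:len(bootcode)] = bootcode
    struct.pack_into("<I", img, DISK_SIG_OFF, disk_sig)
    # entry 0: bootable (0x80), type 0x07 (NTFS), starts at LBA 2048, 1 GiB of sectors
    struct.pack_into(PART_FMT, img, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    img[MBR_SIG_OFF:] = b"\x55\xaa"
    return bytes(img)


def parse_mbr(img: bytes) -> dict:
    """Return boot-code hash, disk signature, non-empty partition entries and signature validity."""
    if len(img) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            PART_FMT, img, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(img[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
        "partitions": parts,
        "valid_signature": img[MBR_SIG_OFF:SECTOR] == b"\x55\xaa",
    }


def check_mbr(img: bytes, baseline_bootcode_sha256: str) -> list:
    """Return findings as strings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(img)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


# Placeholder "known-good" boot code: cli; hlt. A real baseline is the hash of
# bytes 0..439 read from a clean system, not this stub.
GOOD_BOOTCODE = b"\xfa\xf4"
BASELINE = hashlib.sha256(GOOD_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()


def demo():
    """Check a clean image and a copy whose first bytes were overwritten with a jump."""
    clean = build_mbr(GOOD_BOOTCODE)
    tampered = bytearray(clean)
    tampered[0:4] = b"\xe9\x00\x01\x90"  # hypothetical hook: jmp into replaced code
    return check_mbr(clean, BASELINE), check_mbr(bytes(tampered), BASELINE)


if __name__ == "__main__":
    print(demo())
```

On a live Windows host the first sector is read from \\.\PhysicalDrive0 (an elevated prompt is required, which is also why the sandbox's Admin user could open it for modification); on Linux from the block device. Pass those 512 bytes to check_mbr together with the baseline hash recorded before the incident. On a UEFI/GPT system the MBR is only a protective MBR, so a clean result there says nothing about the EFI system partition.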

Kills process with taskkill

evasion
Description: N/A
Indicator:   N/A
Process:     C:\Windows\SysWOW64\taskkill.exe
Target:      N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Windows\SysWOW64\taskkill.exe
Target:      N/A

Suspicious use of WriteProcessMemory

Indicator: N/A for all rows. Each row is a process-creation edge in the tree below (the parent writes into the child it has just created, which CreateProcess does for every new process), so the signature fires once per spawned process; the sandbox recorded four write events per edge.

Description                        Process -> Target
PID 2936 wrote to memory of 2712   C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe -> C:\Windows\SysWOW64\cmd.exe (4 events)
PID 2712 wrote to memory of 2168   C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\taskkill.exe (4 events)
PID 2712 wrote to memory of 2572   C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe (4 events)

Processes

C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe

"C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /f /im "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe" &start "" "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe" &exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"

C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe

"4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"

Network

Country  Destination           Domain  Proto
CN       124.221.189.58:9001   (none)  tcp
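The process tree above shows the sample's relaunch: cmd.exe, spawned by the sample, runs taskkill /f /im against the sample's own image name and then start "" with the same name, and the new instance (PID 2572) is a child of that cmd.exe. The pattern is easy to hunt for in process-creation telemetry: a cmd.exe whose parent's image name appears both as the taskkill target and as the start target. The following detection is an added example, not code from the report; EVENTS is a constructed process-creation log in Sysmon Event ID 1 style that mirrors the tree in both runs, with "sample.exe" standing in for the hash-named executable, plus two benign rows that must not match.

```python
"""Flag a process that relaunches itself through cmd.exe + taskkill + start.

Added example (not part of the sandbox report). EVENTS is a constructed
process-creation log; "sample.exe" stands in for the report's hash-named file.
"""
import re

# taskkill [/f] /im "<name>"  and  start "" "<name>"  as they appear in a cmd line
TASKKILL_RE = re.compile(r'taskkill\s+(?:/f\s+)?/im\s+"?([^"\s&]+)"?', re.IGNORECASE)
START_RE = re.compile(r'\bstart\s+""\s+"?([^"\s&]+)"?', re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"

# Constructed events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 1234, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2936, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2712, "ppid": 2936, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /c taskkill /f /im "sample.exe" &start "" "sample.exe" &exit'},
    {"pid": 2168, "ppid": 2712, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": 'taskkill /f /im "sample.exe"'},
    {"pid": 2572, "ppid": 2712, "image": SAMPLE, "cmdline": '"sample.exe"'},
    # benign: an interactive shell killing notepad, nothing is restarted
    {"pid": 3000, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c taskkill /f /im notepad.exe"},
    # near miss: kill-and-start of a name that is not the parent's image
    {"pid": 3100, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c taskkill /f /im "updater.exe" &start "" "updater.exe" &exit'},
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def find_self_relaunch(events):
    """Return one hit per cmd.exe that kills and restarts its own parent's image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        pname = basename(parent["image"])
        killed = TASKKILL_RE.search(e["cmdline"])
        started = START_RE.search(e["cmdline"])
        if not (killed and started):
            continue
        # both the kill target and the start target must be the parent's own image name
        if killed.group(1).lower() != pname or started.group(1).lower() != pname:
            continue
        relaunched = [c["pid"] for c in events
                      if c["ppid"] == e["pid"] and basename(c["image"]) == pname]
        hits.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"], "image": pname,
                     "relaunched_pid": relaunched[0] if relaunched else None})
    return hits


if __name__ == "__main__":
    for hit in find_self_relaunch(EVENTS):
        print(hit)
```

The match is keyed on the parent's image name rather than on taskkill alone, because administrators and installers run taskkill /f /im constantly; the distinctive part of this sample's behaviour is that the target is its own process and the same file is started again from cmd.exe, which is exactly what the PIDs 2936 -> 2712 -> 2572 in the tree above show.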

Files

memory/2936-3-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2936-5-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2936-4-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2936-2-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2936-1-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2936-0-0x0000000000290000-0x0000000000291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32.lib

MD5 031ad1ecd93701d39265771942ec716c
SHA1 cb3ef507bf0e848894fbb96a29bfc94a0c302152
SHA256 9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba
SHA512 374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

memory/2572-11-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2572-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2572-13-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2572-12-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2572-10-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2572-15-0x0000000003990000-0x0000000003991000-memory.dmp

memory/2572-19-0x0000000003990000-0x0000000003991000-memory.dmp

memory/2572-18-0x0000000003990000-0x0000000003991000-memory.dmp

memory/2572-17-0x0000000003990000-0x0000000003991000-memory.dmp

memory/2572-16-0x0000000003990000-0x0000000003991000-memory.dmp

memory/2572-20-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2572-21-0x0000000003990000-0x0000000003991000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 07:13

Reported

2024-05-26 07:16

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator:   \??\PhysicalDrive0
Process:     C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
Target:      N/A

Kills process with taskkill

evasion
Description: N/A
Indicator:   N/A
Process:     C:\Windows\SysWOW64\taskkill.exe
Target:      N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Windows\SysWOW64\taskkill.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe

"C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /f /im "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe" &start "" "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe" &exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"

C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe

"4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53             232.168.11.51.in-addr.arpa      udp
CN       124.221.189.58:9001    (none)                          tcp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53             17.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53             g.bing.com                      udp
US       204.79.197.237:443     g.bing.com                      tcp
BE       88.221.83.224:443      www.bing.com                    tcp
US       8.8.8.8:53             237.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53             224.83.221.88.in-addr.arpa      udp
BE       88.221.83.224:443      www.bing.com                    tcp
US       8.8.8.8:53             104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53             26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53             18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53             82.90.14.23.in-addr.arpa        udp
US       8.8.8.8:53             205.47.74.20.in-addr.arpa       udp
US       8.8.8.8:53             43.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53             tse1.mm.bing.net                udp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       8.8.8.8:53             200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53             194.98.74.40.in-addr.arpa       udp
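Most of the Windows 10 rows are not the sample's doing: the in-addr.arpa queries are reverse lookups of contacted addresses, and the bing.com and bing.net traffic is Windows 10 background activity. A practical way to separate candidate command-and-control endpoints from that noise is to intersect the network indicators of the two detonations after dropping known-noise domains, which leaves 124.221.189.58:9001 as the only endpoint seen in both runs, and seen without any domain beside it. The script below is an added example, not code from the report or the sandbox; the two tables it parses are copied from this page's Network sections (the Windows 10 list shortened to one row per distinct destination), and the noise suffix list is an assumption for this report, not a general allow-list.

```python
"""Intersect network indicators across two sandbox runs, minus sandbox/OS noise.

Added example (not part of the report). The tables are copied from the
report's Network sections, in the original "Country Destination [Domain] Proto"
layout; the Windows 10 table is shortened to one row per distinct destination.
"""

RUN_WIN7 = """
CN 124.221.189.58:9001 tcp
"""

RUN_WIN10 = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CN 124.221.189.58:9001 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.224:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumed noise for this report: reverse lookups and Windows 10 Bing traffic.
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_network(table: str):
    """Parse the report's network rows; a 3-token row has no domain column."""
    rows = []
    for line in table.strip().splitlines():
        tok = line.split()
        if len(tok) == 4:
            country, dest, domain, proto = tok
        elif len(tok) == 3:
            country, dest, proto = tok
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_sandbox_noise(row) -> bool:
    """True for rows whose domain is reverse-DNS or OS background traffic."""
    d = (row["domain"] or "").lower()
    return d.endswith(NOISE_DOMAIN_SUFFIXES)


def indicator_key(row) -> str:
    """DNS queries are keyed by the name asked for; everything else by proto:ip:port."""
    if row["proto"] == "udp" and row["port"] == 53 and row["domain"]:
        return "dns:" + row["domain"].lower()
    return f'{row["proto"]}:{row["ip"]}:{row["port"]}'


def triage(*tables):
    """Return indicators common to all runs and those seen in only some runs, noise removed."""
    per_run = [{indicator_key(r) for r in parse_network(t) if not is_sandbox_noise(r)}
               for t in tables]
    common = set.intersection(*per_run)
    single = set.union(*per_run) - common
    return {"common": sorted(common), "single_run": sorted(single)}


if __name__ == "__main__":
    print(triage(RUN_WIN7, RUN_WIN10))
```

Two caveats when turning the result into indicators: 8.8.8.8 is the sandbox's upstream resolver and must not be shipped as an IOC, and an endpoint that appears with no domain in either run means the address was not obtained by a forward DNS lookup the sandbox could see, so blocking a domain will not cut this connection; the IP and port pair is the thing to block and to pivot on.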

Files

memory/4144-2-0x0000000002810000-0x0000000002811000-memory.dmp

memory/4144-7-0x0000000002810000-0x0000000002811000-memory.dmp

memory/4144-5-0x0000000002810000-0x0000000002811000-memory.dmp

memory/4144-4-0x0000000002810000-0x0000000002811000-memory.dmp

memory/4144-3-0x0000000002810000-0x0000000002811000-memory.dmp

memory/4144-6-0x0000000002810000-0x0000000002811000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32.lib

MD5 031ad1ecd93701d39265771942ec716c
SHA1 cb3ef507bf0e848894fbb96a29bfc94a0c302152
SHA256 9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba
SHA512 374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

memory/2164-14-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/2164-13-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/2164-12-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/2164-10-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/2164-11-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/2164-16-0x00000000039E0000-0x00000000039E1000-memory.dmp

memory/2164-17-0x00000000039E0000-0x00000000039E1000-memory.dmp

memory/2164-15-0x00000000039E0000-0x00000000039E1000-memory.dmp

memory/2164-18-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/2164-21-0x00000000039E0000-0x00000000039E1000-memory.dmp

memory/2164-22-0x00000000039E0000-0x00000000039E1000-memory.dmp

memory/2164-20-0x00000000039E0000-0x00000000039E1000-memory.dmp

memory/2164-19-0x00000000039E0000-0x00000000039E1000-memory.dmp

memory/2164-23-0x0000000003A20000-0x0000000003A21000-memory.dmp