Malware Analysis Report

2025-06-16 03:39

Sample ID: 240526-kbyz5sdb62
Target: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918
SHA256: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918
Tags: bootkit, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10
SHA256: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918
Threat level: shows suspicious behavior

Verdict: the file 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918 was classified as showing suspicious behavior (score 7/10). The sandbox did not attribute the sample to a known family; the bootkit and persistence tags come from the raw-disk write observed in both behavioral runs.

Malicious Activity Summary

bootkit persistence
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Unsigned PE
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

The summary aggregates every run. Two of its entries, "Loads dropped DLL" and "Suspicious use of SetWindowsHookEx", have no matching row in the per-run signature tables below. The only dropped file recorded in either run is C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32.lib, which is therefore the most likely subject of the "Loads dropped DLL" entry.

MITRE ATT&CK (Enterprise Matrix V15)

The behavior behind the bootkit and persistence tags, a write handle to the raw boot disk, maps to Pre-OS Boot: Bootkit (T1542.003).

Analysis: static1

Detonation Overview

Reported

2024-05-26 08:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

(Static signature only: the PE carries no Authenticode signature, and no indicator rows are attached to it.)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 08:26
Reported: 2024-05-26 08:28
Platform: win7-20240419-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
Target: N/A

What the signature records is a handle to the raw disk device \??\PhysicalDrive0 opened with write access by the sample process. The report does not capture the bytes written, so this proves intent to write beneath the file system, not the exact change made to sector 0. Confirming an MBR overwrite requires comparing a copy of the first sector taken before detonation with one taken afterwards.
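As an added example, not part of the sandbox report, the following Python performs that check: it reads sector 0, validates the 0x55AA boot signature, decodes the four partition entries, and diffs the boot code, disk signature and partition table against a baseline copy. read_sector0 is the only part that touches a real disk and assumes Windows with an elevated prompt; the BASELINE and INFECTED sectors are constructed for the example and are not data from the analysed sample.

```python
"""Sector-0 (MBR) integrity check: parse, then diff against a baseline.

Added example, not from the sandbox report. read_sector0() requires
Windows plus administrator rights; everything else works on any
512-byte buffer, such as dumps taken before and after detonation.
BASELINE and INFECTED are constructed sectors, not sample data.
"""
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xAA"        # bytes 510-511 of a valid MBR
TABLE_OFF = 446               # four 16-byte partition entries start here


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw disk (Windows only, needs admin)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Validate the boot signature and decode the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        status, type_id = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if type_id == 0:          # empty slot
            continue
        parts.append(Partition(status == 0x80, type_id, lba_start, count))
    return parts


def mbr_diff(baseline, current):
    """Return the MBR regions that changed between two snapshots."""
    findings = []
    if baseline[:440] != current[:440]:
        findings.append("boot code modified")
    if baseline[440:444] != current[440:444]:
        findings.append("disk signature changed")
    if baseline[TABLE_OFF:510] != current[TABLE_OFF:510]:
        findings.append("partition table modified")
    if current[510:512] != BOOT_SIG:
        findings.append("boot signature missing")
    return findings


def make_sector(boot_code, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a synthetic 512-byte MBR (test data only)."""
    code = boot_code.ljust(440, b"\x00")[:440]
    table = b"".join(
        bytes([0x80 if p.bootable else 0x00, 0, 0, 0, p.type_id, 0, 0, 0])
        + struct.pack("<II", p.lba_start, p.sector_count)
        for p in partitions
    ).ljust(64, b"\x00")
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIG


# Constructed: a minimal clean MBR with one bootable NTFS partition ...
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40
NTFS = Partition(bootable=True, type_id=0x07, lba_start=2048, sector_count=204800)
BASELINE = make_sector(CLEAN_CODE, [NTFS])
# ... and the same disk after its boot code was replaced (table untouched).
INFECTED = make_sector(b"\xEB\xFE" + b"\x00" * 20, [NTFS])


def check_disk(baseline, current=None):
    """Compare a stored baseline with live sector 0 (or a supplied dump)."""
    if current is None:
        current = read_sector0()
    return {"partitions": parse_mbr(current), "changes": mbr_diff(baseline, current)}


if __name__ == "__main__":
    print(check_disk(BASELINE, INFECTED))
```

Take the baseline from a clean snapshot of the analysis VM (or from the vendor image) and run check_disk against the post-detonation disk; an unchanged partition table with modified boot code is the classic MBR bootkit footprint, while a missing boot signature points to a wiper rather than a bootkit.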

Kills process with taskkill

evasion
Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\taskkill.exe
Target: N/A

The image name passed to taskkill (see the process list below) is the sample's own file name: the sample spawns cmd.exe to forcibly terminate every running instance of itself and then start a fresh copy. The effect is a self-relaunch whose new instance has cmd.exe, not the original sample, as its parent.

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\SysWOW64\taskkill.exe
Target: N/A

The process column shows that SeDebugPrivilege is enabled by taskkill.exe itself, a normal step of a forced (/f) kill, not by the sample adjusting its own token.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2492 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2616 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2492 wrote to memory of 2608 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

Every write goes from a process to a child it has just created (sample 2128 to cmd.exe 2492; cmd.exe 2492 to taskkill.exe 2616 and to the relaunched sample 2608). That is the pattern process creation produces, not injection into an unrelated process.
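The parent-child writes above, together with the command lines listed under Processes for this run, are enough to detect the relaunch trick generically. The following Python is an added example, not part of the report: it takes process-creation records of the kind a Sysmon Event ID 1 feed provides (PID, parent PID, image, command line), rebuilds the tree, and flags a cmd.exe child whose command line force-kills its parent's own image name and starts it again. The EVENTS list is constructed to mirror the PIDs and command lines of this run; the parent PID 1234 of the first sample instance is an assumption, since the report does not show it.

```python
"""Detect the "cmd /c taskkill /f /im <self> & start <self>" relaunch pattern.

Added example, not part of the sandbox report. Input records mimic
Sysmon Event ID 1 (process create) fields. EVENTS is constructed from
the PIDs and command lines shown in the behavioral1 run; the parent
PID 1234 of the first sample instance is an assumption.
"""
import ntpath
import re

TASKKILL_IM = re.compile(r'taskkill\s+(?:/\S+\s+)*?/im\s+"?([^"\s]+)"?', re.I)
START_CMD = re.compile(r'(?:^|[\s&])start\b', re.I)

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe")
NAME = ntpath.basename(SAMPLE)

# Constructed from the report's process list and WriteProcessMemory rows.
EVENTS = [
    {"pid": 2128, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2492, "ppid": 2128, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c taskkill /f /im "{NAME}" &start "" "{NAME}" &exit'},
    {"pid": 2616, "ppid": 2492, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": f'taskkill /f /im "{NAME}"'},
    {"pid": 2608, "ppid": 2492, "image": SAMPLE, "cmdline": f'"{NAME}"'},
]


def image_name(path):
    """Case-folded file name of a Windows image path."""
    return ntpath.basename(path).lower()


def detect_self_relaunch(events):
    """Return one finding per cmd.exe that kills and restarts its parent's image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if image_name(ev["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            continue
        m = TASKKILL_IM.search(ev["cmdline"])
        if not m or not START_CMD.search(ev["cmdline"]):
            continue
        killed = m.group(1).lower()
        if killed != image_name(parent["image"]):
            continue                      # kills something else: not a self-relaunch
        relaunched = [c["pid"] for c in events
                      if c["ppid"] == ev["pid"] and image_name(c["image"]) == killed]
        findings.append({
            "original_pid": parent["pid"],
            "cmd_pid": ev["pid"],
            "image": killed,
            "relaunched_pids": relaunched,
            # the new instance now descends from cmd.exe, not from the original sample
            "lineage_broken": bool(relaunched),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_self_relaunch(EVENTS):
        print(finding)
```

The check keys on the parent image rather than on taskkill alone, so ordinary administrative use of taskkill against other processes is not flagged. In a real pipeline the relaunched PID is the one to follow: it carries on after the original process is gone, and tooling that tracks only descendants of the initial sample loses it.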

Processes

C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

"C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &start "" "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"

C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

"33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"

Reading the chain: the sample (PID 2128) runs cmd.exe (2492), which kills every process with the sample's image name, including 2128, and then starts a new copy (2608) by bare file name, resolved against cmd.exe's working directory, the Temp folder. Every helper binary comes from SysWOW64, so the sample is a 32-bit executable running under WOW64 on a 64-bit guest.

Network

Country Destination Domain Proto
CN 124.221.189.58:9001 tcp

The sample connects directly to 124.221.189.58 on TCP port 9001 with no preceding DNS query, so the address is hard-coded rather than resolved at run time. The same endpoint appears in the Windows 10 run below.

Files

memory/2128-0, 2128-9: 0x00400000-0x00A31000 (main image region of the first instance, 0x631000 bytes)
memory/2128-3 through 2128-8: 0x00250000-0x00251000 (one page, six successive dumps)

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32.lib
MD5 031ad1ecd93701d39265771942ec716c
SHA1 cb3ef507bf0e848894fbb96a29bfc94a0c302152
SHA256 9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba
SHA512 374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

memory/2608-11, 2608-24: 0x00400000-0x00A31000 (main image region of the relaunched instance)
memory/2608-13 through 2608-18, 2608-25: 0x003C0000-0x003C1000
memory/2608-19 through 2608-23, 2608-26: 0x039A0000-0x039A1000

The dropped ExuiKrnln_Win32.lib lands in the same Temp folder as the sample and has identical hashes in both runs; as the only dropped file in the report it is the most likely module behind the "Loads dropped DLL" summary entry, the .lib extension notwithstanding. The name is consistent with the kernel library of the Exui UI framework used by Easy Programming Language (易语言) applications, which unpack their runtime to %TEMP% at start-up; that attribution rests on the file name alone and is not confirmed by anything else in the report.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 08:26
Reported: 2024-05-26 08:28
Platform: win10v2004-20240508-en
Max time kernel: 133s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
Target: N/A

Kills process with taskkill

evasion
Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\taskkill.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\SysWOW64\taskkill.exe
Target: N/A

The same three behavioral signatures fire on Windows 10 as on Windows 7, with the same raw-disk open and the same taskkill relaunch. Only the WriteProcessMemory rows are absent from this run, although the process list below shows the identical parent-child chain.

Processes

C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

"C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &start "" "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"

C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

"33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:8

The msedge.exe utility process has no recorded link to the sample's process chain and is consistent with background activity of the Windows 10 guest image captured during the run window.

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
CN 124.221.189.58:9001 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Most of this table is guest background traffic: reverse (in-addr.arpa) lookups sent to 8.8.8.8, largely for Microsoft cloud and CDN address space, and TLS connections to tse1.mm.bing.net (204.79.197.200:443), consistent with OS and browser activity on the Windows 10 image. The one row that recurs in both detonations and has no such explanation is the TCP connection to 124.221.189.58:9001, the only sample-attributable network indicator in the report.
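Separating that one indicator from the noise is routine enough to script. The following Python is an added example, not part of the report: it parses the flattened "Country Destination Domain Proto" rows of both detonations, discards traffic explained by guest background activity, and keeps only endpoints that recur across runs. The noise rules (reverse-DNS lookups to the resolver and a short allow-list of Microsoft service domains) are assumptions of this example; the rows themselves are copied from the two network tables above.

```python
"""Cross-run triage of sandbox network tables.

Added example, not part of the sandbox report. Parses the flattened
"Country Destination Domain Proto" rows of both detonations, drops
traffic explained by guest background activity, and keeps endpoints
that recur across runs. The noise rules (reverse-DNS lookups sent to
the resolver, and the BACKGROUND_DOMAINS allow-list) are assumptions.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "country dest domain proto")

# Rows copied from the behavioral1 and behavioral2 network tables.
BEHAVIORAL1 = """\
CN 124.221.189.58:9001 tcp
"""
BEHAVIORAL2 = """\
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
CN 124.221.189.58:9001 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8:53"
# Assumed allow-list of domains the guest image talks to on its own.
BACKGROUND_DOMAINS = ("bing.net", "microsoft.com", "windowsupdate.com")


def parse_rows(text):
    """Turn the flattened table into Flow records; the domain column is optional."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                 # direct-to-IP connection, no domain
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                        # header or blank line
        flows.append(Flow(country, dest, domain, proto))
    return flows


def is_background(flow):
    """Reverse lookups to the resolver, or traffic to allow-listed domains."""
    if flow.dest == RESOLVER and flow.domain.endswith(".in-addr.arpa"):
        return True
    return any(flow.domain == d or flow.domain.endswith("." + d)
               for d in BACKGROUND_DOMAINS)


def endpoint(flow):
    return f"{flow.dest}/{flow.proto}"


def sample_indicators(*runs):
    """Endpoints that are not background noise and appear in every run."""
    per_run = [{endpoint(f) for f in parse_rows(r) if not is_background(f)}
               for r in runs]
    return set.intersection(*per_run) if per_run else set()


def unresolved_ips(text):
    """Direct-to-IP connections with no domain: candidates for hard-coded C2."""
    return sorted({f.dest for f in parse_rows(text)
                   if f.domain == "" and f.dest != RESOLVER})


if __name__ == "__main__":
    print(sample_indicators(BEHAVIORAL1, BEHAVIORAL2))
    print(unresolved_ips(BEHAVIORAL2))
```

Requiring an endpoint to recur across runs on different OS images is what makes the result robust: noise differs between the Windows 7 and Windows 10 guests, while a hard-coded address does not.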

Files

memory/4972-0, 4972-7: 0x00400000-0x00A31000 (main image region of the first instance)
memory/4972-3 through 4972-6: 0x028C0000-0x028C1000

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32.lib
MD5 031ad1ecd93701d39265771942ec716c
SHA1 cb3ef507bf0e848894fbb96a29bfc94a0c302152
SHA256 9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba
SHA512 374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

memory/4440-8, 4440-17: 0x00400000-0x00A31000 (main image region of the relaunched instance)
memory/4440-11 through 4440-16, 4440-18: 0x02870000-0x02871000
memory/4440-19: 0x03920000-0x03921000

The dropped ExuiKrnln_Win32.lib is byte-identical to the copy from the Windows 7 run (same MD5, SHA1, SHA256 and SHA512), and the main image region of both sample instances spans the same 0x00400000-0x00A31000 range as on Windows 7.