Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-lh1b8adg3v
Target 75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d
SHA256 75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d
Tags
upx bootkit persistence
score
7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview, Signatures
  Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
7/10

SHA256

75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d

Threat level: shows suspicious behavior.

The file 75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d was classified as showing suspicious behavior (score 7/10). The signatures behind that verdict are listed in the summary below and detailed per detonation further down.

Malicious Activity Summary

upx bootkit persistence

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-26 09:32

Signatures

UPX packed file (tag: upx): no indicator, process or target recorded.

Unsigned PE (no Authenticode signature attached): no indicator, process or target recorded.
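The two static1 hits above (UPX packing and a missing Authenticode signature) are worth reproducing locally before detonating anything. The Python below is an added example, not tooling from the sandbox that produced this report: it walks the PE section table, looks for the UPX0/UPX1 section names and the UPX! tag the stub leaves in the file, measures per-section Shannon entropy, and reports whether the security data directory (where an Authenticode blob would be attached) is populated. build_pe() and the two sample images are constructed stand-ins so the code runs offline; for a real sample, read the file and pass its bytes to pe_indicators().

```python
"""Static triage for the static1 hits: UPX packing and a missing Authenticode signature.

Added example (not tooling from the sandbox that produced this report).
build_pe() fabricates a minimal PE32 image so the checks run offline; for a real
sample, read the file and pass its bytes straight to pe_indicators().
"""
import math
import random
import struct
from collections import Counter

FILE_ALIGN = 0x200
SECURITY_DIR = 4        # IMAGE_DIRECTORY_ENTRY_SECURITY: where Authenticode data hangs
HIGH_ENTROPY = 7.0      # bits per byte; compressed or encrypted sections sit close to 8


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def build_pe(sections, signed=False) -> bytes:
    """Constructed PE32 with the given (name, raw_bytes) sections; only the
    header fields that pe_indicators() reads are filled in."""
    n, opt_size = len(sections), 224                       # PE32 optional header, 16 data dirs
    hdr_len = -(-(64 + 4 + 20 + opt_size + 40 * n) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: "PE\0\0" at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 60, hdr_len)               # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    sec_hdrs, body, raw_ptr, rva = b"", b"", hdr_len, 0x1000
    for name, raw in sections:
        raw_len = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(raw), rva, raw_len, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_len, b"\0")
        raw_ptr += raw_len
        rva += max(raw_len, 0x1000)
    if signed:
        # The security directory holds a file offset to a WIN_CERTIFICATE blob; a non-zero
        # entry is all this check looks at, so no certificate is fabricated here.
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, raw_ptr, 0x1000)
    header = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_len, b"\0")
    return bytes(header + body)


def pe_indicators(data: bytes) -> dict:
    """Walk the section table and data directories; return packer/signature indicators."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)     # PE32 vs PE32+
    sec_ptr, sec_size = struct.unpack_from("<II", data, dir_off + 8 * SECURITY_DIR)
    sections = []
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    upx_names = any(s["name"].startswith("UPX") for s in sections)
    high = [s["name"] for s in sections if s["entropy"] > HIGH_ENTROPY]
    return {
        "sections": sections,
        "upx_section_names": upx_names,
        "upx_marker": b"UPX!" in data,                 # 4-byte tag the UPX stub leaves in the file
        "high_entropy_sections": high,
        # Populated only says a signature blob is attached; whether it verifies is a
        # separate WinVerifyTrust / signtool step.
        "authenticode_present": sec_ptr != 0 and sec_size != 0,
        "likely_packed": upx_names or bool(high),
    }


# Constructed samples: a UPX-style layout (empty UPX0, dense UPX1 carrying the tag)
# and a plain unpacked image with a security directory entry.
_rng = random.Random(7)
PACKED_SAMPLE = build_pe([("UPX0", b""),
                          ("UPX1", bytes(_rng.randrange(256) for _ in range(4096)) + b"UPX!"),
                          (".rsrc", b"\0" * 512)])
PLAIN_SAMPLE = build_pe([(".text", b"\x90" * 2048), (".data", b"A" * 512)], signed=True)
```

Run `pe_indicators(open(path, "rb").read())` on the sample; `pe_indicators(PACKED_SAMPLE)` exercises the constructed UPX layout. Two caveats: a populated security directory is not a valid signature (verification of the chain and file hash is a separate `signtool verify` or WinVerifyTrust step), and UPX section names are trivially renamed, so the UPX! tag and section entropy are the more robust of the three indicators; `upx -d` only unpacks unmodified stubs.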

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 09:32
Reported: 2024-05-26 09:35
Platform: win7-20240419-en
Max time kernel: 143s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe"

Signatures

Executes dropped EXE

Process: C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

UPX packed file (tag: upx): 34 matching rows, none with indicator, process or target detail.

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Process: C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

Suspicious use of SendNotifyMessage

Process: C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

"C:\Users\Admin\AppData\Local\Temp\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe"

C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

"C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe"

Network

Country  Destination           Domain        Proto
CN       203.107.1.33:80       -             tcp
US       8.8.8.8:53            api.cps5.com  udp
CN       106.55.172.132:9000   api.cps5.com  tcp
US       8.8.8.8:53            up.cps5.com   udp
FR       128.1.77.226:80       up.cps5.com   tcp
CN       203.107.1.34:80       -             tcp
CN       203.107.1.65:80       -             tcp
CN       1.116.117.217:9000    -             tcp

(- : no domain recorded; the sandbox saw a connection to a bare IP address.)

Files

memory/1936-0-0x0000000000400000-0x0000000000D2F000-memory.dmp

\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

MD5 50c266e46ccf9bc8956279f78d51f205
SHA1 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839
SHA256 c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00
SHA512 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37

\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

MD5 4bf2e67583e9436eb0281657f8c512d6
SHA1 d4b95b0237bbea566599a08871780f0876840137
SHA256 75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d
SHA512 0514e851fde655d686ed73e8c9776713550abece4a592f0c8ecfb5d8b0fea46f4005856fbaadf752eaf94974b3cf090760f6b159e953d4b654ebe4ccd61d0d4e

memory/2148-12-0x0000000000400000-0x0000000000D2F000-memory.dmp

memory/1936-10-0x0000000007E00000-0x000000000872F000-memory.dmp

memory/1936-17-0x0000000000400000-0x0000000000D2F000-memory.dmp

memory/2148-18-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-20-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-22-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-21-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-52-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-62-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-65-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-60-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-58-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-56-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-54-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-51-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-48-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-64-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-29-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-46-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-23-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2148-66-0x00000000756AF000-0x00000000756B0000-memory.dmp

memory/2148-71-0x00000000072D0000-0x00000000072E0000-memory.dmp

memory/2148-72-0x0000000000400000-0x0000000000D2F000-memory.dmp

memory/2148-74-0x00000000756AF000-0x00000000756B0000-memory.dmp

memory/2148-75-0x00000000072D0000-0x00000000072E0000-memory.dmp

memory/2148-78-0x0000000000400000-0x0000000000D2F000-memory.dmp

memory/2148-81-0x0000000000400000-0x0000000000D2F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 09:32
Reported: 2024-05-26 09:35
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

Executes dropped EXE

Process: C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

UPX packed file (tag: upx): 31 matching rows, none with indicator, process or target detail.

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe
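In both detonations (behavioral1 and behavioral2) the dropped copy under C:\kaidisoft\bilibilivideo\ opens \??\PhysicalDrive0 for modification, which is what earns the bootkit and persistence tags: sector 0 of the disk holds the bootstrap code that runs before Windows, so anything written there survives reinstalling the dropped files. The Python below is an added example, not code from the report or from the sample, showing how to parse an MBR and compare its bootstrap code against a known-good hash. CLEAN_MBR and TAMPERED_MBR are constructed stand-ins; the tampered one keeps the partition table intact so the host still boots, which is the pattern a bootkit follows. read_mbr() reads the real sector 0 and needs administrator rights.

```python
"""MBR integrity check for the \\??\\PhysicalDrive0 write seen in behavioral1/behavioral2.

Added example, not code from the report or the sample. CLEAN_MBR and TAMPERED_MBR are
constructed sectors; a real baseline hash comes from a known-good image of the host.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code; 440..443: disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511


def build_mbr(boot_code: bytes, partitions, disk_signature=0x1234ABCD) -> bytes:
    """Constructed sector. partitions: iterable of (bootable, type, lba_start, sectors)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("bootstrap code must fit in 440 bytes")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:                                          # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk (Windows, run as administrator; /dev/sda on Linux)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR)


# Constructed stand-ins. The clean stub opens like a Windows MBR (xor ax,ax; mov ss,ax;
# mov sp,7C00h; sti); the tampered one starts with a far jump to attacker code instead,
# but carries the same partition table so the machine still boots.
NTFS_SYSTEM_PARTITION = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 24, NTFS_SYSTEM_PARTITION)
TAMPERED_MBR = build_mbr(b"\xEA\x00\x7E\x00\x00" + b"\x90" * 27, NTFS_SYSTEM_PARTITION)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
```

Usage: `check_mbr(read_mbr(), BASELINE_SHA256)` on the host, with the baseline taken from a trusted image of the same build or from a second identical machine. Read the disk from a clean boot medium rather than from the running system, since a bootkit that hooks disk I/O can hand the original sector back to readers. For detection, Sysmon event ID 9 (RawAccessRead) records raw `\\.\` access to drives, and a user-mode process opening PhysicalDrive0 for modification is rare enough outside disk utilities to alert on directly.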

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Process: C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

Suspicious use of SendNotifyMessage

Process: C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

"C:\Users\Admin\AppData\Local\Temp\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe"

C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

"C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe"

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53            133.211.185.52.in-addr.arpa     udp
US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53            104.219.191.52.in-addr.arpa     udp
BE       2.17.196.91:443       www.bing.com                    tcp
US       8.8.8.8:53            91.196.17.2.in-addr.arpa        udp
CN       203.107.1.33:80       -                               tcp
US       8.8.8.8:53            api.cps5.com                    udp
CN       106.55.172.132:9000   api.cps5.com                    tcp
US       8.8.8.8:53            up.cps5.com                     udp
FR       128.1.77.226:80       up.cps5.com                     tcp
US       8.8.8.8:53            226.77.1.128.in-addr.arpa       udp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa       udp
CN       203.107.1.34:80       -                               tcp
US       8.8.8.8:53            183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa      udp
CN       203.107.1.65:80       -                               tcp
US       8.8.8.8:53            57.169.31.20.in-addr.arpa       udp
CN       1.116.117.217:9000    -                               tcp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa        udp
US       8.8.8.8:53            tse1.mm.bing.net                udp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa       udp

(- : no domain recorded; the sandbox saw a connection to a bare IP address.)

Files

memory/3384-0-0x0000000000400000-0x0000000000D2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

MD5 50c266e46ccf9bc8956279f78d51f205
SHA1 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839
SHA256 c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00
SHA512 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37

C:\kaidisoft\bilibilivideo\75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d.exe

MD5 4bf2e67583e9436eb0281657f8c512d6
SHA1 d4b95b0237bbea566599a08871780f0876840137
SHA256 75180f8b9b6b3e79a9ef09a9fba5c4b7125ac8e1c9994d41430cbd9fcad8264d
SHA512 0514e851fde655d686ed73e8c9776713550abece4a592f0c8ecfb5d8b0fea46f4005856fbaadf752eaf94974b3cf090760f6b159e953d4b654ebe4ccd61d0d4e

memory/3384-20-0x0000000000400000-0x0000000000D2F000-memory.dmp

memory/4972-21-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-67-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-64-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-62-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-61-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-58-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-56-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-54-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-50-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-48-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-46-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-44-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-40-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-34-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-32-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-30-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-28-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-26-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-25-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-24-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-52-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-36-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-23-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-68-0x0000000076D13000-0x0000000076D14000-memory.dmp

memory/4972-72-0x0000000000400000-0x0000000000D2F000-memory.dmp

memory/4972-74-0x0000000010000000-0x000000001003E000-memory.dmp

memory/4972-75-0x0000000076D13000-0x0000000076D14000-memory.dmp

memory/4972-81-0x0000000000400000-0x0000000000D2F000-memory.dmp