Malware Analysis Report

2025-01-06 10:34

Sample ID 240601-ebd23sgg7v
Target d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e
SHA256 d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e
Tags
evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e

Threat Level: Known bad

The file d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e was found to be: Known bad.

Malicious Activity Summary

evasion

Detects Windows executables referencing non-Windows User-Agents

Sets file to hidden

Checks computer location settings

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:45

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 03:48

Platform

win7-20240508-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe"

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\zskhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\zskhost.exe C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe N/A
File opened for modification C:\Windows\Debug\zskhost.exe C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe N/A
File opened for modification C:\Windows\Debug\zskhost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe

"C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\zskhost.exe

C:\Windows\Debug\zskhost.exe

C:\Windows\Debug\zskhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D60771~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 n1852qXMu.nnnn.eu.org udp
US 8.8.8.8:53 NMjKq0Kf68.nnnn.eu.org udp
US 8.8.8.8:53 x3uV7ToHqM.nnnn.eu.org udp
US 8.8.8.8:53 XjbORHOZ4.nnnn.eu.org udp
US 8.8.8.8:53 7PIMPlWJI.nnnn.eu.org udp

Files

C:\Windows\Debug\zskhost.exe

MD5 66d625fd9cc1b04f67b23a687c810c9a
SHA1 1ead9491d97c314873f73309bbdd4d3f51b2efdd
SHA256 67a92b8b72836db1cd67cb80a339723742b867e4de3933ec9d875284f185b7df
SHA512 9fb77b2ff6981f543321d158e2a826b6ba13307e1335c19f9a5512b713398e2bf8fc3756560b28b343ea0d2c6128d70606a7bdf8d1e51e7556dc6e8f2fbe3b2a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:45

Reported

2024-06-01 03:48

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe"

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\kqchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\kqchost.exe C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe N/A
File opened for modification C:\Windows\Debug\kqchost.exe C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe N/A
File opened for modification C:\Windows\Debug\kqchost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe

"C:\Users\Admin\AppData\Local\Temp\d6077160070968e0b35f9bd91cf42f3c76df11003923b9446d8b87d2131eb84e.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\kqchost.exe

C:\Windows\Debug\kqchost.exe

C:\Windows\Debug\kqchost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D60771~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 ttmLIhF7T6.nnnn.eu.org udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 Ww58w0v1Xe.nnnn.eu.org udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 6cmJhyP9Gs.nnnn.eu.org udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 gIxVySsl06.nnnn.eu.org udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 GyegjPMsEo.nnnn.eu.org udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Windows\Debug\kqchost.exe

MD5 1fc202b589061a03d81b9186f22667ed
SHA1 a12664b8894614e32f3b778373962f107d54c5b7
SHA256 d01f3b740ff2ae2325629ce9b967ad4bb8912bad13fc938d20e412f31d54730c
SHA512 4b8a9c719437cb0557c41ced63797e71f0abd090d6ef2ac4abfdea9df2bb708e9af7bcf0ffe9ce63b76740589fc24e3563553fea686c320b080e858ae8fc28db