Malware Analysis Report

2025-01-03 09:35

Sample ID 240604-pn6yqsga4x
Target 2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia
SHA256 ac94e16a789a3d82cacb85f06c344f6caf6c6cc41f345898a059640f417c0754
Tags bootkit persistence upx
Score 9/10

Analysis Overview

Score 9/10

SHA256 ac94e16a789a3d82cacb85f06c344f6caf6c6cc41f345898a059640f417c0754

Threat Level: Likely malicious

The file 2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia was found to be: Likely malicious.

Malicious Activity Summary

Tags bootkit persistence upx

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer start page

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-04 12:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-04 12:29
Reported 2024-06-04 12:32
Platform win7-20240221-en
Max time kernel 117s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe | N/A

UPX packed file

Tags upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

Tags bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\User Data\Default\Preferences | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\User Data\Default\Web Data | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Modifies Internet Explorer settings

Tags adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\DisplayName = "v9" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\URL = "http://search.v9.com/web/?q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.v9.com/?utm_source=b&utm_medium=ismh&from=ismh&uid=DADY_HARDDISK_QM00013&ts=1717504180" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.v9.com/?utm_source=b&utm_medium=ismh&from=ismh&uid=DADY_HARDDISK_QM00013&ts=1717504180" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://search.v9.com/web/?q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Modifies Internet Explorer start page

Tags stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.v9.com/?utm_source=b&utm_medium=ismh&from=ismh&uid=DADY_HARDDISK_QM00013&ts=1717504180" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.v9.com/?utm_source=b&utm_medium=ismh&from=ismh&uid=DADY_HARDDISK_QM00013&ts=1717504180" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe

C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe -oem=ismh -app=v9hp -flag=3 -nation=br

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\hfblddeldir.bat (null)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | static.v9.com | udp
US | 174.36.247.78:80 | static.v9.com | tcp
US | 8.8.8.8:53 | xa.xingcloud.com | udp
US | 174.36.247.78:80 | static.v9.com | tcp
US | 174.36.247.78:80 | static.v9.com | tcp

Files

\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe

MD5 9a2f642a99c19b2d7ee60109c7de1b81
SHA1 8543ffe5e79516d110526fd305dbeacf04b041cb
SHA256 c07330c686767287b1d490f5c44d2b0265790860b32f1889d16d60c06d15f111
SHA512 1a0eeea8f17d19e81bd331ce324361520339fe75d6110e664fffe7fa654a4f091bb0377e9344f90310e4c85ca37c1dc01022e18d95aee72f60c204bb38099241

memory/2212-5-0x0000000002190000-0x00000000023ED000-memory.dmp

memory/2428-8-0x0000000000F70000-0x00000000011CD000-memory.dmp

memory/2428-10-0x0000000000F70000-0x00000000011CD000-memory.dmp

memory/2428-12-0x0000000000F70000-0x00000000011CD000-memory.dmp

memory/2428-14-0x0000000000F70000-0x00000000011CD000-memory.dmp

memory/2428-17-0x0000000000F70000-0x00000000011CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hfblddeldir.bat

MD5 253c6de75a58b886dcff8e928b1c874c
SHA1 3a268b6ae30025368b044e2c9c77fbb45273e276
SHA256 b273345ac98c356321209a94dc905ebc7994069addc65f373924db97b5be45f3
SHA512 bcaac00a98c272ed6f0fc24518659128b3c808d2939ec23d5f42a22ca0db28c4ea5bc287386e8e4e10b138ac4689e1361afc3563271304ec1119458bc3c313f7

C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9db.con

MD5 ba76dbee9e8861874a392edcec9b3fa6
SHA1 f288f5f5579c7d55e7168ea41910fea32be8475a
SHA256 ef9f360ea2fb8335e26b984986f785023024247299224c9f733ec8bdefcd2f40
SHA512 6a430fc2482aacffd7258eaa8626e72300edb05750e6f4f320e76f876b87894dadc857a94e8d7f038042fb78d0bfa87cea42d8d3552832171e5794c6d368e40a

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-04 12:29
Reported 2024-06-04 12:32
Platform win10v2004-20240426-en
Max time kernel 148s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

UPX packed file

Tags upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

Tags bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\User Data\Default\Preferences | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\User Data\Default\Web Data | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Modifies Internet Explorer settings

Tags adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\DisplayName = "v9" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\URL = "http://search.v9.com/web/?q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.v9.com/?utm_source=b&utm_medium=ismh&from=ismh&uid=DADY_HARDDISK_DD00013&ts=1717504178" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.v9.com/?utm_source=b&utm_medium=ismh&from=ismh&uid=DADY_HARDDISK_DD00013&ts=1717504178" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://search.v9.com/web/?q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86} | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Modifies Internet Explorer start page

Tags stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.v9.com/?utm_source=b&utm_medium=ismh&from=ismh&uid=DADY_HARDDISK_DD00013&ts=1717504178" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.v9.com/?utm_source=b&utm_medium=ismh&from=ismh&uid=DADY_HARDDISK_DD00013&ts=1717504178" | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_c9f3394b842c5eb2d28774f4ef1d3998_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe

C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe -oem=ismh -app=v9hp -flag=3 -nation=br

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hfblddeldir.bat (null)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | static.v9.com | udp
US | 174.36.247.78:80 | static.v9.com | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | xa.xingcloud.com | udp
US | 174.36.247.78:80 | static.v9.com | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | xa.xingcloud.com | udp
US | 174.36.247.78:80 | static.v9.com | tcp
US | 8.8.8.8:53 | xa.xingcloud.com | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9ht.exe

MD5 9a2f642a99c19b2d7ee60109c7de1b81
SHA1 8543ffe5e79516d110526fd305dbeacf04b041cb
SHA256 c07330c686767287b1d490f5c44d2b0265790860b32f1889d16d60c06d15f111
SHA512 1a0eeea8f17d19e81bd331ce324361520339fe75d6110e664fffe7fa654a4f091bb0377e9344f90310e4c85ca37c1dc01022e18d95aee72f60c204bb38099241

memory/4612-6-0x0000000000600000-0x000000000085D000-memory.dmp

memory/4612-7-0x0000000000600000-0x000000000085D000-memory.dmp

memory/4612-9-0x0000000000600000-0x000000000085D000-memory.dmp

memory/4612-11-0x0000000000600000-0x000000000085D000-memory.dmp

memory/4612-13-0x0000000000600000-0x000000000085D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hfblddeldir.bat

MD5 253c6de75a58b886dcff8e928b1c874c
SHA1 3a268b6ae30025368b044e2c9c77fbb45273e276
SHA256 b273345ac98c356321209a94dc905ebc7994069addc65f373924db97b5be45f3
SHA512 bcaac00a98c272ed6f0fc24518659128b3c808d2939ec23d5f42a22ca0db28c4ea5bc287386e8e4e10b138ac4689e1361afc3563271304ec1119458bc3c313f7

C:\Users\Admin\AppData\Local\Temp\V9Zip_000\v9db.con

MD5 ba76dbee9e8861874a392edcec9b3fa6
SHA1 f288f5f5579c7d55e7168ea41910fea32be8475a
SHA256 ef9f360ea2fb8335e26b984986f785023024247299224c9f733ec8bdefcd2f40
SHA512 6a430fc2482aacffd7258eaa8626e72300edb05750e6f4f320e76f876b87894dadc857a94e8d7f038042fb78d0bfa87cea42d8d3552832171e5794c6d368e40a