Malware Analysis Report

2024-10-18 22:06

Sample ID 240611-sgwe7s1eja
Target Ana.zip
SHA256 3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4
Tags bootkit discovery evasion persistence trojan upx
Score 7/10


Analysis Overview

Score 7/10
SHA256 3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

Threat Level: Shows suspicious behavior

The file Ana.zip was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery evasion persistence trojan upx

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

UPX packed file

Checks whether UAC is enabled

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-06-11 15:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 15:06
Reported 2024-06-11 15:07
Platform win10v2004-20240508-en
Max time kernel 2s
Max time network 4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 4344 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 4344 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 4344 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 4344 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\Temp\SB.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\AV.EXE

"C:\Users\Admin\AppData\Local\Temp\AV.EXE"

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"

C:\Users\Admin\AppData\Local\Temp\DB.EXE

"C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\Users\Admin\AppData\Local\Temp\EN.EXE

"C:\Users\Admin\AppData\Local\Temp\EN.EXE"

C:\Users\Admin\AppData\Local\Temp\SB.EXE

"C:\Users\Admin\AppData\Local\Temp\SB.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 middlechrist.com udp
US 8.8.8.8:53 aeravine.com udp

Files

C:\Users\Admin\AppData\Local\Temp\AV.EXE

MD5 f284568010505119f479617a2e7dc189
SHA1 e23707625cce0035e3c1d2255af1ed326583a1ea
SHA256 26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512 ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

MD5 014578edb7da99e5ba8dd84f5d26dfd5
SHA1 df56d701165a480e925a153856cbc3ab799c5a04
SHA256 4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512 bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

memory/3112-22-0x0000000073BE2000-0x0000000073BE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB.EXE

MD5 c6746a62feafcb4fca301f606f7101fa
SHA1 e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256 b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512 ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

C:\Users\Admin\AppData\Local\Temp\EN.EXE

MD5 621f2279f69686e8547e476b642b6c46
SHA1 66f486cd566f86ab16015fe74f50d4515decce88
SHA256 c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512 068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

memory/4496-33-0x0000000000400000-0x0000000000445000-memory.dmp

memory/4496-49-0x0000000000550000-0x00000000005E3000-memory.dmp

memory/2140-59-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SB.EXE

MD5 9252e1be9776af202d6ad5c093637022
SHA1 6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256 ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA512 98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

memory/3112-60-0x0000000073BE2000-0x0000000073BE4000-memory.dmp

memory/4496-58-0x00000000001C0000-0x00000000001F1000-memory.dmp

memory/4496-50-0x0000000000550000-0x00000000005E3000-memory.dmp

memory/3112-55-0x0000000073BE0000-0x0000000074191000-memory.dmp

memory/4496-46-0x0000000000550000-0x00000000005E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GB.EXE

MD5 fe731b4c6684d643eb5b55613ef9ed31
SHA1 cfafe2a14f5413278304920154eb467f7c103c80
SHA256 e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496
SHA512 f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

C:\Users\Admin\AppData\Local\Temp\tsa.crt

MD5 6e630504be525e953debd0ce831b9aa0
SHA1 edfa47b3edf98af94954b5b0850286a324608503
SHA256 2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5
SHA512 bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2