Malware Analysis Report

2024-09-23 12:04

Sample ID 240612-pp216sydjq
Target Ana.exe
SHA256 117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb
Tags
bootkit discovery evasion persistence trojan upx
Score 7/10

Analysis Overview

Score 7/10

SHA256

117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb

Threat Level: Shows suspicious behavior

The file Ana.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery evasion persistence trojan upx

Checks BIOS information in registry

UPX packed file

Executes dropped EXE

Checks installed software on the system

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:31

Reported

2024-06-12 12:33

Platform

win10-20240404-en

Max time kernel

17s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ana.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 1888 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 1888 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 1888 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 1888 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 1888 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 1888 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 1888 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 1888 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 1888 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 1888 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 1888 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 1888 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 1888 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 1888 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Ana.exe C:\Users\Admin\AppData\Local\Temp\SB.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Ana.exe

"C:\Users\Admin\AppData\Local\Temp\Ana.exe"

C:\Users\Admin\AppData\Local\Temp\AV.EXE

"C:\Users\Admin\AppData\Local\Temp\AV.EXE"

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"

C:\Users\Admin\AppData\Local\Temp\DB.EXE

"C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\Users\Admin\AppData\Local\Temp\EN.EXE

"C:\Users\Admin\AppData\Local\Temp\EN.EXE"

C:\Users\Admin\AppData\Local\Temp\SB.EXE

"C:\Users\Admin\AppData\Local\Temp\SB.EXE"

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\dc3c49651ffc4653ad5a859e889db6ce /t 3404 /p 3400

Network

Country Destination Domain Proto
US 8.8.8.8:53 aeravine.com udp
US 8.8.8.8:53 middlechrist.com udp
US 8.8.8.8:53 bemachin.com udp
US 66.96.162.135:80 middlechrist.com tcp
US 8.8.8.8:53 aeravine.com udp

Files

C:\Users\Admin\AppData\Local\Temp\AV.EXE

MD5 f284568010505119f479617a2e7dc189
SHA1 e23707625cce0035e3c1d2255af1ed326583a1ea
SHA256 26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512 ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

MD5 014578edb7da99e5ba8dd84f5d26dfd5
SHA1 df56d701165a480e925a153856cbc3ab799c5a04
SHA256 4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512 bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

C:\Users\Admin\AppData\Local\Temp\DB.EXE

MD5 c6746a62feafcb4fca301f606f7101fa
SHA1 e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256 b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512 ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

memory/836-20-0x00000000006B0000-0x0000000000743000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EN.EXE

MD5 621f2279f69686e8547e476b642b6c46
SHA1 66f486cd566f86ab16015fe74f50d4515decce88
SHA256 c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512 068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

memory/836-28-0x00000000006B0000-0x0000000000743000-memory.dmp

memory/836-27-0x00000000006B0000-0x0000000000743000-memory.dmp

memory/4632-26-0x0000000000400000-0x000000000040A000-memory.dmp

memory/836-25-0x0000000000450000-0x0000000000481000-memory.dmp

memory/836-24-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SB.EXE

MD5 9252e1be9776af202d6ad5c093637022
SHA1 6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256 ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA512 98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

memory/4684-36-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

memory/4904-43-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tsa.crt

MD5 6e630504be525e953debd0ce831b9aa0
SHA1 edfa47b3edf98af94954b5b0850286a324608503
SHA256 2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5
SHA512 bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

memory/4632-42-0x0000000000400000-0x000000000040A000-memory.dmp