Malware Analysis Report

2024-09-23 12:07

Sample ID: 240612-r6wa3asfql
Target: 808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1
SHA256: 808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1
Tags: bootkit, evasion, persistence
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1

Threat Level: Likely malicious

The file 808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1 was found to be: Likely malicious.

Malicious Activity Summary

bootkit evasion persistence

Modifies Windows Firewall

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-12 14:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 14:48
Reported: 2024-06-12 14:51
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1.exe

"C:\Users\Admin\AppData\Local\Temp\808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\SDK\DownloadSDKServer.exe enable=yes

Network

Country Destination Domain Proto
US 8.8.8.8:53 static-xl9-ssl.xunlei.com udp
US 8.8.8.8:53 conf-m-ssl.xunlei.com udp
US 8.8.8.8:53 stat.download.xunlei.com udp
CN 47.101.179.215:8099 stat.download.xunlei.com tcp
CN 36.158.216.218:80 static-xl9-ssl.xunlei.com tcp
CN 36.158.216.218:80 static-xl9-ssl.xunlei.com tcp
CN 47.103.194.216:443 conf-m-ssl.xunlei.com tcp
CN 47.101.179.215:8099 stat.download.xunlei.com tcp
CN 111.6.201.218:80 static-xl9-ssl.xunlei.com tcp
CN 111.48.108.100:80 static-xl9-ssl.xunlei.com tcp

Files

\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\InstallEntry.dll

MD5 f1a0499d697fc29999887ded4d73674f
SHA1 53b5ce94b6abe984eaa890a8609eb2e44292fdd8
SHA256 9445e6fee25cf21b06e9cbee5745dadc5242dab6632dc3ecf53f00f9e6665961
SHA512 7201f9f2fd241ec956cff0fde79dfd12a3df2d4245298c38033e53110cc92359579ced43339974ecc3e331b29b9004e0edc7b32ea7ad926b7b0a2859c9317dfc

memory/2944-47-0x00000000000E0000-0x00000000000E1000-memory.dmp

C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat

MD5 6ab865bbd3b777d9b27c5d0d06bc9031
SHA1 014e8ba445e4a8342c59cc19f8a2ea26975a9844
SHA256 cc60e12bef82e510aed10b2ccf79fe59817b42d4aad169cec35c0e2c1b1f430e
SHA512 1289e4d4dc35c988f7ec8433048853ae6b6373bb38ba02b7e2378d94c809c5a016341ed0c5ef497756d21861e07925f0b0b134bbbf40e58f02592cc79bab6979

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\install_bkg.png

MD5 68a017c094dc1dcd136e6f2677e41848
SHA1 3ebba5af4ddeeaea06942bf1ed5e11014ec3994c
SHA256 6132f8b3d88cc71932332d18778c4bea460f7d0d7a08cd9f25b033300efbc595
SHA512 99030b787c9c18ed01a24772633bbcf431171a831cb4e281ac1dfd20845c496922e55877634e7eca7ad303adf8989c571fe8ee2220504dd10074cacd67f0726f

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 043b6f91f1716b40fa718ef0f53d1223
SHA1 6ca9eef90f4734484faea2612f8466312e3fc77c
SHA256 06c8277deafecf8193727acb23636013e6d6dc7cc2e9b3e6ea02ca4f140b01be
SHA512 be8c849374c199462e107c46c213759604b8edd14ecab437acb7387eed3ebc6d44469368f3a77081917fcf4a34d8662ac7e827ec21d9d5aecb5dab1d1ae58503

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 c5e7f2e6b187e5b4e5e4ad304e5f140e
SHA1 3f3fb5c143af1812e1e169ef4f4f88c95522c76c
SHA256 4ec810b1c88a36e61b16e9b24853a6c843935ca0d46fc68cbadd79719bf3bf76
SHA512 2cc0b0aba250342a2aa048c4b39273618af6145316cd40131415d89cc0ab2ba91a974d5a1ac9f6888bb84cf92b5340ece1c859c4f625eddafdab3b1c39806820

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 e242c73869a1c02d57a46dcd0ac50cbc
SHA1 b332bf954f7e90291416ff30085cb84c3bc3c603
SHA256 a2fe60fe06ce387f0ae59dff7ddf310818f8c2d58336501987064bbe3afa9893
SHA512 4434b63314d1afe911e38632c730ce5d5b618816dded7986e1b61ecafcdad359868586a43284a1cb7f6f58f15219488680b1a69215d21dc98b171d2d4017adc6

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 8df00ad52e2964cf24843502b66d15c2
SHA1 06249b51a09df4e2bdaf6bfe27a8474dde105d2a
SHA256 0880a80a3a8e89092dcc65bff5bf63a044c3a8763f543adea5bf3f027a125716
SHA512 e09a539e232ba37de09ecfb7e6558354b6d233d790074f291136f7c168d5f58bb77bf6c065a63f87d3732ce3dc1eb526a8e54bd546872c0c0e6a17645e3e5be4

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 cb8dc16b59722999e762558ac0afce45
SHA1 17673bbecb6a999073dffab34b73009c13cece24
SHA256 a92b1cac68378fcaef9d46be0f8e1f4b6d5ca3de30b4ec26bdc30eff3f6b3051
SHA512 381df44b51001f1bc213a9c224e1fe3fbe270b80a332a9655e2aafbef3229227c0672a541f405a66c68796f4c8380053b02daf35694115226b178b4641054d81

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 f350f4bb9cea348bc42eafdfd7f52182
SHA1 02a8fea0deac529d362a31969f7c8fc27bfcce3d
SHA256 3885706db8c031d804e7eeb87ec8a3826dbb407a103ce15b347bf33ae41f5c52
SHA512 708c23c67e00afe4387200efd1a313988546de0b13fd7d757b1d13bd1680ba29e585cdda159c705239e8520a57ecb4bbf35727c9be9e123aad81c76c4299ca70

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 83e7f0808802d4aefaba3ecbb87460b2
SHA1 f669f175562aae608f2a307d8c4b8a327b56de2a
SHA256 8d528e66094e298c9542215823363b66516a33a6bf8490b2122e74151b567dab
SHA512 c552181fdf3899336a5d5a2a5541c7c666e3ab0276563007c56a8e878386c6178024d30f7fe8b0bf75ece6ad371c553666e2bd09f935891db5741d23d3fba253

memory/2944-154-0x00000000000E0000-0x00000000000E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 14:48
Reported: 2024-06-12 14:51
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1.exe"

Signatures

Modifies Windows Firewall

Tags: evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1.exe

"C:\Users\Admin\AppData\Local\Temp\808de6dc9229bd5402dfb6d195ec49bd3ee96e21c0719b26218ccf21b95842a1.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\SDK\DownloadSDKServer.exe enable=yes

Network

Country Destination Domain Proto
US 8.8.8.8:53 static-xl9-ssl.xunlei.com udp
US 8.8.8.8:53 stat.download.xunlei.com udp
US 8.8.8.8:53 conf-m-ssl.xunlei.com udp
US 8.8.8.8:53 static-xl9-ssl.xunlei.com udp
US 8.8.8.8:53 stat.download.xunlei.com udp

Files

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\InstallEntry.dll

MD5 f1a0499d697fc29999887ded4d73674f
SHA1 53b5ce94b6abe984eaa890a8609eb2e44292fdd8
SHA256 9445e6fee25cf21b06e9cbee5745dadc5242dab6632dc3ecf53f00f9e6665961
SHA512 7201f9f2fd241ec956cff0fde79dfd12a3df2d4245298c38033e53110cc92359579ced43339974ecc3e331b29b9004e0edc7b32ea7ad926b7b0a2859c9317dfc

C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat

MD5 821e98d684e9a52a309a7abb4e448a58
SHA1 20b4e5127792a16884773cb06ebc8569c90e8b70
SHA256 7152366bfa3cb4986997661744255f24d773318b3dbc7d92b3b3a01e31717f4d
SHA512 ecab8f672fbe4c45d791e950f611bad479687fa8fd8a3b94f5a7771959d493041fd4080bd7be4bb8e640ba79c7b4ed6b049a25b23f765500a012cdc90e172d26

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\install_bkg.png

MD5 68a017c094dc1dcd136e6f2677e41848
SHA1 3ebba5af4ddeeaea06942bf1ed5e11014ec3994c
SHA256 6132f8b3d88cc71932332d18778c4bea460f7d0d7a08cd9f25b033300efbc595
SHA512 99030b787c9c18ed01a24772633bbcf431171a831cb4e281ac1dfd20845c496922e55877634e7eca7ad303adf8989c571fe8ee2220504dd10074cacd67f0726f

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 83e7f0808802d4aefaba3ecbb87460b2
SHA1 f669f175562aae608f2a307d8c4b8a327b56de2a
SHA256 8d528e66094e298c9542215823363b66516a33a6bf8490b2122e74151b567dab
SHA512 c552181fdf3899336a5d5a2a5541c7c666e3ab0276563007c56a8e878386c6178024d30f7fe8b0bf75ece6ad371c553666e2bd09f935891db5741d23d3fba253

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 8df00ad52e2964cf24843502b66d15c2
SHA1 06249b51a09df4e2bdaf6bfe27a8474dde105d2a
SHA256 0880a80a3a8e89092dcc65bff5bf63a044c3a8763f543adea5bf3f027a125716
SHA512 e09a539e232ba37de09ecfb7e6558354b6d233d790074f291136f7c168d5f58bb77bf6c065a63f87d3732ce3dc1eb526a8e54bd546872c0c0e6a17645e3e5be4

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 cb8dc16b59722999e762558ac0afce45
SHA1 17673bbecb6a999073dffab34b73009c13cece24
SHA256 a92b1cac68378fcaef9d46be0f8e1f4b6d5ca3de30b4ec26bdc30eff3f6b3051
SHA512 381df44b51001f1bc213a9c224e1fe3fbe270b80a332a9655e2aafbef3229227c0672a541f405a66c68796f4c8380053b02daf35694115226b178b4641054d81

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 043b6f91f1716b40fa718ef0f53d1223
SHA1 6ca9eef90f4734484faea2612f8466312e3fc77c
SHA256 06c8277deafecf8193727acb23636013e6d6dc7cc2e9b3e6ea02ca4f140b01be
SHA512 be8c849374c199462e107c46c213759604b8edd14ecab437acb7387eed3ebc6d44469368f3a77081917fcf4a34d8662ac7e827ec21d9d5aecb5dab1d1ae58503

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 f350f4bb9cea348bc42eafdfd7f52182
SHA1 02a8fea0deac529d362a31969f7c8fc27bfcce3d
SHA256 3885706db8c031d804e7eeb87ec8a3826dbb407a103ce15b347bf33ae41f5c52
SHA512 708c23c67e00afe4387200efd1a313988546de0b13fd7d757b1d13bd1680ba29e585cdda159c705239e8520a57ecb4bbf35727c9be9e123aad81c76c4299ca70

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 e242c73869a1c02d57a46dcd0ac50cbc
SHA1 b332bf954f7e90291416ff30085cb84c3bc3c603
SHA256 a2fe60fe06ce387f0ae59dff7ddf310818f8c2d58336501987064bbe3afa9893
SHA512 4434b63314d1afe911e38632c730ce5d5b618816dded7986e1b61ecafcdad359868586a43284a1cb7f6f58f15219488680b1a69215d21dc98b171d2d4017adc6

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]

MD5 c5e7f2e6b187e5b4e5e4ad304e5f140e
SHA1 3f3fb5c143af1812e1e169ef4f4f88c95522c76c
SHA256 4ec810b1c88a36e61b16e9b24853a6c843935ca0d46fc68cbadd79719bf3bf76
SHA512 2cc0b0aba250342a2aa048c4b39273618af6145316cd40131415d89cc0ab2ba91a974d5a1ac9f6888bb84cf92b5340ece1c859c4f625eddafdab3b1c39806820