Malware Analysis Report

2024-09-11 07:33

Sample ID: 240613-zg92xszcmb
Target:    25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b
SHA256:    25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b
Tags:      (none listed)
Score:     7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score:        7/10
SHA256:       25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b
Threat Level: Shows suspicious behavior

The file 25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b was classified as showing suspicious behavior (score 7/10). The report records no tags or family attribution for it.

Malicious Activity Summary


Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-13 20:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-13 20:42
Reported:         2024-06-13 20:45
Platform:         win7-20240220-en
Max time kernel:  140s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe"

Signatures

Modifies Internet Explorer settings  [adware, spyware]

  Description: Key created
  Indicator:   \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main
  Process:     C:\Users\Admin\AppData\Local\Temp\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe
  Target:      N/A

  \REGISTRY\USER\<SID>\... is the native (kernel) spelling of HKEY_USERS\<SID>\...; for the user the sample ran as, this is HKCU\Software\Microsoft\Internet Explorer\Main, the key that holds the IE start page and related browser settings.

Suspicious behavior: EnumeratesProcesses

  Description: N/A
  Indicator:   N/A
  Process:     C:\Users\Admin\AppData\Local\Temp\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe
  Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe

"C:\Users\Admin\AppData\Local\Temp\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe"

Network

Country  Destination        Domain            Proto
US       8.8.8.8:53         ip.taobao.com     udp
CN       59.82.120.242:80   ip.taobao.com     tcp
US       8.8.8.8:53         update.bskrt.com  udp
CN       59.82.120.242:80   ip.taobao.com     tcp
US       8.8.8.8:53         update.bskrt.com  udp

In this run ip.taobao.com resolved and was contacted twice over TCP/80 (59.82.120.242). update.bskrt.com appears only in DNS queries to 8.8.8.8; no TCP connection to it is recorded.
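The two behaviours recorded for this run that are cheapest to detect on an endpoint are the registry key creation above (a process running from the user's Temp directory touching HKCU\Software\Microsoft\Internet Explorer\Main) and the DNS lookups for the two domains in the Network table. The following is an added example written for this page, not a rule from the sandbox: the event records in it are constructed in the shape of Sysmon Event ID 12 (registry key created) and Event ID 22 (DNS query), and the field names (image, target_object, query_name) are an assumption about the sensor schema rather than anything the report provides.

```python
"""Detection logic for the registry and DNS indicators in this report.

Added example, not part of the sandbox report.  The events below are
constructed Sysmon-style records (EID 12 RegistryEvent, EID 22 DnsQuery);
the field names are an assumed sensor schema.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report's Network tables.
WATCHED_DOMAINS = {"ip.taobao.com", "update.bskrt.com"}

# \REGISTRY\USER\<SID>\... is the native form of HKU\<SID>\...; for the
# logged-on user that is HKCU.  Match the Internet Explorer "Main" key whichever
# prefix the sensor emits, with or without the SID component.
IE_MAIN_KEY = re.compile(
    r"^(?:\\REGISTRY\\USER|HKU|HKCU)(?:\\S-1-5-21-[\d-]+)?"
    r"\\Software\\Microsoft\\Internet Explorer\\Main(?:\\|$)",
    re.IGNORECASE,
)
# Executables launched straight from a user's Temp directory, as the sample was.
TEMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Event:
    event_id: int
    image: str
    target_object: str = ""   # EID 12: registry path
    event_type: str = ""      # EID 12: CreateKey / DeleteKey
    query_name: str = ""      # EID 22: DNS name queried


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def check_event(ev: Event) -> list:
    """Apply both rules to one event; return the findings it produces."""
    findings = []
    if ev.event_id == 12 and ev.event_type == "CreateKey":
        if IE_MAIN_KEY.match(ev.target_object) and TEMP_IMAGE.search(ev.image):
            findings.append(Finding("ie_settings_from_temp_exe", ev.image, ev.target_object))
    if ev.event_id == 22 and ev.query_name.lower() in WATCHED_DOMAINS:
        findings.append(Finding("dns_watchlist_hit", ev.image, ev.query_name))
    return findings


def run_detection(events) -> list:
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe")

# Constructed events: the first three mirror what the report shows for the
# Windows 7 run; the last two are benign controls (Explorer touching the same
# key, a browser resolving an unrelated name) that must not fire.
SAMPLE_EVENTS = [
    Event(12, SAMPLE_EXE, event_type="CreateKey",
          target_object=r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000"
                        r"\Software\Microsoft\Internet Explorer\Main"),
    Event(22, SAMPLE_EXE, query_name="ip.taobao.com"),
    Event(22, SAMPLE_EXE, query_name="update.bskrt.com"),
    Event(12, r"C:\Windows\explorer.exe", event_type="CreateKey",
          target_object=r"HKU\S-1-5-21-2721934792-624042501-2768869379-1000"
                        r"\Software\Microsoft\Internet Explorer\Main"),
    Event(22, r"C:\Program Files\Mozilla Firefox\firefox.exe", query_name="example.org"),
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.image}  {f.detail}")
```

The registry rule deliberately requires both conditions (the IE key and a Temp-resident image): the key itself is written by legitimate software all the time, and the Temp-path test alone would be noisy on any machine that runs installers, so neither half is a usable signal on its own.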

Files

Entries named memory/3036-<n>-<start>-<end>-memory.dmp are dumps of memory regions of the sample's process (PID 3036 in this run); the remaining entries are files the sample wrote to disk, each with its hashes. The is-IC3AF.tmp directory is the per-run extraction folder that Inno Setup installers create under %TEMP%, which fits the installer-style payload below (msvcr100.dll, the OpenSSL 1.0.x libraries libeay32.dll and ssleay32.dll, and button and background images).

memory/3036-0-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\beepdl.dll

MD5 1c53bf360dbcd74cca338e7c6314fa85
SHA1 48de107930fd584ffc0aa6c3164cb4a1b40a583e
SHA256 e91ec6095993a55bcf0ee1ff42f43b9b421334385b51e1013864aefcf2a93099
SHA512 1ba793a20099761b6d2c24e0cf8a976df5cbc448ef6d4119964e78dc7de6d639711dede68023b43b8658d4852ceb1ae245bf529f9f745b12bb8b5e38f2a8f0ac

memory/3036-22-0x0000000001F20000-0x0000000001F55000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\libeay32.dll

MD5 767f239e5abb7d0038a738cf89ffc91b
SHA1 ab7a36d9de4773fa080a68f3d30b75d0058aaab9
SHA256 73568b7210fb233b871091781d61a582ba99b977837c0a8a1a24507531a3e74d
SHA512 560357e77351a52f4ac78d522d51c017012fc0fbd07fe4ac81a47ecec6a044f27395acdfcd7d15df89210b9e08b1e8b9f59697e157e13ed42d75b5988e670b3a

\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\ssleay32.dll

MD5 f3f46ebf34d452129a13e7b54c179b52
SHA1 9c00d31dee46b49473f2ca7c76c07e880d08d7ef
SHA256 8f1e2a095f0542b42d634a14cc82849318cb0685949f6d10fc475f5469552a38
SHA512 e884455c0fdf24d967812a754017c09ff8ccd66966dba6286ea9358705d092e1dafc2c8f54d39da7959d2beed360b045a300c5954674b2162276521cfe6f483d

memory/3036-34-0x0000000001F20000-0x0000000001F55000-memory.dmp

memory/3036-33-0x0000000000400000-0x000000000054E000-memory.dmp

memory/3036-39-0x0000000001F60000-0x0000000001F84000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\Ksicfg.dll

MD5 fe99097e6928edb3731e4c7d162cd9b5
SHA1 3a4779e36a41efcb7ac5ece34ee44ded35a3f3dc
SHA256 bfeb09e01563ce21aacdf5d83be184307de06be2a30177d60a8a605ecf851cf9
SHA512 ee17caa56925c8d377255564a522d5fcd8220486fe53c821aa0a4b2c42787838c24829c150bb7f00e0b09ec458b5309d14d260fb0903c362f9ee697a32e42ed3

\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\webctrl.dll

MD5 d0372bedb70710aeff382818ad683f54
SHA1 f960deffdde9cd5cb5fd3608185a49a91d398f3e
SHA256 b3daff58c8e7ca8ce6fe155ca78c681a7d3144a538c3ed4c2913e91a1d2bd717
SHA512 4b24a990ba155b664bad58884810123898f99f3ffe3d9704662c9576d31d60f1889c7a368589af7c3c9559e5fb9921cf87bc4faf73b4b83d1262b50c9bb5f706

memory/3036-57-0x0000000000230000-0x0000000000231000-memory.dmp

memory/3036-58-0x0000000000400000-0x000000000054E000-memory.dmp

memory/3036-60-0x0000000001F60000-0x0000000001F84000-memory.dmp

memory/3036-76-0x0000000003BB0000-0x0000000003BBE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\botva2.dll

MD5 9076347bbeb70f995d0c419212960597
SHA1 51fd657ef5e154a2937837172b0156bb8762bba3
SHA256 29f5fbafcfaf1bd0355debdeb4a3888169de3fa8e7464c7efdab48499c7a699b
SHA512 b4644d21624a75aa0dffc7b591be2c779273bc64aaf525cd5b0c604c93667606dc43997cf2fd90481aa643db104401d9ab4e9eda394ae1d73a68337dc90867c5

C:\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\Chk_Top.png

MD5 5b97587a44821ac216631f322cb1d8a1
SHA1 ca86219ce90a12cb5e331d7678a239a1d45a2f7b
SHA256 a976356c83165123371fc229dff49a6a23e47809612aa406cd530f374c2b95d8
SHA512 616dad7742ed62e84b0b2721161195a8523d3d40873569d5d191425c9ddce755d04c502546af3461a13ccd3e1426d92872c929046b9d6703ed0b0f257fc6e1c3

\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\CallbackCtrl.dll

MD5 f07e819ba2e46a897cfabf816d7557b2
SHA1 8d5fd0a741dd3fd84650e40dd3928ae1f15323cc
SHA256 68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d
SHA512 7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

C:\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\Chk_Bottom.png

MD5 a05324addf51e021f4797cff386e6709
SHA1 52fc63516107cd826e2ead5f9b95bbc05f1f7e47
SHA256 423b1f770de458d4abc33732d1f0a8241060b8b833b51f885680b1691dad37dc
SHA512 e467513927c5f8f64823e4fbb8263420a723cb84dd271c85d3ce09cace2017e14b21765321491266ea4afa146e095f9b7553dd4020e3a1653fd1053951694b2d

C:\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\Btn_Inst.png

MD5 8298116fcc6775e6124918904ec521a0
SHA1 dd91128a28bd00f53cb96936b841f8b6bbdf8005
SHA256 4e94e23980c162f45fe2c92ee233368b90e1ff5aba2cbad16238bb4d744060dc
SHA512 876c18cd9aae26bbdd6d87ca031425f6a78734345a7aed4afdb197113920faa3ea532dd64a2fc8a316440f545b46f304c25daea9d867a675661e24e2950fe363

C:\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\Btn_Dir.png

MD5 971d69bcba199a80b6d4a674ddc54eef
SHA1 90bf267519edd7d7d56736839bf7b1a8fdc21a46
SHA256 1feeab2ab4a7db9b76b427d356a19072387c7f6168e044b00278a77b6666b6e8
SHA512 7660cf7fcbd85c3198265d187dbdf89051360abb52e20e3f967330ba84fc906b7ce85236b31086192b49a67d2d3adb18b68c728c3efa58def077e994eef0f445

C:\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\Btn_Done.png

MD5 6c1b64925557baf8a3342c677921433f
SHA1 921ed417d738eb6cdd9380375b9f758cdf03a912
SHA256 7d20813460907dea7dfd014355dd499bbea70168d61e2cd1df19e0ca38187d98
SHA512 e9e7e908bbb6aebe59ae6a94b0210619135ce6f0d39616b57663d4ddeea04e99952b006e1ce194c7745f77908293bb6b6cd326391f500962665e009adb7f0e43

C:\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\Btn_Close.png

MD5 e420845e26573c91393bf74df3c1d0c8
SHA1 0bc8eaaaf8515aaac199a3cd90149c0d2bae34ee
SHA256 7c14cf6bb998e69c22bfb482c69ca8b64d73c8d96c340bbafd1f5989dea0dd83
SHA512 cdce793cf2a742cb9b74cb3a0e3dfb1ac813627ae7bfdadde4da0f1e9e59418f9a776b807e8fe96b682fbf77ae86142783926fe06a7a62a5da177362b575bd63

C:\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\Bkg.jpg

MD5 65f87b2e43abba9306d9125fa476db9a
SHA1 60afabccc0b885096e4b75a3a16427eee23205e5
SHA256 85ad487219978bf619e61a8569b29f26d38377bbec67c86372e56611a8ed3e7a
SHA512 36ea701a89b4ca80b6e5442097b66f4d755b31f3a9b4fc1cb995ffc5947adf12a99e046a4ed1c38e0755996504097e3facd2e1d6a98662bd77a2e45939724741

memory/3036-219-0x0000000001F60000-0x0000000001F84000-memory.dmp

memory/3036-220-0x0000000003BB0000-0x0000000003BBE000-memory.dmp

memory/3036-217-0x0000000000400000-0x000000000054E000-memory.dmp

memory/3036-218-0x0000000001F20000-0x0000000001F55000-memory.dmp

memory/3036-238-0x0000000003BB0000-0x0000000003BBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-13 20:42
Reported:         2024-06-13 20:45
Platform:         win10v2004-20240508-en
Max time kernel:  147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe

"C:\Users\Admin\AppData\Local\Temp\25d789c592c6c536c8f65e333663e3720f1387bd092ec16d6b8a6bb38120014b.exe"

Network

Country  Destination  Domain            Proto
US       8.8.8.8:53   ip.taobao.com     udp
US       8.8.8.8:53   ip.taobao.com     udp
US       8.8.8.8:53   update.bskrt.com  udp
US       8.8.8.8:53   update.bskrt.com  udp
US       8.8.8.8:53   update.bskrt.com  udp
US       8.8.8.8:53   update.bskrt.com  udp

In this Windows 10 run only DNS queries for the two domains are recorded; unlike the Windows 7 run, no TCP connection to ip.taobao.com (or to update.bskrt.com) followed.

Files

Same layout as behavioral1: the memory/4132-... entries are memory-region dumps (PID 4132 in this run), and the dropped files land in is-UKVNC.tmp, a freshly named Inno Setup temp directory. The dropped DLLs carry the same hashes as in the Windows 7 run.

memory/4132-0-0x0000000002450000-0x0000000002451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UKVNC.tmp\beepdl.dll

MD5 1c53bf360dbcd74cca338e7c6314fa85
SHA1 48de107930fd584ffc0aa6c3164cb4a1b40a583e
SHA256 e91ec6095993a55bcf0ee1ff42f43b9b421334385b51e1013864aefcf2a93099
SHA512 1ba793a20099761b6d2c24e0cf8a976df5cbc448ef6d4119964e78dc7de6d639711dede68023b43b8658d4852ceb1ae245bf529f9f745b12bb8b5e38f2a8f0ac

memory/4132-24-0x0000000003420000-0x0000000003455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UKVNC.tmp\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Local\Temp\is-UKVNC.tmp\libeay32.dll

MD5 767f239e5abb7d0038a738cf89ffc91b
SHA1 ab7a36d9de4773fa080a68f3d30b75d0058aaab9
SHA256 73568b7210fb233b871091781d61a582ba99b977837c0a8a1a24507531a3e74d
SHA512 560357e77351a52f4ac78d522d51c017012fc0fbd07fe4ac81a47ecec6a044f27395acdfcd7d15df89210b9e08b1e8b9f59697e157e13ed42d75b5988e670b3a

C:\Users\Admin\AppData\Local\Temp\is-UKVNC.tmp\ssleay32.dll

MD5 f3f46ebf34d452129a13e7b54c179b52
SHA1 9c00d31dee46b49473f2ca7c76c07e880d08d7ef
SHA256 8f1e2a095f0542b42d634a14cc82849318cb0685949f6d10fc475f5469552a38
SHA512 e884455c0fdf24d967812a754017c09ff8ccd66966dba6286ea9358705d092e1dafc2c8f54d39da7959d2beed360b045a300c5954674b2162276521cfe6f483d

memory/4132-36-0x0000000003420000-0x0000000003455000-memory.dmp

memory/4132-35-0x0000000000400000-0x000000000054E000-memory.dmp

memory/4132-39-0x0000000002450000-0x0000000002451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UKVNC.tmp\Ksicfg.dll

MD5 fe99097e6928edb3731e4c7d162cd9b5
SHA1 3a4779e36a41efcb7ac5ece34ee44ded35a3f3dc
SHA256 bfeb09e01563ce21aacdf5d83be184307de06be2a30177d60a8a605ecf851cf9
SHA512 ee17caa56925c8d377255564a522d5fcd8220486fe53c821aa0a4b2c42787838c24829c150bb7f00e0b09ec458b5309d14d260fb0903c362f9ee697a32e42ed3

memory/4132-44-0x0000000003900000-0x0000000003924000-memory.dmp

memory/4132-47-0x0000000003420000-0x0000000003455000-memory.dmp

memory/4132-48-0x0000000003900000-0x0000000003924000-memory.dmp

memory/4132-46-0x0000000000400000-0x000000000054E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UKVNC.tmp\webctrl.dll

MD5 d0372bedb70710aeff382818ad683f54
SHA1 f960deffdde9cd5cb5fd3608185a49a91d398f3e
SHA256 b3daff58c8e7ca8ce6fe155ca78c681a7d3144a538c3ed4c2913e91a1d2bd717
SHA512 4b24a990ba155b664bad58884810123898f99f3ffe3d9704662c9576d31d60f1889c7a368589af7c3c9559e5fb9921cf87bc4faf73b4b83d1262b50c9bb5f706

memory/4132-67-0x0000000000400000-0x000000000054E000-memory.dmp

memory/4132-69-0x0000000003900000-0x0000000003924000-memory.dmp

memory/4132-68-0x0000000003420000-0x0000000003455000-memory.dmp
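A parser for the Files entries of both runs, as an added example that is not part of the report or of the sandbox's tooling: it reads the flattened path/hash/memory-dump lines, masks the per-run Inno Setup is-XXXXX.tmp directory name so paths from the two detonations line up, reports which dropped files share a SHA256 across the Windows 7 and Windows 10 runs, and turns the memory-dump names into (pid, start, size) tuples. The two embedded excerpts are a constructed subset of the page's own entries (MD5 and SHA256 lines only); the function names are this example's.

```python
"""Parser for the Files entries in this report.  The page flattens each entry
into a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with
memory-dump names of the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.

Added example, not tooling from the sandbox.  The two excerpts below are a
constructed subset of the entries printed on the page (MD5 and SHA256 lines
only), one per detonation.
"""
import re

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.IGNORECASE)
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Inno Setup extracts to %TEMP%\is-XXXXX.tmp with a fresh random name per run,
# so the directory name must be masked before paths from two runs are compared.
INNO_TMP_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.IGNORECASE)
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalise_path(path: str) -> str:
    """Drop the drive letter, mask the Inno Setup temp dir, lower-case."""
    path = re.sub(r"^[A-Za-z]:", "", path)
    return INNO_TMP_RE.sub(r"\\is-XXXXX.tmp\\", path).lower()


def parse_files_section(text: str):
    """Return (dropped, dumps).

    dropped: {normalised path: {"MD5": ..., "SHA256": ..., ...}}
    dumps:   [(pid, seq, start_address, size_in_bytes)]
    """
    dropped, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16) - int(start, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, value = m.group(1).upper(), m.group(2).lower()
            if len(value) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} for {current} has {len(value)} hex digits")
            dropped[current][algo] = value
            continue
        if "\\" in line:                      # a Windows path starts a new entry
            current = normalise_path(line)
            dropped.setdefault(current, {})
    return dropped, dumps


def compare_runs(run_a: dict, run_b: dict):
    """Paths present in both runs with equal SHA256, then paths unique to each."""
    same = sorted(p for p in run_a.keys() & run_b.keys()
                  if run_a[p].get("SHA256") == run_b[p].get("SHA256"))
    return same, sorted(run_a.keys() - run_b.keys()), sorted(run_b.keys() - run_a.keys())


def sha256_hunt_list(*runs: dict) -> set:
    """Union of dropped-file SHA256s across runs, for blocklists or hunting."""
    return {h["SHA256"] for run in runs for h in run.values() if "SHA256" in h}


WIN7_EXCERPT = r"""
memory/3036-0-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\beepdl.dll
MD5 1c53bf360dbcd74cca338e7c6314fa85
SHA256 e91ec6095993a55bcf0ee1ff42f43b9b421334385b51e1013864aefcf2a93099
memory/3036-33-0x0000000000400000-0x000000000054E000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-IC3AF.tmp\botva2.dll
MD5 9076347bbeb70f995d0c419212960597
SHA256 29f5fbafcfaf1bd0355debdeb4a3888169de3fa8e7464c7efdab48499c7a699b
"""

WIN10_EXCERPT = r"""
memory/4132-35-0x0000000000400000-0x000000000054E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-UKVNC.tmp\beepdl.dll
MD5 1c53bf360dbcd74cca338e7c6314fa85
SHA256 e91ec6095993a55bcf0ee1ff42f43b9b421334385b51e1013864aefcf2a93099
C:\Users\Admin\AppData\Local\Temp\is-UKVNC.tmp\Ksicfg.dll
MD5 fe99097e6928edb3731e4c7d162cd9b5
SHA256 bfeb09e01563ce21aacdf5d83be184307de06be2a30177d60a8a605ecf851cf9
"""

if __name__ == "__main__":
    win7, dumps7 = parse_files_section(WIN7_EXCERPT)
    win10, dumps10 = parse_files_section(WIN10_EXCERPT)
    same, only7, only10 = compare_runs(win7, win10)
    print("identical across runs:", same)
    print("only in win7:", only7, "only in win10:", only10)
    for pid, seq, start, size in dumps7 + dumps10:
        print(f"pid {pid} dump {seq}: 0x{start:X} ({size:#x} bytes)")
    print("SHA256 hunt list:", sorted(sha256_hunt_list(win7, win10)))
```

The 0x400000-0x54E000 region that both runs dump is the sample's own image (the default 32-bit PE load address), so its size, 0x14E000 bytes, is a quick sanity check that the same binary ran in both environments; the hash comparison confirms the same for the extracted DLLs. Feed the full Files sections through parse_files_section rather than the excerpt to get the complete hunt list.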