Malware Analysis Report

2024-11-15 05:45

Sample ID 240614-b9w4rsvbnn
Target 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616
SHA256 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616
Tags
upx
score
7/10

Analysis Overview

score
7/10

SHA256

9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616

Threat Level: Shows suspicious behavior

The file 9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616 was classified as: Shows suspicious behavior.

Malicious Activity Summary

upx

Deletes itself

UPX packed file

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:51

Reported

2024-06-14 01:53

Platform

win7-20240221-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\evdhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\evdhost.exe C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe N/A
File opened for modification C:\Windows\Debug\evdhost.exe C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Debug\evdhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Debug\evdhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe

"C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe"

C:\Windows\Debug\evdhost.exe

C:\Windows\Debug\evdhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9C658D~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.47.103:80 www.baidu.com tcp
US 8.8.8.8:53 HTm3nEk9UC.ping.aspx.ga udp
US 8.8.8.8:53 t6OePqMk7o.ping.aspx.ga udp
US 8.8.8.8:53 lxGWHiEcyg.ping.aspx.ga udp

Files

memory/2176-0-0x0000000010000000-0x000000001000E000-memory.dmp

memory/2176-5-0x0000000010000000-0x000000001000E000-memory.dmp

C:\Windows\debug\evdhost.exe

MD5 b86e4f5991c54837a94e797d8baf42df
SHA1 11a148059b0899ea423a9452dbc55e75cdf37c4c
SHA256 b89a9d8dc5c408bd725bd34e979c8d94e5dd20712e22db07396199dee6f706b8
SHA512 cf65ca266aefd5058ba9bb879f05309eee744d939af40f23fa51b1ec71ef1b4024d84cd9a9330a99db897fb0dd71789dbedd736c6b66710bbb69affbd6040ba9

memory/1840-11-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1840-12-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1840-14-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1840-16-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1840-17-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1840-19-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1840-21-0x0000000010000000-0x000000001000E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:51

Reported

2024-06-14 01:53

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\ctbhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\ctbhost.exe C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe N/A
File opened for modification C:\Windows\Debug\ctbhost.exe C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Debug\ctbhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Debug\ctbhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe

"C:\Users\Admin\AppData\Local\Temp\9c658d451b2a7ba29c3c104c205967ad19c8b820271304fdfc97c2d3df0d4616.exe"

C:\Windows\Debug\ctbhost.exe

C:\Windows\Debug\ctbhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9C658D~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.40:80 www.baidu.com tcp
US 8.8.8.8:53 40.46.235.103.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 am6L7X4RnV.ping.aspx.ga udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 iuDTEfBZvd.ping.aspx.ga udp
US 8.8.8.8:53 bn7M8Y5SoW.ping.aspx.ga udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

memory/1420-0-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1420-3-0x0000000010000000-0x000000001000E000-memory.dmp

C:\Windows\debug\ctbhost.exe

MD5 3edf91b30a77cd2b561e188f6aea39ce
SHA1 5ab027b0965ffa83149d839ad41dbf96fa872ab8
SHA256 72812ccb83396b3c5f0fc8c9af4fb652969b30843a92b9c04f0a92190708e919
SHA512 a65eb425ccdc26d0112935aca6f171a1b86e17bba8ee1c48f71b5817e46683fd1692d2e8c0d2a41af08f1a822b8379d67e6e023d40e4dcccb8f55067f79d3d04

memory/3100-11-0x0000000010000000-0x000000001000E000-memory.dmp

memory/3100-12-0x0000000010000000-0x000000001000E000-memory.dmp

memory/1420-14-0x0000000010000000-0x000000001000E000-memory.dmp

memory/3100-15-0x0000000010000000-0x000000001000E000-memory.dmp

memory/3100-17-0x0000000010000000-0x000000001000E000-memory.dmp

memory/3100-18-0x0000000010000000-0x000000001000E000-memory.dmp

memory/3100-20-0x0000000010000000-0x000000001000E000-memory.dmp

memory/3100-22-0x0000000010000000-0x000000001000E000-memory.dmp