Malware Analysis Report

2025-01-06 12:11

Sample ID 240614-flc37szcqp
Target ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95
SHA256 ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95
Tags
upx evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95

Threat Level: Known bad

The file ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95 was found to be: Known bad.

Malicious Activity Summary

upx evasion

Detects Windows executables referencing non-Windows User-Agents

UPX dump on OEP (original entry point)

Detects Windows executables referencing non-Windows User-Agents

UPX dump on OEP (original entry point)

Sets file to hidden

UPX packed file

Deletes itself

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:57

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:57

Reported

2024-06-14 04:59

Platform

win7-20240611-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe"

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\rwmhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\rwmhost.exe C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe N/A
File opened for modification C:\Windows\Debug\rwmhost.exe C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe N/A
File opened for modification C:\Windows\Debug\rwmhost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe

"C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe

C:\Windows\Debug\rwmhost.exe

C:\Windows\Debug\rwmhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DDBA03~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 ucLwUjkDQy.nnnn.eu.org udp
US 8.8.8.8:53 XffF82Q8T2.nnnn.eu.org udp
US 8.8.8.8:53 7LqRtWtjhk.nnnn.eu.org udp
US 8.8.8.8:53 hXXcUNrQy.nnnn.eu.org udp
US 8.8.8.8:53 HEEHvyMzg.nnnn.eu.org udp

Files

memory/1440-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\Debug\rwmhost.exe

MD5 db20c7a9550f389bbba29296b651f4bd
SHA1 885a216a674fff5050fd4a23ac989e634382f0c4
SHA256 21f5c765679c59ccd0ecd04ab4a6cf15ac7860ca87ec556145cd813479f7f461
SHA512 bfd85c2409a0326ca20e625dedea1388d3c94df0625a90a2efaf4e170482b57896a3f647a9d4af41e9a73a4171870b91514a3843b671af8c806876126dd42c89

memory/1880-5-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1880-7-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1880-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1880-13-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1880-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1880-19-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:57

Reported

2024-06-14 04:59

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe"

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\lyghost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\lyghost.exe C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe N/A
File opened for modification C:\Windows\Debug\lyghost.exe C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe N/A
File opened for modification C:\Windows\Debug\lyghost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe

"C:\Users\Admin\AppData\Local\Temp\ddba039d2e645602626e09ac9b6a305edadd56464966419d09f33d3b0a793d95.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\lyghost.exe

C:\Windows\Debug\lyghost.exe

C:\Windows\Debug\lyghost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DDBA03~1.EXE > nul

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3368,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 ucLwUjkDQy.nnnn.eu.org udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 UpW8lDDL9g.nnnn.eu.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4VEJ2hxtu.nnnn.eu.org udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 hXXcUNrQy.nnnn.eu.org udp
US 8.8.8.8:53 HEEHvyMzg.nnnn.eu.org udp

Files

memory/220-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\Debug\lyghost.exe

MD5 db20c7a9550f389bbba29296b651f4bd
SHA1 885a216a674fff5050fd4a23ac989e634382f0c4
SHA256 21f5c765679c59ccd0ecd04ab4a6cf15ac7860ca87ec556145cd813479f7f461
SHA512 bfd85c2409a0326ca20e625dedea1388d3c94df0625a90a2efaf4e170482b57896a3f647a9d4af41e9a73a4171870b91514a3843b671af8c806876126dd42c89

memory/220-6-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1532-7-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1532-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1532-13-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1532-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1532-18-0x0000000000400000-0x0000000000414000-memory.dmp