Malware Analysis Report

2024-09-23 11:49

Sample ID 240614-q2qdkswhqp
Target 90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d
SHA256 90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d
Tags bootkit persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d

Threat Level: Likely malicious

The file 90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 13:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 13:45

Reported

2024-06-14 13:48

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\1718372767_0\360TS_Setup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\1718372767_0\360TS_Setup.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\1718372767_0\360TS_Setup.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\1718372767_0\360TS_Setup.exe | C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | N/A
File opened for modification | C:\Program Files (x86)\1718372767_0\360TS_Setup.exe | C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\1718372767_0\360TS_Setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe

"C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe"

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo=

C:\Program Files (x86)\1718372767_0\360TS_Setup.exe

"C:\Program Files (x86)\1718372767_0\360TS_Setup.exe" /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | st.p.360safe.com | udp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | s.360safe.com | udp
US | 8.8.8.8:53 | iup.360safe.com | udp
US | 8.8.8.8:53 | tr.p.360safe.com | udp
IE | 54.77.42.29:3478 | st.p.360safe.com | udp
IE | 54.77.42.29:3478 | st.p.360safe.com | udp
DE | 18.184.178.29:80 | s.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
IE | 54.76.174.118:80 | tr.p.360safe.com | udp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
US | 8.8.8.8:53 | 29.42.77.54.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.178.184.18.in-addr.arpa | udp
US | 8.8.8.8:53 | 118.174.76.54.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.71.236.151.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.22.237:443 | g.bing.com | tcp
DE | 18.184.178.29:80 | s.360safe.com | tcp
US | 8.8.8.8:53 | int.down.360safe.com | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
GB | 13.224.81.127:80 | int.down.360safe.com | tcp
GB | 13.224.81.104:80 | int.down.360safe.com | tcp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
GB | 13.224.81.45:80 | int.down.360safe.com | tcp
GB | 13.224.81.127:80 | int.down.360safe.com | tcp
US | 8.8.8.8:53 | 237.22.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
US | 8.8.8.8:53 | sd.p.360safe.com | udp
GB | 18.165.158.200:80 | sd.p.360safe.com | tcp
US | 8.8.8.8:53 | 127.81.224.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.81.224.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.81.224.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.81.224.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.158.165.18.in-addr.arpa | udp
GB | 13.224.81.45:80 | int.down.360safe.com | tcp
GB | 13.224.81.104:80 | int.down.360safe.com | tcp
GB | 13.224.81.127:80 | int.down.360safe.com | tcp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
GB | 13.224.81.104:80 | int.down.360safe.com | tcp
GB | 13.224.81.127:80 | int.down.360safe.com | tcp
GB | 13.224.81.45:80 | int.down.360safe.com | tcp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
DE | 18.184.178.29:80 | s.360safe.com | tcp
DE | 18.184.178.29:80 | s.360safe.com | tcp
US | 8.8.8.8:53 | orion.ts.360.com | udp
NL | 82.145.215.156:443 | orion.ts.360.com | tcp
US | 8.8.8.8:53 | 156.215.145.82.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp
US | 8.8.8.8:53 | ocsp.crlocsp.cn | udp
US | 101.198.193.5:80 | ocsp.crlocsp.cn | tcp
US | 8.8.8.8:53 | 5.193.198.101.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\{C2B9B434-6E2E-42e1-875B-E64FD88B8BAB}.tmp\360P2SP.dll

MD5 fc1796add9491ee757e74e65cedd6ae7
SHA1 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256 bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

memory/4484-9-0x0000000003370000-0x0000000003371000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 ccc8d9de176911a3194584246c9911a6
SHA1 9c3ef9a68250929819a742ea3c476740fd2f230b
SHA256 907dc39171aa7b9ab602b113ffd240b2ceef8df590296337242f275edded096e
SHA512 1563e6083a9467e56d93d8fdb4c35d25380d7a4695589af4fed94ef9e3bfe2c05b96e3f5082a261da432c0a3a40ee13e0181f5394aeec8108182953b6a432dae

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 9762da1629c6f6e76282d00a0ecb3e23
SHA1 ed5600013e3d8c29f1ed85e4dca58795b868f44e
SHA256 e00b52797737e088c6213742a4e42e8da58eb0a30decbc219e09ee1ec2576df4
SHA512 58d3c304766ed09aaffd2d986f9eb26152e442062f18329ff031b5da0c5008f5ab926ea4ea2a1698a9aa3501baff01ce336f4a8fa7642a1e04cab9c24d34dadc

C:\Users\Admin\AppData\Local\Temp\{68D0794A-951F-4840-89D9-13A52BF9AD93}.tmp

MD5 b1ddd3b1895d9a3013b843b3702ac2bd
SHA1 71349f5c577a3ae8acb5fbce27b18a203bf04ede
SHA256 46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c
SHA512 93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

C:\Users\Admin\AppData\Local\Temp\1718372766_00000000_base\360base.dll

MD5 b192f34d99421dc3207f2328ffe62bd0
SHA1 e4bbbba20d05515678922371ea787b39f064cd2c
SHA256 58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73
SHA512 00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

memory/4484-85-0x0000000003370000-0x0000000003371000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 13:45

Reported

2024-06-14 13:48

Platform

win11-20240611-en

Max time kernel

118s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\1718372768_0\360TS_Setup.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\1718372768_0\360TS_Setup.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\1718372768_0\360TS_Setup.exe | C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | N/A
File opened for modification | C:\Program Files (x86)\1718372768_0\360TS_Setup.exe | C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\1718372768_0\360TS_Setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe

"C:\Users\Admin\AppData\Local\Temp\90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d.exe"

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo=

C:\Program Files (x86)\1718372768_0\360TS_Setup.exe

"C:\Program Files (x86)\1718372768_0\360TS_Setup.exe" /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | st.p.360safe.com | udp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | s.360safe.com | udp
US | 8.8.8.8:53 | iup.360safe.com | udp
US | 8.8.8.8:53 | tr.p.360safe.com | udp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
IE | 54.77.42.29:3478 | st.p.360safe.com | udp
IE | 54.77.42.29:3478 | st.p.360safe.com | udp
IE | 54.76.174.118:80 | tr.p.360safe.com | udp
DE | 151.236.71.147:80 | iup.360safe.com | tcp
DE | 18.184.178.29:80 | s.360safe.com | tcp
DE | 18.184.178.29:80 | s.360safe.com | tcp
GB | 13.224.81.127:80 | int.down.360safe.com | tcp
GB | 13.224.81.45:80 | int.down.360safe.com | tcp
GB | 13.224.81.104:80 | int.down.360safe.com | tcp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
GB | 13.224.81.45:80 | int.down.360safe.com | tcp
GB | 18.165.158.188:80 | sd.p.360safe.com | tcp
US | 8.8.8.8:53 | 188.158.165.18.in-addr.arpa | udp
GB | 13.224.81.127:80 | int.down.360safe.com | tcp
GB | 13.224.81.104:80 | int.down.360safe.com | tcp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
GB | 13.224.81.45:80 | int.down.360safe.com | tcp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
GB | 13.224.81.104:80 | int.down.360safe.com | tcp
GB | 13.224.81.127:80 | int.down.360safe.com | tcp
GB | 13.224.81.45:80 | int.down.360safe.com | tcp
GB | 13.224.81.32:80 | int.down.360safe.com | tcp
GB | 13.224.81.104:80 | int.down.360safe.com | tcp
GB | 13.224.81.127:80 | int.down.360safe.com | tcp
DE | 18.184.178.29:80 | s.360safe.com | tcp
DE | 18.184.178.29:80 | s.360safe.com | tcp
NL | 82.145.215.156:443 | orion.ts.360.com | tcp
US | 101.198.193.5:80 | ocsp.crlocsp.cn | tcp
CN | 106.63.24.37:80 | crl.crlocsp.cn | tcp
CN | 101.198.2.196:80 | crl.crlocsp.cn | tcp
US | 52.111.227.13:443 | | tcp
US | 101.198.193.5:80 | ocsp.crlocsp.cn | tcp

Files

C:\Users\Admin\AppData\Local\Temp\{FB78EF75-1FB2-43f2-BBFC-54190EE6706B}.tmp\360P2SP.dll

MD5 fc1796add9491ee757e74e65cedd6ae7
SHA1 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256 bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

memory/3508-10-0x0000000003540000-0x0000000003541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 9762da1629c6f6e76282d00a0ecb3e23
SHA1 ed5600013e3d8c29f1ed85e4dca58795b868f44e
SHA256 e00b52797737e088c6213742a4e42e8da58eb0a30decbc219e09ee1ec2576df4
SHA512 58d3c304766ed09aaffd2d986f9eb26152e442062f18329ff031b5da0c5008f5ab926ea4ea2a1698a9aa3501baff01ce336f4a8fa7642a1e04cab9c24d34dadc

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 ccc8d9de176911a3194584246c9911a6
SHA1 9c3ef9a68250929819a742ea3c476740fd2f230b
SHA256 907dc39171aa7b9ab602b113ffd240b2ceef8df590296337242f275edded096e
SHA512 1563e6083a9467e56d93d8fdb4c35d25380d7a4695589af4fed94ef9e3bfe2c05b96e3f5082a261da432c0a3a40ee13e0181f5394aeec8108182953b6a432dae

C:\Users\Admin\AppData\Local\Temp\{79BCF4E7-FCCC-40be-9FB9-AC614CCCBCD7}.tmp

MD5 b1ddd3b1895d9a3013b843b3702ac2bd
SHA1 71349f5c577a3ae8acb5fbce27b18a203bf04ede
SHA256 46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c
SHA512 93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

C:\Users\Admin\AppData\Local\Temp\1718372768_00000000_base\360base.dll

MD5 b192f34d99421dc3207f2328ffe62bd0
SHA1 e4bbbba20d05515678922371ea787b39f064cd2c
SHA256 58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73
SHA512 00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

memory/3508-72-0x0000000003540000-0x0000000003541000-memory.dmp