Malware Analysis Report

2024-09-23 11:28

Sample ID 240614-zh5tlaygkj
Target SecuriteInfo.com.FileRepMalware.1652.24439.exe
SHA256 f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f
Tags bootkit persistence upx
Score 7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file SecuriteInfo.com.FileRepMalware.1652.24439.exe was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

UPX packed file

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 20:44

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 20:44

Reported

2024-06-14 20:46

Platform

win7-20240611-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup -qt=TXT dlSecuriteInfo.cps5.com

C:\Windows\SysWOW64\nslookup.exe

nslookup -qt=TXT dlwebSecuriteInfo.cps5.com

Network


Files

\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

MD5 50c266e46ccf9bc8956279f78d51f205
SHA1 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839
SHA256 c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00
SHA512 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 20:44

Reported

2024-06-14 20:46

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup -qt=TXT dlSecuriteInfo.cps5.com

C:\Windows\SysWOW64\nslookup.exe

nslookup -qt=TXT dlwebSecuriteInfo.cps5.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

MD5 50c266e46ccf9bc8956279f78d51f205
SHA1 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839
SHA256 c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00
SHA512 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37
