Malware Analysis Report

2024-10-10 07:51

Sample ID 240615-rsf9zsxeqq
Target Malaka_Executor_V4.2.rar
SHA256 2f78e9f4886465f1abd7e6d24781ee927a8691639d51d77388a43d465c5291a3
Tags
themida
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2f78e9f4886465f1abd7e6d24781ee927a8691639d51d77388a43d465c5291a3

Threat Level: Shows suspicious behavior

The file Malaka_Executor_V4.2.rar was found to be: Shows suspicious behavior.

Malicious Activity Summary

themida

Themida packer

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 14:27

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 14:27

Reported

2024-06-15 14:30

Platform

win11-20240508-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Malaka Executor (2).exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Malaka Executor (2).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Malaka Executor (2).exe

"C:\Users\Admin\AppData\Local\Temp\Malaka Executor (2).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1444-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp

memory/1444-1-0x000002E128D10000-0x000002E128DAA000-memory.dmp

memory/1444-2-0x000002E129460000-0x000002E12949E000-memory.dmp

memory/1444-3-0x000002E1294A0000-0x000002E1294A6000-memory.dmp

memory/1444-4-0x000002E143640000-0x000002E143802000-memory.dmp

memory/1444-5-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/1444-6-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 14:27

Reported

2024-06-15 14:30

Platform

win11-20240508-en

Max time kernel

131s

Max time network

144s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Readme.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 1448 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Readme.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Readme.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 14:27

Reported

2024-06-15 14:30

Platform

win11-20240508-en

Max time kernel

98s

Max time network

110s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Malaka_Executor_V4.2.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 4284 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1208 wrote to memory of 4284 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Malaka_Executor_V4.2.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Malaka_Executor_V4.2.rar"

Network

Country Destination Domain Proto
GB 88.221.135.16:443 tcp
GB 95.101.143.219:443 tcp
GB 88.221.135.11:443 tcp
GB 88.221.135.27:443 tcp
GB 88.221.134.249:443 tcp

Files

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

MD5 7fa148995311365735f6833f7c2ece08
SHA1 aa5b41b83798245a6cbdf07030baf5a2f6c19786
SHA256 494cc65065d6e4e0faf7590319aab632c9920918001da72234203c8249be068b
SHA512 397a3ddd255bbe14932a0370fc8366dc70ea4376fffc65a8f7339b1b4559347219c0c4e29c4fa31b3ea8d0a17aee1852993054d2e2745b79b6b1f4e823fe65f8

memory/4284-24-0x00007FFB84C40000-0x00007FFB84C74000-memory.dmp

memory/4284-23-0x00007FF69FCF0000-0x00007FF69FDE8000-memory.dmp

memory/4284-25-0x00007FFB72D80000-0x00007FFB73036000-memory.dmp

memory/4284-26-0x00007FFB71AA0000-0x00007FFB72B50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 14:27

Reported

2024-06-15 14:30

Platform

win11-20240508-en

Max time kernel

145s

Max time network

154s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Malaka Api.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Malaka Api.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3252-0-0x0000000180000000-0x0000000180C44000-memory.dmp