Malware Analysis Report

2025-01-03 09:07

Sample ID 240620-l7yvpawdlk
Target 553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59
SHA256 553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59
Tags
bootkit persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59

Threat Level: Shows suspicious behavior

The file 553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence spyware stealer

Reads user/profile data of web browsers

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 10:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 10:11

Reported

2024-06-20 10:13

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe

"C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | stats.securebrowser.com | udp
US | 8.8.8.8:53 | stats.securebrowser.com | udp
US | 8.8.8.8:53 | stats.securebrowser.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\jsis.dll

MD5 2027121c3cdeb1a1f8a5f539d1fe2e28
SHA1 bcf79f49f8fc4c6049f33748ded21ec3471002c2
SHA256 1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1
SHA512 5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\nsJSON.dll

MD5 f840a9ddd319ee8c3da5190257abde5b
SHA1 3e868939239a5c6ef9acae10e1af721e4f99f24b
SHA256 ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a
SHA512 8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\JsisPlugins.dll

MD5 d21ae3f86fc69c1580175b7177484fa7
SHA1 2ed2c1f5c92ff6daa5ea785a44a6085a105ae822
SHA256 a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450
SHA512 eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\StdUtils.dll

MD5 34939c7b38bffedbf9b9ed444d689bc9
SHA1 81d844048f7b11cafd7561b7242af56e92825697
SHA256 b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0
SHA512 bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

C:\Users\Admin\AppData\Local\Temp\{AD14893C-6B83-4ACF-928D-67D8D22F8718}\scrt.dll

MD5 f36f05628b515262db197b15c7065b40
SHA1 74a8005379f26dd0de952acab4e3fc5459cde243
SHA256 67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31
SHA512 280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\thirdparty.dll

MD5 7b4bd3b8ad6e913952f8ed1ceef40cd4
SHA1 b15c0b90247a5066bd06d094fa41a73f0f931cb8
SHA256 a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754
SHA512 d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\Midex.dll

MD5 2597a829e06eb9616af49fcd8052b8bd
SHA1 871801aba3a75f95b10701f31303de705cb0bc5a
SHA256 7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87
SHA512 8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\CR.History.tmp

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\FF.places.tmp

MD5 8893dfa5ec4242a611d84e73ae9b1285
SHA1 db5c47e24f359fe7fbfa83cf2547ee7d4a78cb32
SHA256 631b7211917f7d40aff81bbe5cbb383c1570198fec51d29cabb827f006bd94ff
SHA512 ad1a66132aae4066649dc20e6ba046ee1dda3f2251052783ff39e0f7bee02c4c5d606a727c68a2ba58d309454e8ac91f96317d08b94fc4072891a3d979d415ef

C:\Users\Admin\AppData\Local\Temp\nsz448D.tmp\CR.History.tmp

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 10:11

Reported

2024-06-20 10:13

Platform

win11-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe

"C:\Users\Admin\AppData\Local\Temp\553d54c9e19d3cf794bb974a20a01a431b59fc3abce77235a9a7f8bf617d5a59.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | stats.securebrowser.com | udp
US | 104.20.87.8:443 | stats.securebrowser.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.87.20.104.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\jsis.dll

MD5 2027121c3cdeb1a1f8a5f539d1fe2e28
SHA1 bcf79f49f8fc4c6049f33748ded21ec3471002c2
SHA256 1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1
SHA512 5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\nsJSON.dll

MD5 f840a9ddd319ee8c3da5190257abde5b
SHA1 3e868939239a5c6ef9acae10e1af721e4f99f24b
SHA256 ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a
SHA512 8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\JsisPlugins.dll

MD5 d21ae3f86fc69c1580175b7177484fa7
SHA1 2ed2c1f5c92ff6daa5ea785a44a6085a105ae822
SHA256 a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450
SHA512 eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\StdUtils.dll

MD5 34939c7b38bffedbf9b9ed444d689bc9
SHA1 81d844048f7b11cafd7561b7242af56e92825697
SHA256 b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0
SHA512 bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

C:\Users\Admin\AppData\Local\Temp\{101CC715-568B-4026-A80E-5C03A13E2221}\scrt.dll

MD5 f36f05628b515262db197b15c7065b40
SHA1 74a8005379f26dd0de952acab4e3fc5459cde243
SHA256 67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31
SHA512 280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\thirdparty.dll

MD5 7b4bd3b8ad6e913952f8ed1ceef40cd4
SHA1 b15c0b90247a5066bd06d094fa41a73f0f931cb8
SHA256 a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754
SHA512 d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\Midex.dll

MD5 2597a829e06eb9616af49fcd8052b8bd
SHA1 871801aba3a75f95b10701f31303de705cb0bc5a
SHA256 7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87
SHA512 8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\CR.History.tmp

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\FF.places.tmp

MD5 1b27d385f918c09cbaaa8e66a75ed1c0
SHA1 b1042be485cf2070becca5ec541a8254b8e19ede
SHA256 4f09c927663ea12d15ebd872788d257730fb27fb40ee6c94e6e6d75f47158fb1
SHA512 0e1f2917123ae41397021c5afa0f74e70955510e0009d6e35ca11a4dc9295fe2602fb7b89d31ed2ebd632c4b896b58e621dee24cf3be8ad27dce42a19698d811

C:\Users\Admin\AppData\Local\Temp\nsi6870.tmp\CR.History.tmp

MD5 4e2922249bf476fb3067795f2fa5e794
SHA1 d2db6b2759d9e650ae031eb62247d457ccaa57d2
SHA256 c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1
SHA512 8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da