Malware Analysis Report

2024-09-09 12:17

Sample ID 240625-2gnvssxfpg
Target 63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2
SHA256 63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2
Tags
upx bootkit oss_ak persistence
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2

Threat Level: Likely malicious

The file 63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2 was found to be: Likely malicious.

Malicious Activity Summary

upx bootkit oss_ak persistence

detect oss ak

Loads dropped DLL

UPX packed file

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-25 22:33

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
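The two static1 signatures above come from structural checks on the PE headers that an analyst can reproduce without the sandbox. The script below is an added example, not code from the report or the sandbox vendor: it walks the PE header, flags UPX both by section name and by the packer's layout (an empty unpack-target section next to a high-entropy payload section), and reports "unsigned" when the security data directory is empty. The image it analyses is constructed in make_sample_pe() and stands in for the real sample, which the page does not include.

```python
"""
Added example, not part of the sandbox report: a minimal static check that
reproduces the static1 signatures "UPX packed file" and "Unsigned PE" by
parsing a PE image directly. The image it analyses is constructed in
make_sample_pe() and stands in for the real sample, which the page does not
include.
"""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # Data directories begin at optional-header offset 96 (PE32) or 112 (PE32+);
    # entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY, the embedded Authenticode blob.
    dd_off = opt + (96 if magic == 0x10B else 112)
    _cert_off, cert_size = struct.unpack_from("<II", image, dd_off + 4 * 8)
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sect_tbl + i * 40)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return {"machine": machine, "cert_size": cert_size, "sections": sections}


def looks_upx_packed(pe: dict) -> bool:
    """Name match is the cheap check; the layout heuristic survives renamed
    sections: an empty section with a large virtual size (the unpack target)
    next to a high-entropy section (the compressed payload)."""
    names = {s["name"] for s in pe["sections"]}
    by_name = bool(names & UPX_SECTION_NAMES)
    empty_target = any(s["raw_size"] == 0 and s["virtual_size"] > 0 for s in pe["sections"])
    packed_payload = any(s["entropy"] > 7.0 for s in pe["sections"])
    return by_name or (empty_target and packed_payload)


def is_unsigned(pe: dict) -> bool:
    """No security directory means no embedded Authenticode signature
    (catalog-signed files are not covered by this check)."""
    return pe["cert_size"] == 0


def make_sample_pe() -> bytes:
    """Constructed PE32 image shaped like a UPX-packed, unsigned executable."""
    e_lfanew, opt_size, raw_ptr = 0x80, 224, 0x400
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32, every data directory zeroed
    payload, seed = b"", b"constructed"
    while len(payload) < 4096:          # deterministic high-entropy bytes via a hash chain
        seed = hashlib.sha256(seed).digest()
        payload += seed
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x40000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", len(payload), 0x41000, len(payload), raw_ptr,
                       0, 0, 0, 0, 0xE0000040)
    return (dos + b"PE\0\0" + coff + opt + upx0 + upx1).ljust(raw_ptr, b"\0") + payload


def triage(image: bytes) -> dict:
    pe = parse_pe(image)
    return {"upx": looks_upx_packed(pe), "unsigned": is_unsigned(pe),
            "sections": [(s["name"].decode(), round(s["entropy"], 2)) for s in pe["sections"]]}


if __name__ == "__main__":
    print(triage(make_sample_pe()))
```

Run it against the real file by replacing make_sample_pe() with open(path, "rb").read(). Two caveats: a packer stub can rename UPX0/UPX1, which is why the layout and entropy test is kept alongside the name test, and an empty security directory only shows that no signature is embedded in the file; it says nothing about catalog signing.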

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 22:33

Reported

2024-06-25 22:35

Platform

win7-20240221-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe"

Signatures

detect oss ak

oss_ak
Description Indicator Process Target
12 rows, all N/A (no description, indicator, process or target recorded for any match)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262558.dll N/A

UPX packed file

upx
Description Indicator Process Target
41 rows, all N/A (no description, indicator, process or target recorded for any match)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

"C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe"

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262558.dll

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262558.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E7%A9%BA%E9%97%B4%E8%AE%BF%E5%AE%A2%E7%9B%91%E6%8E%A7%E6%8F%90%20
(the percent-encoded argument decodes to the UTF-8 string 骨头QQ空间访客监控提 followed by a space; 骨头 is "Gutou", the same name as the gutou* contact domains below, and QQ空间访客监控 reads "QQ Zone visitor monitoring")

Network

Country Destination Domain Proto
US 8.8.8.8:53 d.gutousoft.com udp
CN 120.24.75.226:80 d.gutousoft.com tcp
US 8.8.8.8:53 d8.gutou.link udp
CN 120.24.75.226:80 d8.gutou.link tcp
US 8.8.8.8:53 vip.gutou.cc udp
US 8.8.8.8:53 y.gutousoft.com udp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 y.gutousoft.com tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
US 8.8.8.8:53 vip2.gutou.cc udp
CN 120.24.75.226:80 vip2.gutou.cc tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 vip2.gutou.cc tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 vip2.gutou.cc tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 vip2.gutou.cc tcp

Files

memory/1912-0-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-1-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-4-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-37-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-53-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-52-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-49-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-47-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-45-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-42-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-40-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-34-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-54-0x0000000002600000-0x0000000002672000-memory.dmp

memory/1912-55-0x0000000002600000-0x0000000002672000-memory.dmp

memory/1912-31-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-29-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-25-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-24-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-22-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-19-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-17-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-15-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-10-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-11-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-8-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-3-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-2-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-58-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-60-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1912-62-0x0000000002600000-0x0000000002672000-memory.dmp

memory/1912-64-0x0000000000400000-0x0000000000838200-memory.dmp

\Users\Admin\AppData\Local\Temp\data\Bugreport-262558.dll

MD5 7fdb3cf6274195df5710ee4d4b8a79cd
SHA1 3066dd0d224310f2fb611bcb859830507d34bf29
SHA256 c02a8a03e0e9ea75d6d125afb2480b2d18df3aa6b01c4676b9e47c16a26e6fe2
SHA512 2fb62592a872a0e344fa6c7b73eafa393bd5c638b881bd38e087921adc42032a59b837826b5dea670124e7e9e877dc83d18645404fec146abda3afb56fc708df

memory/1912-72-0x0000000004A40000-0x0000000004A78000-memory.dmp

memory/1600-79-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1912-78-0x0000000004A40000-0x0000000004A78000-memory.dmp

memory/1600-96-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

MD5 5f6e15c1e9e6f5692e131222cc026a91
SHA1 9ebde1096802864802a53ea64269e2c000fbf624
SHA256 79249b50cb8da364ad4f0b76394ad587e6c45da314ee72c98057bf070afb61bc
SHA512 d9b12ce4df8c35e53233cc526d450f9bb9265d28129209247e891751b4ea51290572f35a393a1f811f18062bf2c136f9d971589873d9176169b14fd13dac1255

C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

MD5 6f9cbd7ce5b4f59737a3f10ed8fb632b
SHA1 bd592062b4bb145efaddcf164da6f64ad9b75844
SHA256 69d885a370e7311c792a4f56f341190be0ce19dc39eaee7f0f294ff717af4603
SHA512 7362014c048dc3b92c983fb3dc93fa8dd0938aea8a057aae6f93645de603cfe7d349cee16ef7d2e82548024157f1786f9758576385baf47533c5e454b6b1dd90

memory/1912-102-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-107-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-116-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-121-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-130-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-134-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-135-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-136-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-137-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1912-138-0x0000000000400000-0x0000000000838200-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 22:33

Reported

2024-06-25 22:35

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe"

Signatures

detect oss ak

oss_ak
Description Indicator Process Target
12 rows, all N/A (no description, indicator, process or target recorded for any match)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524766.dll N/A

UPX packed file

upx
Description Indicator Process Target
41 rows, all N/A (no description, indicator, process or target recorded for any match)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe N/A
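In both behavioral runs the only evidence for the bootkit tag is the handle opened for modification on \??\PhysicalDrive0; the sandbox does not show what, if anything, was written. The script below is an added example, not part of the report, of the check an incident responder runs on a host to answer that question: parse sector 0, hash the 446-byte bootstrap area, decode the partition table, and diff against a known-good copy. Both 512-byte images are constructed in-line (make_baseline_mbr, make_bootkit_mbr); read_live_mbr() reads the real device and is not called by the demo.

```python
"""
Added example, not part of the sandbox report: an MBR integrity check of the
kind you run on a host after a sample has been seen opening
\\??\\PhysicalDrive0 for modification. Both 512-byte images are constructed
in-line; reading the real first sector is left to read_live_mbr(), which
needs administrator rights on Windows.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0-445: bootstrap code (what a bootkit overwrites)
PART_TABLE_OFF = 446         # four 16-byte partition entries, then 0x55AA at 510


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # status, CHS start (3, skipped), type, CHS end (3, skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == b"\x55\xaa"}


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Findings relative to a known-good copy; an empty list means no change."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-445) modified")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table modified")
    return findings


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk (Windows, elevated): the same device the
    sample opened for writing. Not called by the demo."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def make_baseline_mbr() -> bytes:
    """Constructed known-good MBR: filler boot code and one bootable NTFS (0x07) partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x90")
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + part0 + b"\0" * 48 + b"\x55\xaa"


def make_bootkit_mbr(baseline: bytes) -> bytes:
    """Simulated infection: bootstrap code replaced, partition table kept intact so
    the machine still boots and nothing looks wrong from inside the OS."""
    hijacked = (b"\xEB\x3C" + hashlib.sha256(b"stage2-loader").digest()).ljust(BOOT_CODE_LEN, b"\0")
    return hijacked + baseline[BOOT_CODE_LEN:]


if __name__ == "__main__":
    good = make_baseline_mbr()
    print("clean:", compare_mbr(good, good))
    print("infected:", compare_mbr(good, make_bootkit_mbr(good)))
```

Take the baseline from an offline image or a clean install rather than from the suspect host, since a bootkit that is already resident can filter reads of sector 0. On a GPT/UEFI disk sector 0 holds only a protective MBR (partition type 0xEE), so a clean result there says nothing about the EFI system partition, which needs its own comparison.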

Processes

C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

"C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe"

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524766.dll

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524766.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E7%A9%BA%E9%97%B4%E8%AE%BF%E5%AE%A2%E7%9B%91%E6%8E%A7%E6%8F%90%20
(the percent-encoded argument decodes to the UTF-8 string 骨头QQ空间访客监控提 followed by a space; 骨头 is "Gutou", the same name as the gutou* contact domains below, and QQ空间访客监控 reads "QQ Zone visitor monitoring")

Network

Country Destination Domain Proto
US 8.8.8.8:53 d.gutousoft.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
CN 120.24.75.226:80 d.gutousoft.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 d8.gutou.link udp
CN 120.24.75.226:80 d8.gutou.link tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 y.gutousoft.com udp
US 8.8.8.8:53 vip.gutou.cc udp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 y.gutousoft.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 203.195.236.181:80 vip.gutou.cc tcp
US 8.8.8.8:53 vip2.gutou.cc udp
CN 120.24.75.226:80 vip2.gutou.cc tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 vip2.gutou.cc tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 vip2.gutou.cc tcp
US 52.111.227.13:443 tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 vip2.gutou.cc tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
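The behavioral1 and behavioral2 network tables mix three kinds of rows: the sample's own HTTP contacts to gutou* hosts on port 80, the sandbox resolver traffic to 8.8.8.8:53 (including in-addr.arpa reverse lookups), and, in the win10 run only, flows to Microsoft hosts. The script below is an added example, not part of the report, that reduces both tables to a de-duplicated IOC list. SAMPLE_ROWS is copied from the tables above; NOISE_SUFFIXES is an assumption that the bing.com / bing.net flows are operating-system background traffic rather than the sample's, which the report itself does not state.

```python
"""
Added example, not part of the sandbox report: turning the behavioral1 and
behavioral2 network tables into a de-duplicated IOC list, separating the
sample's own HTTP contacts from resolver traffic, reverse lookups and sandbox
background traffic. SAMPLE_ROWS is copied from the report's tables;
NOISE_SUFFIXES is an assumption about what counts as operating-system
background traffic on the win10 image, which the report itself does not state.
"""
import ipaddress

NOISE_SUFFIXES = (".bing.com", ".bing.net")   # assumed Win10 background traffic, not the sample's

SAMPLE_ROWS = """\
US 8.8.8.8:53 d.gutousoft.com udp
CN 120.24.75.226:80 d.gutousoft.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 d8.gutou.link udp
CN 120.24.75.226:80 d8.gutou.link tcp
US 8.8.8.8:53 vip.gutou.cc udp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 y.gutousoft.com tcp
CN 203.195.236.181:80 vip.gutou.cc tcp
CN 120.24.75.226:80 vip2.gutou.cc tcp
US 52.111.227.13:443 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""


def parse_rows(text: str) -> list:
    """One dict per flow. A row with three fields has no domain recorded."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_noise(domain) -> bool:
    return domain is not None and domain.endswith(NOISE_SUFFIXES)


def extract_iocs(text: str) -> dict:
    contacts, queried, noise, unattributed = set(), set(), set(), set()
    for r in parse_rows(text):
        if r["domain"] and r["domain"].endswith(".in-addr.arpa"):
            continue                                  # sandbox reverse lookups, not sample activity
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"] and not is_noise(r["domain"]):
                queried.add(r["domain"])              # the resolver (8.8.8.8) is shared infrastructure
            continue
        if r["domain"] is None:
            unattributed.add((r["ip"], r["port"]))    # a flow with no name: review by hand
        elif is_noise(r["domain"]):
            noise.add(r["domain"])
        else:
            contacts.add((r["ip"], r["port"], r["domain"]))
    return {
        "contacts": sorted(contacts),
        "domains": sorted({d for _, _, d in contacts} | queried),
        "ips": sorted({ip for ip, _, _ in contacts}, key=ipaddress.ip_address),
        "unattributed": sorted(unattributed),
        "noise": sorted(noise),
    }


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_ROWS).items():
        print(f"{key}: {values}")
```

The resolver address is deliberately never emitted as an IOC, and rows without a domain (52.111.227.13:443 in the win10 run) are kept in a separate bucket rather than silently dropped or silently blocked: the table gives no name for that flow, so whether it belongs to the sample or to the platform has to be decided from a capture, not from this script.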

Files

memory/1568-0-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-2-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-1-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-43-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-44-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-45-0x00000000029F0000-0x0000000002A62000-memory.dmp

memory/1568-46-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-41-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-38-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-36-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-34-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-32-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-26-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-24-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-20-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-18-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-49-0x00000000029F0000-0x0000000002A62000-memory.dmp

memory/1568-12-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-10-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-8-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-6-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-3-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-4-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-30-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-28-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-22-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-16-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-14-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1568-50-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-52-0x00000000029F0000-0x0000000002A62000-memory.dmp

memory/1568-54-0x0000000000400000-0x0000000000838200-memory.dmp

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524766.dll

MD5 e3105546c42d458f5e948fafe709e2d6
SHA1 4b5c829757958c1fbf4e04aa3480e23b88c5e487
SHA256 f3dd5612e47e4ace9795322f3c3bde17d11f02df9fdd2a2f474607728c2f13c1
SHA512 c09add59aee3146df488409a1fc078dc26e675cff102e7f928ebaf4bb8d5bf87c7866caa1d8208a4c67c4c5d236a4853b90e936735eec7534ffd0d44d4b513d0

memory/372-63-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

MD5 0f3c9acdab0663bb10b483412e2204dc
SHA1 f5f5348aec1279e68c09d405daa7f428dd491421
SHA256 1fec17599f37beb5f1338e6fafcafca8048c745253d12f7ddc8e69044d28776a
SHA512 99f7e8e3b4d8436b44e82c75c4d00a50f2e09ef1a17167c1a4d54d5a2f88788052c78d1b0f234b89dd572721c9c0e0fcdf8a3a20633d11d5172f45f043284e23

C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

MD5 fdf8fb8cbbfbb87d9ac44966ba53678a
SHA1 fd306c570e8c02a66c731d6e054e941a60f64d45
SHA256 0ee6fba0f70dd3be82a7398b5c2564baaf2a346287fe45c79324cab92f62fb9c
SHA512 c37243d5c4d370a041f03b3e54d4111c9d300fff63db7397cae066ec2a86cd829b9e2f41af45a1ecf6701f337068fcf8af45706add719ca13630c478701cf92f

memory/372-80-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1568-82-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-91-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-100-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-105-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-114-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-118-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-119-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-120-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-121-0x0000000000400000-0x0000000000838200-memory.dmp

memory/1568-122-0x0000000000400000-0x0000000000838200-memory.dmp