Malware Analysis Report

2025-01-22 13:05

Sample ID 240626-ev4rvavbjg
Target 36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb
SHA256 36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb
Tags
bootkit persistence vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb

Threat Level: Shows suspicious behavior

The file 36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence vmprotect

VMProtect packed file

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 04:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 04:16

Reported

2024-06-26 04:19

Platform

win7-20240611-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe

"C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic BaseBoard get SerialNumber

Network

Country Destination Domain Proto
US 8.8.8.8:53 zhuyan.diyidongli.com udp
CN 101.132.187.26:80 zhuyan.diyidongli.com tcp

Files

\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

MD5 7568384741228f507442fcbfd2ba4d0b
SHA1 e4aa3772f6022bad7f4d1936be60f7266086cc5e
SHA256 1a90ed1033b4efd63299b389af948cc209531ce29de204b24552de59251a8fdf
SHA512 f4a911b6b91a1162554dc43d038c369d85ae4eec7cdc7e0b5faca00f4f94862ae10414c4797300ac8d61904eb4afcc1126304de2e296291d4db4f79203d4fc1b

\Users\Admin\AppData\Local\Temp\data.dll

MD5 22ec14d2b15f50d872a9befc5fdf4ad4
SHA1 f4347c8222b62b152608baeebe54776ad9cde997
SHA256 b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
SHA512 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240

C:\zmtdz.ini

MD5 cf7fab9988a0b28e33174253589f9249
SHA1 a1b428cc3c9a913fb3273609058636ea8b2d9e13
SHA256 7f3326915b480f8c994e3773573ced2b3ebeac66958983c9c9e52e04b9f5de74
SHA512 48147621a20eeb1d31afaf8be7406e77eb4fa9ea25bd5636ada67c08a1ae4009c54f6bc5767a8c7079dd851f1d40484202ec841cf8a870e520478859d936ac2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 04:16

Reported

2024-06-26 04:19

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe

"C:\Users\Admin\AppData\Local\Temp\36c863666fc9244818c17cd0986c04a193a1638c6e3b886da5320e7d54b736eb.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic BaseBoard get SerialNumber

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 zhuyan.diyidongli.com udp
CN 101.132.187.26:80 zhuyan.diyidongli.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.187.132.101.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

MD5 7568384741228f507442fcbfd2ba4d0b
SHA1 e4aa3772f6022bad7f4d1936be60f7266086cc5e
SHA256 1a90ed1033b4efd63299b389af948cc209531ce29de204b24552de59251a8fdf
SHA512 f4a911b6b91a1162554dc43d038c369d85ae4eec7cdc7e0b5faca00f4f94862ae10414c4797300ac8d61904eb4afcc1126304de2e296291d4db4f79203d4fc1b

C:\Users\Admin\AppData\Local\Temp\data.dll

MD5 22ec14d2b15f50d872a9befc5fdf4ad4
SHA1 f4347c8222b62b152608baeebe54776ad9cde997
SHA256 b9c15cc65e80aa0f4332c86e8323f2a2a6840ad46a784dd6391a124a6f792590
SHA512 28a59bb59ee66b93b1792177f9eaef13e9696b4b4c6e5427e98608e28cd1fb56a5765dd07ccfc30651eaf79d24610b79e12d1454ef50a79ef30a0074aa5f5240
