Malware Analysis Report

2024-10-16 05:30

Sample ID 240628-h25jhazejk
Target node_exporter-Agent-Linux.7z
SHA256 9d451e048ca401bc0213e962f33e8dd986649aa61b820d295284d10f13439ac2
Tags
antivm
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

9d451e048ca401bc0213e962f33e8dd986649aa61b820d295284d10f13439ac2

Threat Level: Shows suspicious behavior

The file node_exporter-Agent-Linux.7z was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Checks hardware identifiers (DMI)

Reads hardware information

Reads CPU attributes

Reads runtime system information

Enumerates kernel/hardware configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 07:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 07:14

Reported

2024-06-28 07:35

Platform

win7-20240221-en

Max time kernel

846s

Max time network

850s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\LICENSE

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 07:14

Reported

2024-06-28 07:35

Platform

win10v2004-20240508-en

Max time kernel

451s

Max time network

1170s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\LICENSE

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-28 07:14

Reported

2024-06-28 07:35

Platform

win7-20240221-en

Max time kernel

841s

Max time network

845s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\NOTICE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\NOTICE

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-28 07:14

Reported

2024-06-28 07:35

Platform

win10v2004-20240611-en

Max time kernel

450s

Max time network

1173s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\NOTICE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\NOTICE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-28 07:14

Reported

2024-06-28 07:20

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

240s

Max time network

182s

Command Line

[/tmp/node_exporter-Agent-Linux/node_exporter]

Signatures

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/bios_vendor /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/product_name /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/sys_vendor /tmp/node_exporter-Agent-Linux/node_exporter N/A

Reads hardware information

Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_serial /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/product_sku /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/chassis_vendor /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/bios_version /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/chassis_type /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/product_uuid /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/chassis_asset_tag /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/bios_release /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/chassis_serial /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/chassis_version /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/product_family /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/product_version /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id/bios_date /tmp/node_exporter-Agent-Linux/node_exporter N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/isolated /tmp/node_exporter-Agent-Linux/node_exporter N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/node_exporter-Agent-Linux/node_exporter N/A
File opened for reading /sys/class/dmi/id /tmp/node_exporter-Agent-Linux/node_exporter N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/net/core/somaxconn /tmp/node_exporter-Agent-Linux/node_exporter N/A

Processes

/tmp/node_exporter-Agent-Linux/node_exporter

[/tmp/node_exporter-Agent-Linux/node_exporter]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 api.snapcraft.io udp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.54:443 api.snapcraft.io tcp
US 8.8.8.8:53 api.snapcraft.io udp
GB 185.125.188.58:443 api.snapcraft.io tcp

Files

N/A