Analysis Overview
SHA256
9d451e048ca401bc0213e962f33e8dd986649aa61b820d295284d10f13439ac2
Threat Level: Shows suspicious behavior
The file node_exporter-Agent-Linux.7z was found to show suspicious behavior.
Malicious Activity Summary
Checks hardware identifiers (DMI)
Reads hardware information
Reads CPU attributes
Reads runtime system information
Enumerates kernel/hardware configuration
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 07:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 07:14
Reported
2024-06-28 07:35
Platform
win7-20240221-en
Max time kernel
846s
Max time network
850s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\LICENSE
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 07:14
Reported
2024-06-28 07:35
Platform
win10v2004-20240508-en
Max time kernel
451s
Max time network
1170s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\LICENSE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-28 07:14
Reported
2024-06-28 07:35
Platform
win7-20240221-en
Max time kernel
841s
Max time network
845s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\NOTICE
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-28 07:14
Reported
2024-06-28 07:35
Platform
win10v2004-20240611-en
Max time kernel
450s
Max time network
1173s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\node_exporter-Agent-Linux\NOTICE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-28 07:14
Reported
2024-06-28 07:20
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
240s
Max time network
182s
Command Line
Signatures
Checks hardware identifiers (DMI)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/class/dmi/id/bios_vendor | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/product_name | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/sys_vendor | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
Reads hardware information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/class/dmi/id/product_serial | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/product_sku | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/chassis_vendor | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/bios_version | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/chassis_type | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/product_uuid | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/chassis_asset_tag | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/bios_release | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/chassis_serial | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/chassis_version | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/product_family | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/product_version | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id/bios_date | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/devices/system/cpu/isolated | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
| File opened for reading | /sys/class/dmi/id | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/net/core/somaxconn | /tmp/node_exporter-Agent-Linux/node_exporter | N/A |
Processes
/tmp/node_exporter-Agent-Linux/node_exporter
[/tmp/node_exporter-Agent-Linux/node_exporter]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.54:443 | api.snapcraft.io | tcp |
| US | 8.8.8.8:53 | api.snapcraft.io | udp |
| GB | 185.125.188.58:443 | api.snapcraft.io | tcp |