Malware Analysis Report

2024-09-09 12:19

Sample ID: 240630-tvnsystfjn
Target: 43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017
SHA256: 43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017
Tags: bootkit oss_ak persistence upx
Score: 9/10


Analysis Overview

Score: 9/10

SHA256: 43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017

Threat Level: Likely malicious

The file 43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017 was found to be: Likely malicious.

Malicious Activity Summary

bootkit oss_ak persistence upx

detect oss ak

UPX packed file

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-30 16:22

Signatures

detect oss ak (oss_ak)
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-30 16:22
Reported: 2024-06-30 16:25
Platform: win10v2004-20240508-en
Max time kernel: 54s
Max time network: 63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017.exe"

Signatures

detect oss ak (oss_ak)
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
(4 identical rows, no details reported)

UPX packed file (upx)
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
(23 identical rows, no details reported)

Writes to the Master Boot Record (MBR) (bootkit persistence)
Description                   Indicator            Process                                                                                                                   Target
File opened for modification  \??\PhysicalDrive0   C:\Users\Admin\AppData\Local\Temp\43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017.exe

"C:\Users\Admin\AppData\Local\Temp\43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017.exe"

Network

Country  Destination           Domain                 Proto
CN       122.51.207.195:9010   -                      tcp
US       8.8.8.8:53            8.8.8.8.in-addr.arpa   udp
CN       122.51.207.195:9010   -                      tcp

Files

memory/1224-0-0x00000000006F3000-0x00000000006F4000-memory.dmp

memory/1224-33-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-35-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-31-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-43-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-41-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-39-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-37-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-27-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-25-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-23-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-21-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-45-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1224-19-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-17-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-15-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-46-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1224-13-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-47-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1224-11-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-9-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-48-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1224-7-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-5-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-3-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-2-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-1-0x0000000002A60000-0x0000000002A9E000-memory.dmp

memory/1224-29-0x0000000002A60000-0x0000000002A9E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-30 16:22
Reported: 2024-06-30 16:25
Platform: win7-20240611-en
Max time kernel: 118s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017.exe"

Signatures

detect oss ak (oss_ak)
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
(6 identical rows, no details reported)

UPX packed file (upx)
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
(23 identical rows, no details reported)

Writes to the Master Boot Record (MBR) (bootkit persistence)
Description                   Indicator            Process                                                                                                                   Target
File opened for modification  \??\PhysicalDrive0   C:\Users\Admin\AppData\Local\Temp\43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017.exe

"C:\Users\Admin\AppData\Local\Temp\43f7709a6c3408eca55af1a45a829b8ed72d37480fe21afa6470c5c45f079017.exe"

Network

Country  Destination           Domain   Proto
CN       122.51.207.195:9010   -        tcp
CN       122.51.207.195:9010   -        tcp

Files

memory/2140-0-0x00000000006F3000-0x00000000006F4000-memory.dmp

memory/2140-3-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-2-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-1-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-44-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-42-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-46-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2140-40-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-38-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-36-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-34-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-47-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2140-32-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-30-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-28-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-48-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2140-26-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-24-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-49-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2140-22-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-20-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-50-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2140-18-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-16-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-14-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-12-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-10-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-8-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-5-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2140-6-0x0000000000400000-0x0000000000D1B000-memory.dmp