Malware Analysis Report

2025-04-03 13:57

Sample ID 241109-194laatdqa
Target 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219
SHA256 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219

Threat Level: Shows suspicious behavior

The file 54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219 was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:21

Reported

2024-11-09 22:24

Platform

win7-20240729-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2592 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2120 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2120 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2120 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2120 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2120 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2120 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2788 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe

"C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\ime\333.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\905\a905.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\905\905.bat" "

Network

N/A

Files

C:\Windows\IME\333.bat

MD5 bf85d58b5f8c87407c68d4479c08397d
SHA1 e5ef875b5e00d45b544f2b2cdc9c7dc45de2d29a
SHA256 0e27eb46977ef3837953d1adefeaf7d52ea03d5743368710eda7999aaba28afd
SHA512 702f91fa62bea645e04d6468f1cd299f07c8b3e21caca78cb27f90a4d0b21a9a934ab5636553414187181c1082654eb39fbcf1af3cc9ab2f651cafdf005c4985

C:\905\a905.vbs

MD5 d4e4d2395f0ae37c8f74469887420c42
SHA1 6aac31f197f2173591c7c3c131b811339763ba6a
SHA256 8dc70d5200420fcac09b1fbe93c1bc2ee6cb27d22812bd3e5f7a70edd84a7845
SHA512 b1ff3496fe98ddc34d0bfb4f661f24f3bd6df2a40d3174167f4d6a96f3cf8a400da00de9f0b57d6f04e7014228c597bcf377c8e055378421bbd2f50a4560d774

C:\905\905.bat

MD5 491bdc8435bff0c077992159aeec3686
SHA1 afb5fe597cd0850a0f907f70f36ee951c01edae9
SHA256 f1e74a0c392bad5b5a8bb0b1c808592dca7f2f9f7dbc7f08f6d3f089436a9be2
SHA512 a330510e193c26d9363c9d1930765c62a72eebeb43bc3f7e17efa4ee7038ac8663c72ccf240e9a30c2ae803ffe7630aa0e30a2dfa555b85e9f99a4df4ec9ffff

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:21

Reported

2024-11-09 22:24

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe

"C:\Users\Admin\AppData\Local\Temp\54eca35b907cd6919e61b6d26c24ab59923115684b55f302b1ffb580b3e11219.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ime\333.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\905\a905.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\905\905.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

C:\windows\ime\333.bat

MD5 bf85d58b5f8c87407c68d4479c08397d
SHA1 e5ef875b5e00d45b544f2b2cdc9c7dc45de2d29a
SHA256 0e27eb46977ef3837953d1adefeaf7d52ea03d5743368710eda7999aaba28afd
SHA512 702f91fa62bea645e04d6468f1cd299f07c8b3e21caca78cb27f90a4d0b21a9a934ab5636553414187181c1082654eb39fbcf1af3cc9ab2f651cafdf005c4985

C:\905\a905.vbs

MD5 d4e4d2395f0ae37c8f74469887420c42
SHA1 6aac31f197f2173591c7c3c131b811339763ba6a
SHA256 8dc70d5200420fcac09b1fbe93c1bc2ee6cb27d22812bd3e5f7a70edd84a7845
SHA512 b1ff3496fe98ddc34d0bfb4f661f24f3bd6df2a40d3174167f4d6a96f3cf8a400da00de9f0b57d6f04e7014228c597bcf377c8e055378421bbd2f50a4560d774

C:\905\905.bat

MD5 491bdc8435bff0c077992159aeec3686
SHA1 afb5fe597cd0850a0f907f70f36ee951c01edae9
SHA256 f1e74a0c392bad5b5a8bb0b1c808592dca7f2f9f7dbc7f08f6d3f089436a9be2
SHA512 a330510e193c26d9363c9d1930765c62a72eebeb43bc3f7e17efa4ee7038ac8663c72ccf240e9a30c2ae803ffe7630aa0e30a2dfa555b85e9f99a4df4ec9ffff