Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b3crjszkdm
Target ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a
SHA256 ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a
Tags
defense_evasion discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a

Threat Level: Shows suspicious behavior

The file ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery persistence

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Indicator Removal: File Deletion

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:39

Reported

2024-11-10 01:42

Platform

win7-20240903-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\wuauclt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe N/A

Indicator Removal: File Deletion

defense_evasion

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Update\wuauclt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe

"C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe"

C:\ProgramData\Update\wuauclt.exe

"C:\ProgramData\Update\wuauclt.exe" /run

C:\windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe" >> NUL

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp

Files

\ProgramData\Update\wuauclt.exe

MD5 4965ceb9a2b8357efc11809dea7f9038
SHA1 0ba7e246d7d8da9206b31e9b7875db8e1bbac3b7
SHA256 c6c1038954847dfdd07204efb73fba838a2b2165114f65c0206c81a787b5242d
SHA512 fe0983149cd93765a697e0a9dbb5e210f23253d73ec03c9d532b01e8d42ec942c81875a8b897f3de2a25ebf7dfa5c529859e6b0050ccab6ae3f9d0cb2d2d7ff2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:39

Reported

2024-11-10 01:42

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\wuauclt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Update\wuauclt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe

"C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe"

C:\ProgramData\Update\wuauclt.exe

"C:\ProgramData\Update\wuauclt.exe" /run

C:\windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\ad782a33f1fe98a5a5d75bd19e8a3b5e699e20932af5972e75634951670ca90a.exe" >> NUL

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

C:\ProgramData\Update\wuauclt.exe

MD5 1aab322529410bb409300f5a6b8f0287
SHA1 a9a124adcbe19ad6b76cdb1c1c90a70d898ea419
SHA256 a37a07e88c7833f19e9ae63eb534e7ea7bb4cf86e619b07ef93522ca6abc79fb
SHA512 604fa4f4b89a87314035c63ab5bece23c2386f879eec8e308e93deb34d693432a4b61b55c63c2272748e091241daa5b2cee994c3f588abdadad0d812410d8d33