Malware Analysis Report

2024-12-01 02:48

Sample ID 241110-btc1yswjbs
Target 8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N
SHA256 8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031

Threat Level: Shows suspicious behavior

The file 8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:25

Reported

2024-11-10 01:27

Platform

win7-20240903-en

Max time kernel

36s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe

"C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe"

C:\Users\Admin\AppData\Local\Temp\edur.exe

"C:\Users\Admin\AppData\Local\Temp\edur.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | thenoblelaw.com | udp
US | 104.26.3.206:443 | thenoblelaw.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.19.117.22:80 | crl.microsoft.com | tcp

Files

memory/2840-1-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2840-0-0x0000000000290000-0x0000000000296000-memory.dmp

memory/2840-7-0x0000000000290000-0x0000000000296000-memory.dmp

\Users\Admin\AppData\Local\Temp\edur.exe

MD5 f15167d3ca43016df589e1afe9324418
SHA1 124a7bec9f8fa41d367144191321cf376ed8c30d
SHA256 7b40152214aec3fcf393098a0b8ab5ef95e31296f928cc5d7de1a94335a0600c
SHA512 939d08a1da8aeb831c1c4477f7591a22b6abcd9187b47ef1875f5eaf3347d86fc6b8992e943bdba93e175851d866ee475d2faccb5e955190f1b4215124dc0f30

memory/2896-18-0x00000000003F0000-0x00000000003F6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:25

Reported

2024-11-10 01:27

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\edur.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe

"C:\Users\Admin\AppData\Local\Temp\8f6936bf9913700da5e2486d162e8c11804bb7e7505c56ca2b2324f39f104031N.exe"

C:\Users\Admin\AppData\Local\Temp\edur.exe

"C:\Users\Admin\AppData\Local\Temp\edur.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | thenoblelaw.com | udp
US | 104.26.3.206:443 | thenoblelaw.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | 206.3.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/3048-0-0x00000000021C0000-0x00000000021C6000-memory.dmp

memory/3048-1-0x00000000021C0000-0x00000000021C6000-memory.dmp

memory/3048-2-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\edur.exe

MD5 f15167d3ca43016df589e1afe9324418
SHA1 124a7bec9f8fa41d367144191321cf376ed8c30d
SHA256 7b40152214aec3fcf393098a0b8ab5ef95e31296f928cc5d7de1a94335a0600c
SHA512 939d08a1da8aeb831c1c4477f7591a22b6abcd9187b47ef1875f5eaf3347d86fc6b8992e943bdba93e175851d866ee475d2faccb5e955190f1b4215124dc0f30

memory/952-23-0x0000000002020000-0x0000000002026000-memory.dmp