Malware Analysis Report

2024-11-13 18:00

Sample ID 241110-byq4dazjdm
Target 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
SHA256 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
Tags
discovery persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd

Threat Level: Shows suspicious behavior

The file 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd shows suspicious behavior. It is an unsigned, UPX-packed PE. In both detonations it writes an unchanged copy of itself (the dropped pdcosw.exe and pfsgc.exe carry the same SHA256 as the sample) into a randomly named directory, drops Synaptics.7z and Synaptics.rs into C:\Windows, and runs a dropped update.bat through cmd.exe, which waits with timeout.exe (/T 2 and /T 3) and then launches the copy; the copy registers itself under the HKLM ...\CurrentVersion\Run key. In the Windows 7 run the cmd.exe step also deletes the original. No network traffic is attributed to the sample in either run.

Malicious Activity Summary

discovery persistence upx

Deletes itself

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15

The sandbox signatures above carry technique names without IDs; the IDs below are the standard ATT&CK identifiers for those names and are added here for reference only:

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Adds Run key to start application)
T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)
T1614.001 System Location Discovery: System Language Discovery
T1070.004 Indicator Removal: File Deletion (Deletes itself)
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion (Delays execution with timeout.exe)

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:33

Reported

2024-11-10 01:36

Platform

win7-20241010-en

Max time kernel

106s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A (2 events)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fihspepz = "C:\\Program Files (x86)\\rvsolbevkh\\pdcosw.exe" | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 entries, no details recorded)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A
File opened for modification | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Synaptics.7z | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A
File opened for modification | C:\Windows\Synaptics.rs | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A
File created | C:\Windows\Synaptics.7z | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A
File created | C:\Windows\Synaptics.rs | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe | N/A

Suspicious use of WriteProcessMemory

Each row was reported several times; the count replaces the repeated rows. Every write goes from a parent to the child it has just launched (matching the Processes list below), so this signature reflects the parent setting up each child it spawns, not writes into an unrelated process.

Description | Indicator | Process | Target
PID 2904 wrote to memory of 2864 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2996 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2864 wrote to memory of 2096 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2864 wrote to memory of 2840 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\rvsolbevkh\pdcosw.exe

Processes

Parent/child relationships and PIDs are taken from the WriteProcessMemory rows above. The two timeout.exe instances are PIDs 2996 and 2096; the report does not say which ran /T 2 and which /T 3.

C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe (PID 2904)
    "C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 2864)
        cmd /c C:\Users\Admin\AppData\Local\Temp\update.bat
        C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 2
        C:\Windows\SysWOW64\timeout.exe
            TIMEOUT /T 3
        C:\Program Files (x86)\rvsolbevkh\pdcosw.exe (PID 2840)
            "C:\Program Files (x86)\rvsolbevkh\pdcosw.exe"
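The chain recorded in this run (dropper in %TEMP% writes a copy, cmd.exe runs a dropped .bat that waits with timeout.exe and then starts the copy, the copy adds a Run value) is the kind of behaviour a host-based detection can match on. The script below is an added example, not part of the sandbox output: it encodes the PIDs, paths and command lines from behavioral1 as constructed Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet) and runs two rules over them. The FileCreate for update.bat is an assumption, since the report lists the file as dropped but does not name the writer. Rule names and the event field layout are this example's own.

```python
"""Flag the persistence-and-delay chain from behavioral1 in Sysmon-style events."""
import fnmatch
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"
DROPPED = r"C:\Program Files (x86)\rvsolbevkh\pdcosw.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\update.bat"
RUN_VALUE = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fihspepz"

# Constructed events modelled on the PIDs, paths and command lines the report
# records for behavioral1. Not a real Sysmon export. The FileCreate for
# update.bat is assumed (the report lists it as dropped but names no writer).
EVENTS = [
    {"id": 1,  "pid": 2904, "ppid": 1,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 11, "pid": 2904, "target": DROPPED},
    {"id": 11, "pid": 2904, "target": BAT},
    {"id": 1,  "pid": 2864, "ppid": 2904, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"cmd /c {BAT}"},
    {"id": 1,  "pid": 2996, "ppid": 2864, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "TIMEOUT /T 2"},
    {"id": 1,  "pid": 2096, "ppid": 2864, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "TIMEOUT /T 3"},
    {"id": 1,  "pid": 2840, "ppid": 2864, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"id": 13, "pid": 2840, "target": RUN_VALUE, "details": DROPPED},
]

USER_WRITABLE = (r"*\appdata\local\temp\*", r"*\users\public\*", r"*\programdata\*")
SYSTEM_DIRS = (r"c:\windows\system32\*", r"c:\windows\syswow64\*")
RUN_KEYS = (r"*\microsoft\windows\currentversion\run\*",
            r"*\microsoft\windows\currentversion\runonce\*")


def _matches(text, patterns):
    """Case-insensitive glob match; fnmatch treats backslashes literally."""
    text = text.lower()
    return any(fnmatch.fnmatchcase(text, p) for p in patterns)


def detect(events):
    """Return one finding dict per matched rule."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    created_by = {e["target"].lower(): e["pid"] for e in events if e["id"] == 11}
    findings = []

    # Rule 1: Run/RunOnce value pointing at a file that was written by a
    # process executing from a user-writable directory (a dropper in %TEMP%).
    for e in events:
        if e["id"] != 13 or not _matches(e["target"], RUN_KEYS):
            continue
        exe = e["details"].strip().strip('"').lower()
        writer = procs.get(created_by.get(exe))
        if writer and _matches(writer["image"], USER_WRITABLE):
            findings.append({"rule": "run_key_to_dropped_binary", "pid": e["pid"],
                             "value": e["target"], "image": exe,
                             "dropper_pid": writer["pid"]})

    # Rule 2: cmd.exe running a .bat from a user-writable directory whose
    # children include timeout.exe (the delay) and an executable outside the
    # system directories (the launched payload).
    for pid, p in procs.items():
        if not p["image"].lower().endswith(r"\cmd.exe"):
            continue
        cmd = p["cmdline"].lower()
        if ".bat" not in cmd or not _matches(cmd, USER_WRITABLE):
            continue
        kids = children[pid]
        delays = [k for k in kids if k["image"].lower().endswith(r"\timeout.exe")]
        payloads = [k for k in kids if not _matches(k["image"], SYSTEM_DIRS)]
        if delays and payloads:
            findings.append({"rule": "batch_delay_then_launch", "pid": pid,
                             "delays": [k["cmdline"] for k in delays],
                             "launched": [k["image"] for k in payloads]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Rule 2 only treats System32 and SysWOW64 as system directories, so the Windows 10 variant, which launches its copy from C:\Windows\dxxmuvdll\pfsgc.exe, is still flagged. Rule 1 keys on the writer of the Run target rather than on the value name, because the names (fihspepz, skqyealh) differ per run and are not worth matching on.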

Network

N/A

Files

memory/2904-0-0x0000000000260000-0x000000000026B000-memory.dmp

memory/2904-1-0x0000000000260000-0x000000000026B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\update.bat

MD5 755ae2509932ae47b07c7b96b3ea41bf
SHA1 8b27354184939c4483d0c07bc0b067af13617e9f
SHA256 e326773bedbc28e66842933901c9a277960dbf17e4cdf40465bbd39e14701b0f
SHA512 e4cbff4b674d3e72efdd3e949b1ddff681b60c9f9999f3767101fb189e349fbf2b3fd9c2c5242090863257c441294127f12615a49353f2ff551ee61366f69ad5

\Program Files (x86)\rvsolbevkh\pdcosw.exe

MD5 e547e76f0f4d9826d52b97c35ef3322f
SHA1 40598d7df8245c5ee9842003bb6761b4254ac8af
SHA256 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
SHA512 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9

C:\Windows\Synaptics.rs

MD5 ea29a928121503e9659a143a41bcc81a
SHA1 bb39d03bbd600d6ffdb9b763797493eaccd61f64
SHA256 e90a70e3fd28c4b44e1e3c5e2fd6993e31f1821cefd305a227393c9fb9013a13
SHA512 52119eb71742b63f215443389d3e39148131ca5ba0b3675b27c7ecf297fabb5b0ac80bc8a5f609482afb30778e5ffc7ce590815500e1c752eee807446e25c399

memory/2840-22-0x0000000000350000-0x000000000035B000-memory.dmp

C:\Windows\Synaptics.7z

MD5 3ce00833d4427d727d98f8f4105ad476
SHA1 119e9267eb9e33346fd3344024619c9edc42c43d
SHA256 0188fec66b72b38273b934e4f3c91b9e713d21f6aaac1ca012a69e956e5b1cc8
SHA512 913e1207043a4e46261d9de697d2e10580ad276b1b17ddd166ece0583e6f251607e59881006afbe43795b68ea0bb2c967b4b78797ce195d21d28491a733aeea1

memory/2840-18-0x0000000000350000-0x000000000035B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:33

Reported

2024-11-10 01:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\dxxmuvdll\pfsgc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\skqyealh = "C:\\Windows\\dxxmuvdll\\pfsgc.exe" | C:\Windows\dxxmuvdll\pfsgc.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 entries, no details recorded)
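The "UPX packed file" signature here and in behavioral1 is reported without any indicator detail, so it is worth knowing how to confirm it statically. The script below is an added example, not part of the sandbox output, and the analysed binary is not on this page, so it builds small constructed PE32 headers in memory instead. It parses the section table with only the standard library and reports three independent indicators: the UPX0/UPX1 section names, the first section having no raw bytes on disk but a nonzero virtual size (where UPX unpacks the original image at run time, which survives renaming the sections), and the "UPX!" magic in the packer's own header. Function names are this example's own.

```python
"""Static check for UPX packing from the PE section table (stdlib only)."""
import struct

UPX_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        off = table + i * 40                                      # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return sections


def upx_indicators(data):
    """Reasons to believe the image is UPX-packed; an empty list means none found."""
    reasons = []
    sections = pe_sections(data)
    if any(name in UPX_NAMES for name, _, _ in sections):
        reasons.append("section names UPX0/UPX1")
    # UPX's first section is the run-time unpacking area: zero raw size on
    # disk, large virtual size. Renaming the sections does not hide this.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        reasons.append("first section has zero raw size but nonzero virtual size")
    if b"UPX!" in data:
        reasons.append("UPX! packer header magic present")
    return reasons


def build_test_pe(sections, extra=b""):
    """Constructed header-only PE32 (no code) used to exercise the checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt_size = 0xE0                                               # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize,
                    0x1000 * (i + 1), rsize, 0, 0, 0, 0, 0, 0xE0000020)
        for i, (name, vsize, rsize) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + extra


# Constructed inputs: a typical UPX layout, the same layout with renamed
# sections, and an ordinary unpacked layout.
PACKED = build_test_pe([("UPX0", 0x10000, 0), ("UPX1", 0x8000, 0x7000), (".rsrc", 0x1000, 0x400)], b"UPX!")
RENAMED = build_test_pe([(".code", 0x10000, 0), (".text", 0x8000, 0x7000), (".rsrc", 0x1000, 0x400)])
PLAIN = build_test_pe([(".text", 0x2000, 0x2000), (".data", 0x800, 0x200), (".rsrc", 0x400, 0x400)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, upx_indicators(blob))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `upx_indicators`; if the names are intact, `upx -d` will usually restore the original executable for further static work. A header-only check says nothing about what the unpacked payload does, which is why the behavioural runs above still matter.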

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\dxxmuvdll\pfsgc.exe | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A
File opened for modification | C:\Windows\Synaptics.7z | C:\Windows\dxxmuvdll\pfsgc.exe | N/A
File opened for modification | C:\Windows\Synaptics.rs | C:\Windows\dxxmuvdll\pfsgc.exe | N/A
File created | C:\Windows\Synaptics.7z | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A
File created | C:\Windows\Synaptics.rs | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A
File created | C:\Windows\dxxmuvdll\pfsgc.exe | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\dxxmuvdll\pfsgc.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe

"C:\Users\Admin\AppData\Local\Temp\7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\update.bat

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 2

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3

C:\Windows\dxxmuvdll\pfsgc.exe

"C:\Windows\dxxmuvdll\pfsgc.exe"

Network

All nine entries are reverse-DNS (PTR) queries for in-addr.arpa names sent to 8.8.8.8; the address each name resolves back to is given in parentheses. The report attributes none of them to a process and lists no other connections, so no outbound traffic is tied to the sample in this run.

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa (52.167.17.97) | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa (192.229.221.95) | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa (20.190.159.71) | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa (52.140.118.28) | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa (20.3.187.198) | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa (4.245.163.56) | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa (199.232.210.172) | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa (52.111.229.48) | udp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa (52.182.143.208) | udp

Files

memory/1384-0-0x00000000025E0000-0x00000000025EB000-memory.dmp

memory/1384-1-0x00000000025E0000-0x00000000025EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\update.bat

MD5 152003139841d58f909f8ca56fda521a
SHA1 96bfbe5604145b2fe44b46157779f57ca291ab31
SHA256 bdb7479d8dcc715a82e7dda74a7f9679dc876eb1952fc58df6598be6be7f3a7b
SHA512 c387d8cc4fa834bf72f2326794947ec22918e04cdcaab0c59291819d4398adcd25d2b0eb5895f47de6fd090e1d2fa02164cadcc22f23cdd0cd5b23a5f9b4a158

C:\Windows\dxxmuvdll\pfsgc.exe

MD5 e547e76f0f4d9826d52b97c35ef3322f
SHA1 40598d7df8245c5ee9842003bb6761b4254ac8af
SHA256 7b59c5e4a3ff85115e96d6848136a8a9f31b4c9b5c94be6478893f291ea522dd
SHA512 33128f802bee7c0fb98ba4fdd194bc418ee17a83c5ae37ab4d02b39ac448fba776cd51c2e8ec2ba1fd947bb1e23724c3cf7f5615fd24e5a4abe8d4cddaa2e3b9

C:\Windows\Synaptics.rs

MD5 04d02ca8fb5a9059fb3f67f95529ff20
SHA1 387900e985fae707bd81af35b91aabf6ada7b956
SHA256 ed7af1f4475ff6498b936e0b92f69c2d5c127c2eaf4e4e4d9d5c706406016340
SHA512 3004f939bd4ba8d87b116521c94298be9041b41ae9fc8929ca3ccc32a05b4aa969b5537c6364ffa8724b5e271dab298f626370437e3a43cf9dd951d7723b1c1f

memory/440-16-0x0000000000A50000-0x0000000000A5B000-memory.dmp

memory/440-12-0x0000000000A50000-0x0000000000A5B000-memory.dmp