Malware Analysis Report

2024-12-07 16:41

Sample ID 241113-3z92es1hqr
Target 1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe
SHA256 1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3
Tags: defense_evasion discovery evasion
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3

Threat Level: Likely malicious

The file 1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery evasion

Sets file to hidden

Deletes itself

Checks computer location settings

Executes dropped EXE

Indicator Removal: File Deletion

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 23:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 23:58

Reported

2024-11-14 00:00

Platform

win7-20240903-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe"

Signatures

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\rwmhost.exe | N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\rwmhost.exe | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A
File opened for modification | C:\Windows\Debug\rwmhost.exe | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A
File opened for modification | C:\Windows\Debug\rwmhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\rwmhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe

"C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe

C:\Windows\Debug\rwmhost.exe

C:\Windows\Debug\rwmhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1EB072~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | fD4pa7lls.nnnn.eu.org | udp
US | 8.8.8.8:53 | FtF0s5Ftct.nnnn.eu.org | udp
US | 8.8.8.8:53 | pawCdZiUL7.nnnn.eu.org | udp
US | 8.8.8.8:53 | Pm7NuXCc5L.nnnn.eu.org | udp

Files

memory/1852-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\debug\rwmhost.exe

MD5 613e1c70cd6706b2c63c8be5682ec133
SHA1 34c9c9f29ab73384cbaeb4802b553d01234d2dfe
SHA256 c6cf4e38d188df766b46a79ee045da2bd15504d8ad56a38c3b982f015c9ff6cb
SHA512 a0e0d4f59aaa67d8a9511bd07d76e41bda68ea1f4dfbaaf04f7759601c5227787c75b80727d71e583edffa4c8958ae3ff38be9f790c981ab745fd42726473bce

memory/1852-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2936-6-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 23:58

Reported

2024-11-14 00:00

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe"

Signatures

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\tuehost.exe | N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\tuehost.exe | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A
File opened for modification | C:\Windows\Debug\tuehost.exe | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A
File opened for modification | C:\Windows\Debug\tuehost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\tuehost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe

"C:\Users\Admin\AppData\Local\Temp\1eb0722f2b98f3fbda9568174adec2f0593dc6801a790fdea23c2e326fa002d3.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\tuehost.exe

C:\Windows\Debug\tuehost.exe

C:\Windows\Debug\tuehost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1EB072~1.EXE > nul

Network

Country | Destination | Domain | Proto

Files

memory/1208-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\debug\tuehost.exe

MD5 c52f07726bf21d1df1b250ffc1a40ea5
SHA1 92fdfe3d41a932a64b9ab5f3234cb00c149397a1
SHA256 b44bc3c9e4c23d7bf459a8cc675bd3f98f852d93212d8404b08feec2271cddce
SHA512 aa5ded977c03e306038c2ea4a36728392e06481e08f743a217a9d85716a25f64b67f1be5c3752dd86b7855dc18c823d84598aeb51cca809ea767ff24e3180f5b

memory/2820-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2820-6-0x0000000000400000-0x0000000000411000-memory.dmp