Malware Analysis Report

2024-12-07 16:58

Sample ID 241113-cv1n3sxrgk
Target 03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN
SHA256 03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6c
Tags: defense_evasion, discovery, persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6c

Threat Level: Shows suspicious behavior

The file 03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN was found to show suspicious behavior.

Malicious Activity Summary

Tactics: defense_evasion, discovery, persistence

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Indicator Removal: File Deletion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 02:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 02:24

Reported: 2024-11-13 02:26

Platform: win7-20241010-en

Max time kernel: 81s

Max time network: 91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Graphics\guifx.exe | N/A

Adds Run key to start application

Tactic: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graphics = "\"C:\\ProgramData\\Graphics\\guifx.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A

Indicator Removal: File Deletion

Tactic: defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tactic: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Graphics\guifx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe

"C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe"

C:\ProgramData\Graphics\guifx.exe

"C:\ProgramData\Graphics\guifx.exe" /run

C:\windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe" >> NUL

Network

Country | Destination | Domain | Proto
KR | 165.194.123.67:443 | | tcp
KR | 165.194.123.67:443 | | tcp

Files

\ProgramData\Graphics\guifx.exe

MD5: 63290cb42842747694ee188892fc9f11
SHA1: b4a2ca0d670ea721e581a8bc5755701f399512b9
SHA256: 5597b2853fe6e79614ba0f855c5f9402411e8b6aa9e0fec35df9fddc2e7c7af9
SHA512: 6cb3d6bb5d8372c8921e154f20a32a4709e20b326b9757e05903e114b759addcf87571782bda44c3e4b503308a0d48dcf886226f050b7b520ee30671dd358300

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 02:24

Reported: 2024-11-13 02:26

Platform: win10v2004-20241007-en

Max time kernel: 93s

Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Graphics\guifx.exe | N/A

Adds Run key to start application

Tactic: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graphics = "\"C:\\ProgramData\\Graphics\\guifx.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A

Indicator Removal: File Deletion

Tactic: defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tactic: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Graphics\guifx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe

"C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe"

C:\ProgramData\Graphics\guifx.exe

"C:\ProgramData\Graphics\guifx.exe" /run

C:\windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\03663294d3037bb2bb84a2bde70c5cd503e1c26a82d958d3c925f50654b40f6cN.exe" >> NUL

Network

Country | Destination | Domain | Proto
KR | 165.194.123.67:443 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
KR | 165.194.123.67:443 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

C:\ProgramData\Graphics\guifx.exe

MD5: b984e80a9b1dacb5a72c964fac5dc9d7
SHA1: 6dff49909f6b9ba0b63395ce8935a2a37022f8a5
SHA256: 5185718249aeeeb74f5ad2de8b56cc624f86836e51eeb01d904e2e57025ac039
SHA512: d947f16eb5cc5803fb96389091bd9ef0a5c5e1ebd3212825f2f2f004168f7c369f1ed106d9ec60b1d1c7207646bd375c61360299000e8b501ad99ab2e0595c33