Malware Analysis Report

2024-12-07 16:51

Sample ID 241113-d8js6awdkj
Target e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267
SHA256 e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267
Tags
defense_evasion discovery evasion
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267

Threat Level: Likely malicious

The file e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery evasion

Sets file to hidden

Deletes itself

Checks computer location settings

Executes dropped EXE

Indicator Removal: File Deletion

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 03:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 03:40

Reported

2024-11-13 03:43

Platform

win7-20241023-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\zskhost.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\zskhost.exe C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A
File opened for modification C:\Windows\Debug\zskhost.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\Debug\zskhost.exe C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Debug\zskhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Debug\zskhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Debug\zskhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe

"C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\zskhost.exe

C:\Windows\Debug\zskhost.exe

C:\Windows\Debug\zskhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E53BDC~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.47.188:443 www.baidu.com tcp
US 8.8.8.8:53 G35yLgUWLS.nnnn.eu.org udp
US 8.8.8.8:53 qkG9cexd4g.nnnn.eu.org udp
US 8.8.8.8:53 QwxLN8xlou.nnnn.eu.org udp
US 8.8.8.8:53 0cfWe5Rt2c.nnnn.eu.org udp
US 8.8.8.8:53 aIqiP3uVmp.nnnn.eu.org udp

Files

C:\Windows\Debug\zskhost.exe

MD5 46416814fb52be25d0767e6ad564c1db
SHA1 7a417bccaca29e7b34379eff889e4b52de985063
SHA256 b27963c7052fcd49820d436ccdd934db446042e983af4062360a1b034ba7170e
SHA512 7b6a49a3ddac24d233e94008a1594653d15f804fdb1cde9dbf00f363714f1fa807d8bf8a8a991eae918cb4ad9f0f42dec30fca9b4f00a50b9c3df472c3d9cb55

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 03:40

Reported

2024-11-13 03:43

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\guehost.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\guehost.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\Debug\guehost.exe C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A
File opened for modification C:\Windows\Debug\guehost.exe C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Debug\guehost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Debug\guehost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Debug\guehost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe

"C:\Users\Admin\AppData\Local\Temp\e53bdc9eed991455f44022720ed122734677fa3032974c234c38777e82fa3267.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\guehost.exe

C:\Windows\Debug\guehost.exe

C:\Windows\Debug\guehost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E53BDC~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.47.188:443 www.baidu.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 188.47.235.103.in-addr.arpa udp
US 8.8.8.8:53 DDxNyLHj1c.nnnn.eu.org udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 nteYFJHrlq.nnnn.eu.org udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 73.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 NZLkWnlyVY.nnnn.eu.org udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 xGWvIlEaEm.nnnn.eu.org udp
US 8.8.8.8:53 XwE6ZFiiy0.nnnn.eu.org udp

Files

C:\Windows\debug\guehost.exe

MD5 dea7cdca568ec35982918b5dafabe5a5
SHA1 d5315d1776b4f332c1af85c763fbd828aae3c67e
SHA256 f4bb62e5f0fd7054721daa56c796e99094d617ffc6f73b9c89f50c2b84e0767b
SHA512 210b65902dbf0098d9ce30e698b2470c30cd55a416e686bb7686ccf4d9c417c71fa0d378eb7615f45d118e84ca8c4056038a4352a94c1b16570decbac86ea142