Malware Analysis Report

2024-12-07 16:49

Sample ID 241113-fv5vkszleq
Target 15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe
SHA256 15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29
Tags
defense_evasion discovery evasion
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29

Threat Level: Likely malicious

The file 15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery evasion

Sets file to hidden

Checks computer location settings

Executes dropped EXE

Deletes itself

Indicator Removal: File Deletion

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 05:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 05:12

Reported

2024-11-13 05:14

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\rwmhost.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\rwmhost.exe C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A
File opened for modification C:\Windows\Debug\rwmhost.exe C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A
File opened for modification C:\Windows\Debug\rwmhost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Debug\rwmhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Debug\rwmhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Debug\rwmhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe

"C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\rwmhost.exe

C:\Windows\Debug\rwmhost.exe

C:\Windows\Debug\rwmhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\15A41E~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
US 8.8.8.8:53 nc5NCFdJxM.nnnn.eu.org udp
US 8.8.8.8:53 NImZxD7Qa.nnnn.eu.org udp

Files

C:\Windows\Debug\rwmhost.exe

MD5 7c473a6a757fb3ffcde134494144cd06
SHA1 b37348d9ebad3ae6a5cbbfc3601c7a48d8ce9246
SHA256 06d372947bbc93675b7b9fe16cce04f105e5f101003798ef66ed5d1c2e3cb2fd
SHA512 935cefe1bdc781b24c4f9cd971ea455e1e1c49f4d092c82941359739e717061b7e0b8b416946f073ea41c9f2800a199b04bef7bc11c8a2997726c7fa76e28f61

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 05:12

Reported

2024-11-13 05:14

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\foohost.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\foohost.exe C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A
File opened for modification C:\Windows\Debug\foohost.exe C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A
File opened for modification C:\Windows\Debug\foohost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Debug\foohost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Debug\foohost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Debug\foohost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe

"C:\Users\Admin\AppData\Local\Temp\15a41ebd61c5cbc32a8666e91faa8b662f8294bf54f02df7262d8aa02790dc29N.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\foohost.exe

C:\Windows\Debug\foohost.exe

C:\Windows\Debug\foohost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\15A41E~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 96.46.235.103.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 rzDzYaq5lC.nnnn.eu.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 RfuKYJDVQ.nnnn.eu.org udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Windows\debug\foohost.exe

MD5 4f45f972a271b31c30141c5455dba894
SHA1 67d23364d5350f5461b6db9c77b9f7ee54a54ca5
SHA256 2969b182cc0f8a41c621240efaa6318fa9632a16b2899fb2d706f14a143bd741
SHA512 94148375d12211416063114c7fb685290b6af3660fcbffe712e878ea7ea475ba0bfba246f84262a1009138b62a8df520cdce54ceedc8a6f45becd37b49959964