Malware Analysis Report

2024-12-07 17:05

Sample ID 241113-ggzxvazmgl
Target 385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe
SHA256 07a5f03b0302518df8f02b2cc355f7d3e6b39a8fe92469b3c546de72b7e3a0a7
Tags
defense_evasion discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

07a5f03b0302518df8f02b2cc355f7d3e6b39a8fe92469b3c546de72b7e3a0a7

Threat Level: Shows suspicious behavior

The file 385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery persistence

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Indicator Removal: File Deletion

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 05:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 05:47

Reported

2024-11-13 05:49

Platform

win7-20241023-en

Max time kernel

88s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\wuauclt.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe
Target: N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\windows\SysWOW64\cmd.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\ProgramData\Update\wuauclt.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe

"C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe"

C:\ProgramData\Update\wuauclt.exe

"C:\ProgramData\Update\wuauclt.exe" /run

C:\windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe" >> NUL

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp

Files

\ProgramData\Update\wuauclt.exe

MD5 847392671ab80975a443e6794257869b
SHA1 98ca706b8bd13d4ca6dcf587c5af689084a5e888
SHA256 6ef15f2e04bf668295b5ef419b775d168554d47ea5c7d42fa0226cc21a1d47fb
SHA512 2eefdbdf9de09ca63bb7509c83d1d501acd8ea581ef275eb9f02877e4474003c61d5f8866910aff1ecdc9a88f2346e06a58895add595e8e1648eb39df3cfd8ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 05:47

Reported

2024-11-13 05:49

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe
Target: N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\wuauclt.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe
Target: N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\ProgramData\Update\wuauclt.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\windows\SysWOW64\cmd.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe

"C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe"

C:\ProgramData\Update\wuauclt.exe

"C:\ProgramData\Update\wuauclt.exe" /run

C:\windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\385a7685a529b9901b25a2de66e7013796b5477756cf3d991530cb4b6c49ce20N.exe" >> NUL

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\ProgramData\Update\wuauclt.exe

MD5 9d60f342bb3c923cc3e7cdf4c94d227f
SHA1 2525f7013d2eca54810b5c3f35b10233d8e09336
SHA256 43068139b71cd4b9db56ab17f7e3ecaeae7d664e4454c7158c2ca15f7c473e05
SHA512 5a23955bf0e926111e0ff9572b4b46fbab73850052f24bd2f3fd5cf8d63c2882d534febdb40df149c8bddf7149e1931936172291fa54b8247cfa38d99c08ec8c