Malware Analysis Report

2024-12-07 16:49

Sample ID 241113-kd88wsycmg
Target ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe
SHA256 b76ae2d4a83fd94191cbe3cd5d2581c50062e8e8471fc4cb783ce72ed62f5c81
Tags
defense_evasion discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b76ae2d4a83fd94191cbe3cd5d2581c50062e8e8471fc4cb783ce72ed62f5c81

Threat Level: Shows suspicious behavior

The file ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery

Loads dropped DLL

Deletes itself

Executes dropped EXE

Indicator Removal: File Deletion

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 08:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 08:30

Reported

2024-11-13 08:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A

Indicator Removal: File Deletion

defense_evasion

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe
PID 2348 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe
PID 2348 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe
PID 2348 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe
PID 2348 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe

"C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe"

C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe

C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe 5

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\csqeqe.temp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
US 8.8.8.8:53 www.yzqie.com udp
CN 121.40.237.209:80 tcp
CN 121.40.237.209:80 tcp

Files

memory/2348-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2348-0-0x0000000000400000-0x0000000000B26000-memory.dmp

memory/2348-2-0x0000000076650000-0x0000000076697000-memory.dmp

memory/2348-503-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-506-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-508-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-512-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-516-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-522-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-520-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-518-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-514-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-510-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-504-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-524-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-526-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-537-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-530-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-534-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-540-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-538-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-564-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-562-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-560-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-558-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-556-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-554-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-552-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-550-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-548-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-547-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-544-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-542-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-532-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-528-0x0000000002AA0000-0x0000000002BB1000-memory.dmp

memory/2348-8027-0x0000000000400000-0x0000000000B26000-memory.dmp

\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe

MD5 708f11cc842da08700580124d796f2d6
SHA1 c007a3eb791921f3f856c10ee8e4ad475934793a
SHA256 5aef039368bccf95703459b3ae48e169687b8dfd46ab8598e2ebb73150398bf7
SHA512 05557164826cef53b27e445da3c1a00e898cff5d0272ba2dd3054bdc3e1aa2122dea6b532c404cf1957fb503c9a2c480fa98b1c6db738e23e043f0bfff9cda40

memory/2348-8029-0x0000000003A20000-0x0000000004146000-memory.dmp

memory/1864-8034-0x0000000000400000-0x0000000000B26000-memory.dmp

memory/2348-8033-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1864-16780-0x0000000000400000-0x0000000000B26000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 08:30

Reported

2024-11-13 08:32

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe

"C:\Users\Admin\AppData\Local\Temp\ea7cf9ad74693bea113e2a06cab4905772788c8358fbf4b8ee9530b6fa204703N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/2164-0-0x0000000000400000-0x0000000000B26000-memory.dmp

memory/2164-1-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/2164-2-0x0000000075910000-0x0000000075B25000-memory.dmp

memory/2164-3274-0x0000000000400000-0x0000000000B26000-memory.dmp