Malware Analysis Report

2024-12-07 11:33

Sample ID 241113-vsbahsweqm
Target 44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe
SHA256 44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2
Tags discovery persistence
Score 7/10

Analysis Overview

Score 7/10

SHA256

44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2

Threat Level: Shows suspicious behavior

The file 44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:14

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:14

Reported

2024-11-13 17:16

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe"

Signatures

Executes dropped EXE

Process C:\Windows\SysWOW64\wnsapicc.exe

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WNST = "C:\\Windows\\system32\\wnsapicc.exe"
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Drops file in System32 directory

Description File created
Indicator C:\Windows\SysWOW64\wnsapicc.exe
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Drops file in Program Files directory

Description File created
Indicator C:\Program Files (x86)\PurityScan\PuritySCAN.exe
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Windows\SysWOW64\wnsapicc.exe

Modifies Internet Explorer settings

adware spyware
Description Key created
Indicator \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Processes

C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

"C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe"

C:\Windows\SysWOW64\wnsapicc.exe

"C:\Windows\system32\wnsapicc.exe" /no_ads

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.clickspring.net udp
US 104.168.142.204:80 www.clickspring.net tcp
US 8.8.8.8:53 clickspring.net udp
US 104.168.142.204:80 clickspring.net tcp
US 104.168.142.204:443 clickspring.net tcp

Files

C:\Windows\SysWOW64\wnsapicc.exe

MD5 da05c32ea6cbca81053f243e40a9e53c
SHA1 4a8713301e628486753021098f8067b6b198dc6f
SHA256 3e101911339128d72e8529175dccb9ce37aaf89d5d0d72202aa7dd902673b137
SHA512 a97ed8b23c035b9e473274717fb56f2d84efc2b7217dff56237d734061513f737a4e1c34581676fd1d72d2914b1bb9620724ff04df4706f1723350e8d3f9c93c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 17:14

Reported

2024-11-13 17:16

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe"

Signatures

Checks computer location settings

Description Key value queried
Indicator \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Executes dropped EXE

Process C:\Windows\SysWOW64\wnscpsv.exe

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WNSI = "C:\\Windows\\system32\\wnscpsv.exe"
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Drops file in System32 directory

Description File created
Indicator C:\Windows\SysWOW64\wnscpsv.exe
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Drops file in Program Files directory

Description File created
Indicator C:\Program Files (x86)\PurityScan\PuritySCAN.exe
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Windows\SysWOW64\wnscpsv.exe

Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

Processes

C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe

"C:\Users\Admin\AppData\Local\Temp\44a85921cd06e2a745a86fe8f399af2e36e70d2a24a686036ee5687577ed67c2N.exe"

C:\Windows\SysWOW64\wnscpsv.exe

"C:\Windows\system32\wnscpsv.exe" /no_ads

Network


Files

C:\Windows\SysWOW64\wnscpsv.exe

MD5 97ae9da213fbe2dd77d21543e5fb00bc
SHA1 f546375367a850f55b301dfe6fb3fe848b4eb36c
SHA256 a20c650bcf6232fd7d7a723c0c870f17dee4c2461e8da3be0e9a144b74584b53
SHA512 1f72018464c8e88d6fa35b190e4f5a1c9a7039fb7271934489ee8e9532b2d2160e90c3e6724f46c4f94e219f3ba299488eda751bd55fa0fa116c44659fa7f2a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F867501CCBEA009A04631CD634A13D5F

MD5 8fd2f52199e51568adb5d91cbc98e9f0
SHA1 f19c16de1fd2bb6b6f0190331ac56033a1043e6b
SHA256 2b283b261234ebcf96fc306ff35cb07afcd8e68ebe5432b646eb2e57ec889122
SHA512 4ed912a13c6a2fe88a14ce6effb9ab9eaeeb0005e994510015cd33742892550c9e898cd2812318e4af16c3254ab5feae18efc94484ea3de57ac87a42fab824bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F867501CCBEA009A04631CD634A13D5F

MD5 718480e058abfb2a3667e18f1bd57e65
SHA1 392375de1a5529a0aa63efaa0dd04ca8270e8996
SHA256 b26b768f5fff732b31344c322e644c3a88c7d795c5df6ef393ef55979d506180
SHA512 d6715b73785418a2b36e359062e96681c897e5da85f48d0877fa34dca56b568c9967935f5e3402d77ef5ff14cb7abb333cc0469fc439aad15117333c1d06580f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 2dd058f204cec614daca5deeb21e92e6
SHA1 4c5192d539fa29de69da0dd83fefef812099b6a6
SHA256 5ec2d4e1bfabc36f8ad78c53bddf303ba5b8fa9f91e613287deeb8f233a72bf4
SHA512 37be32ce150356d4c74c052ef34be5c99c6e9b564052581292f561cb06396473fb3be82a457fef01d0867d8b46a9078e13ddcd2bb7a82932f4714f1378ea6d90