Malware Analysis Report

2024-12-07 11:32

Sample ID 241113-w5df3szqaq
Target ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe
SHA256 ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61
Tags
discovery persistence

Score
8/10

Analysis Overview

Score
8/10

SHA256

ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61

Threat Level: Likely malicious

The file ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Adds policy Run key to start application

Deletes itself

Loads dropped DLL

Executes dropped EXE

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 18:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 18:29

Reported

2024-11-13 18:31

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\livevideo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ErrorReportSent = "C:\\Users\\Admin\\AppData\\Roaming\\livevideo.exe" C:\Users\Admin\AppData\Roaming\livevideo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\livevideo.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\livevideo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe

"C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe"

C:\Users\Admin\AppData\Roaming\livevideo.exe

C:\Users\Admin\AppData\Roaming\livevideo.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c UNISTA~1.BAT

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\livevideo.exe

MD5 422ad7ce96f9d01aae2abc6094fc3ca0
SHA1 fbcb866a91f550f0b5401a74cccc90e1ae1445b6
SHA256 d3f00a555dfa2b57f226ce3f22c05b2d7ea768716e110ae98cfec2c9a87eb473
SHA512 b84742ca2682dbe4962359219c7c7dd6e4858232b30738d1829e2e318e3b6fb0c027634bfda8b166bc5705ca0f012ea1218726af3ec10289f0d4f0dec14f5244

C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat

MD5 f34869f5ab7d17ef52c916bd8c33598c
SHA1 98a0ac28be477c3478c7170bf1ef964875fe2aad
SHA256 8c2be2d52b12d583c8958d6b7feb5a3c2f831c5891c4044a92421ba11df0e038
SHA512 5d65d59a217f5e30d88fb595441810465e68c4f544354a6ee771c41d38c333b00bf4290ed4a73a559cf5a6cc00c05a85ae954ec05042b4b403483df6612e14f8

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 18:29

Reported

2024-11-13 18:31

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\livevideo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ErrorReportSent = "C:\\Users\\Admin\\AppData\\Roaming\\livevideo.exe" C:\Users\Admin\AppData\Roaming\livevideo.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\livevideo.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\livevideo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe

"C:\Users\Admin\AppData\Local\Temp\ee414e7ae8d980c1eccd7b85402d932403dc4e795ebd1fc5286a8c45f9b7ee61N.exe"

C:\Users\Admin\AppData\Roaming\livevideo.exe

C:\Users\Admin\AppData\Roaming\livevideo.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c UNISTA~1.BAT

Network

N/A

Files

\Users\Admin\AppData\Roaming\livevideo.exe

MD5 f165cd40f56b2f0a5e2d3c319cf2ae48
SHA1 bfd9fe52870671eb06e19b748be807273a0ee67d
SHA256 2a50e0bb47aa824e02fd151467db6e1e08a6e9d6bad220ead601f5cbbc7aa4f6
SHA512 55824e1b956acb2a9f106b41cf3a8678bd9a9ad53b89de493abdb0ce793d9f81cc7ae517c6e8e59eccef9ae216d1f321ab2b0733a954a0bcab2393cf465f7fdc

C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat

MD5 f34869f5ab7d17ef52c916bd8c33598c
SHA1 98a0ac28be477c3478c7170bf1ef964875fe2aad
SHA256 8c2be2d52b12d583c8958d6b7feb5a3c2f831c5891c4044a92421ba11df0e038
SHA512 5d65d59a217f5e30d88fb595441810465e68c4f544354a6ee771c41d38c333b00bf4290ed4a73a559cf5a6cc00c05a85ae954ec05042b4b403483df6612e14f8