Malware Analysis Report

2024-12-07 16:48

Sample ID 241113-ztsy6sygpb
Target 32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1
SHA256 32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1
Tags
defense_evasion discovery evasion
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1

Threat Level: Likely malicious

The file 32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery evasion

Sets file to hidden

Executes dropped EXE

Deletes itself

Checks computer location settings

Indicator Removal: File Deletion

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 21:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 21:00

Reported

2024-11-13 21:03

Platform

win7-20240903-en

Max time kernel

141s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\iuyhost.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\iuyhost.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\Debug\iuyhost.exe C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A
File opened for modification C:\Windows\Debug\iuyhost.exe C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Debug\iuyhost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Debug\iuyhost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Debug\iuyhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe

"C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\iuyhost.exe

C:\Windows\Debug\iuyhost.exe

C:\Windows\Debug\iuyhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\32CE59~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.47.188:80 www.baidu.com tcp
US 8.8.8.8:53 2MuIomt0M.nnnn.eu.org udp
US 8.8.8.8:53 c3bU5ke0Da.nnnn.eu.org udp
US 8.8.8.8:53 CjIfri8cxI.nnnn.eu.org udp

Files

C:\Windows\debug\iuyhost.exe

MD5 455a55e03d173f9413dfb400de032b8c
SHA1 dd9244035b2b6569605deee4dd504317f905a4ab
SHA256 20f6b9d99d6ee1501e81cdd9342bbf80b3cdd15299bb1ebd84bfa72bbad47aa4
SHA512 51063cebbb80ac289b1758d79699bf077707c1a98a6d45a45f01e44e7e809f4a76b159f69cf4178e0dd5890ba3391528679b7370e831c9a8742933f5a3a934f2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 21:00

Reported

2024-11-13 21:03

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\tuehost.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Debug\tuehost.exe C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A
File opened for modification C:\Windows\Debug\tuehost.exe C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A
File opened for modification C:\Windows\Debug\tuehost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Debug\tuehost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Debug\tuehost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Debug\tuehost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe

"C:\Users\Admin\AppData\Local\Temp\32ce590bd0795f67d076efcb3b43b1fed109f8af7229469d331ddb778358deb1.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\tuehost.exe

C:\Windows\Debug\tuehost.exe

C:\Windows\Debug\tuehost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\32CE59~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 96.46.235.103.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 vab7mJtg.nnnn.eu.org udp
US 8.8.8.8:53 VqrlM5FR6O.nnnn.eu.org udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 5WYwdZj3qc.nnnn.eu.org udp

Files

C:\Windows\debug\tuehost.exe

MD5 c64959b65afbaae56c9d3e77b5bd344e
SHA1 9521e31fc293c08f10d23966590f901732733683
SHA256 be60aa1dcf85ecedc36deb4286cdc7b4138760ddc9d34e2d656b4dfb15ff3798
SHA512 e886e6acdae673faf578b61d96f47e93a53aeb139a491b456ee591e92fd024c67f69a8e092b1b634c25b54ca847e4414bbd671ced5abd5e0b0de8e3dbaa12849