In the previous blog post, we explored fundamental malware analysis using Microsoft 365 Defender. Thanks to Microsoft 365 Defender, we obtained essential insights into the malware file and accurately identified its type. Ultimately, we revealed the malware's dropped files and IPs by leveraging deep analysis.
Now, I'm excited to cover a much deeper exploration of deep analysis and PE analysis, leveraging the capabilities of third-party tools.
Note
If you missed the chance to read Malware Analysis Part 1, here is Day11-MalwareAnalysis-Insights-part1.md.
After deep analysis unpacked the PE file in a cloud-based sandbox environment in MDE and provided a comprehensive report, I highlighted suspicious activities from the results. Regarding Command and Control (C2C), we can observe that the Type A malware [supr.exe] attempts to access an external IP [40.9.74.80] via an HTTP request. While [13.107.4.50] appears to be a legitimate access point, it was flagged in VirusTotal. This suggests that the IP may belong to a legitimate remote access tool.
In terms of persistence, Type A [supr.exe] can create [oneet.exe] and set up a scheduled task to run [oneet.exe] every minute. Additionally, [oneet.exe] initiates [cmd.exe] to control access to specific files and directories.
Any.Run is a tool that helps cybersecurity experts and researchers safely test and study malicious software (malware). It lets them see what the malware does without harming real computers. They can upload suspicious files or links, and Any.Run shows how the malware behaves in a safe environment, helping experts learn how to protect against it.
Thanks to Any.Run and the Deep Analysis results, we can clearly see and understand how Type A [supr.exe] behaves during runtime. While we might have already gathered some insights from the Deep Analysis, Any.Run helps us visualize the logic of malware activities, such as the process tree. It allows us to sync each process with the process tree, especially in the case of C2C activities.
ANY.RUN - Type A [supr.exe] process tree
ANY.RUN - C2C activities
Pestudio is a software tool used for analyzing and inspecting executable files (programs). It provides information about these files, including details about their structure, imported and exported functions, embedded strings, and resources, among other aspects. In the cybersecurity field, Pestudio is utilized for static analysis, examining PE files without executing them.
Based on the Pestudio output, it appears that obfuscation techniques were used in the PE file. This includes the presence of a base64 string and the use of some suspicious APIs such as MemoryStream and CheckRemoteDebuggerPresent.
Through Pestudio, I managed to gather insights about the content within the PE file that might not have been fully covered by MDE. While I didn't delve into every detail, the static analysis of the PE file revealed signs of obfuscation and other interesting elements.
Pestudio - Suspicious values from strings
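As an added illustration (not code from this post or from Pestudio), the following Python script does in miniature what the strings view above does: it pulls printable strings out of raw file bytes, flags the suspicious API names discussed above, and decodes any string that validates as base64. The bytes and the API list are constructed stand-ins, not the real sample or Pestudio's own indicator set.

```python
import re
import base64
import binascii

# Constructed stand-in for the raw bytes of a PE file (not the real supr.exe).
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00CheckRemoteDebuggerPresent\x00IsDebuggerPresent\x00"
    + b"System.IO.MemoryStream\x00"
    + b"\x01\x02\x03"
    + b"SGVsbG8gZnJvbSBhIGhpZGRlbiBwYXlsb2FkIHN0YWdl\x00"  # base64 of a constructed text
    + b"hello\x00"  # too short to be listed as a string
)

# Assumed triage list: API names worth a second look and why (illustrative, not exhaustive).
SUSPICIOUS_APIS = {
    "CheckRemoteDebuggerPresent": "anti-debugging check",
    "IsDebuggerPresent": "anti-debugging check",
    "MemoryStream": "in-memory payload staging",
}

def extract_strings(data, min_len=6):
    """Return printable ASCII runs of at least min_len chars, like strings/Pestudio list."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def looks_like_base64(s, min_len=16):
    """True if s is well-formed base64 that decodes to mostly printable text."""
    if len(s) < min_len or len(s) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        decoded = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Require a mostly printable decode to limit false positives on random-looking text.
    return sum(32 <= b < 127 for b in decoded) / len(decoded) > 0.9

def triage(data):
    """Scan raw bytes and report suspicious APIs and decoded base64 strings."""
    findings = {"apis": {}, "base64": []}
    for s in extract_strings(data):
        for api, why in SUSPICIOUS_APIS.items():
            if api in s:
                findings["apis"][api] = why
        if looks_like_base64(s):
            findings["base64"].append((s, base64.b64decode(s).decode("ascii", "replace")))
    return findings

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BYTES).items():
        print(key, value)
```

On a real file, replace SAMPLE_BYTES with the file's contents read in binary mode; hits are triage leads to confirm in Pestudio or a sandbox, not verdicts.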
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.