Malware Analysis Report

2025-08-05 17:23

Sample ID: 221031-2sw1jsdhd7
Target: 40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901
SHA256: 40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901
Tags:
Score: 3/10


Analysis Overview

Score: 3/10

SHA256: 40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901

Threat Level: Likely benign

The file 40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901 was found to be: Likely benign.

Malicious Activity Summary

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-10-31 22:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-31 22:51

Reported: 2022-10-31 22:53

Platform: win7-20220812-en

Max time kernel: 43s

Max time network: 46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1800 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901.dll,#1

Network

N/A

Files

memory/2012-54-0x0000000000000000-mapping.dmp

memory/2012-55-0x00000000758C1000-0x00000000758C3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-31 22:51

Reported: 2022-10-31 22:53

Platform: win10v2004-20220901-en

Max time kernel: 90s

Max time network: 139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1616 wrote to memory of 4904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1616 wrote to memory of 4904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1616 wrote to memory of 4904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\40224b10f6543ea1a26bffadfe91c22233b2828118203cbd81b528c2fd592901.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 692

Network

Country | Destination | Domain | Proto
BE | 8.238.110.126:80 | N/A | tcp
US | 13.89.179.10:443 | N/A | tcp
BE | 8.238.110.126:80 | N/A | tcp
BE | 8.238.110.126:80 | N/A | tcp
BE | 8.238.110.126:80 | N/A | tcp

Files

memory/4904-132-0x0000000000000000-mapping.dmp