Malware Analysis Report

2025-08-05 17:32

Sample ID 221101-mnpncaahd9
Target 5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102
SHA256 5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102
Tags
score
1/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
1/10

SHA256

5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102

Threat Level: No (potentially) malicious behavior was detected

The file 5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102 was analysed and no (potentially) malicious behavior was detected.

Malicious Activity Summary

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-11-01 10:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 10:36

Reported

2022-11-01 10:40

Platform

win7-20220901-en

Max time kernel

44s

Max time network

50s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                          | Target
PID 1352 wrote to memory of 1528 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 1528 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 1528 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 1528 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 1528 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 1528 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 1528 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102.dll,#1

Network

N/A

Files

memory/1528-54-0x0000000000000000-mapping.dmp

memory/1528-55-0x0000000075B51000-0x0000000075B53000-memory.dmp

memory/1528-56-0x0000000001D60000-0x00000000033FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-01 10:36

Reported

2022-11-01 10:40

Platform

win10v2004-20220901-en

Max time kernel

91s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description                     | Indicator | Process                          | Target
PID 3360 wrote to memory of 388 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3360 wrote to memory of 388 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3360 wrote to memory of 388 | N/A       | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d11b009391ffab30cc00ae878a915c7bcbd2c486c2dd125a3d43fcd06e36102.dll,#1

Network

Country | Destination        | Domain | Proto
JP      | 13.78.111.198:443  |        | tcp
BE      | 8.238.110.126:80   |        | tcp
NL      | 88.221.25.155:80   |        | tcp
NL      | 88.221.25.155:80   |        | tcp
BE      | 8.238.110.126:80   |        | tcp
US      | 8.247.211.254:80   |        | tcp
US      | 204.79.197.203:80  |        | tcp

Files

memory/388-132-0x0000000000000000-mapping.dmp

memory/388-133-0x0000000001F20000-0x00000000035BC000-memory.dmp