Malware Analysis Report

2025-08-10 22:50

Sample ID 240108-etb1fabhe3
Target 4a68e03ee1cfc5f1286cb5df49daba14
SHA256 16e5226713f696f2349a47666206a0ccf5b2e55c68a9523941a35d6ad0e7ac3c
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

16e5226713f696f2349a47666206a0ccf5b2e55c68a9523941a35d6ad0e7ac3c

Threat Level: Shows suspicious behavior

The file 4a68e03ee1cfc5f1286cb5df49daba14 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-08 04:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 04:13

Reported

2024-01-08 04:16

Platform

win7-20231215-en

Max time kernel

142s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe"

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1980 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe | C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe
PID 1980 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe | C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe
PID 1980 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe | C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe
PID 1980 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe | C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe
PID 1980 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe | C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe
PID 1980 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe | C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe
PID 1980 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe | C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe

"C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe"

C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe

C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe

Network

N/A

Files

memory/1980-1-0x0000000001100000-0x0000000001306000-memory.dmp

memory/1980-2-0x0000000000350000-0x0000000000352000-memory.dmp

memory/1980-0-0x0000000000400000-0x0000000000606000-memory.dmp

\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\ijtmp_21706FB3-A78F-4255-8497-FDF3DA90123C\4a68e03ee1cfc5f1286cb5df49daba14.exe

MD5 4a68e03ee1cfc5f1286cb5df49daba14
SHA1 3f36dec45c66c6dd2aef63d7c12e3d4627e44888
SHA256 16e5226713f696f2349a47666206a0ccf5b2e55c68a9523941a35d6ad0e7ac3c
SHA512 1ba2bdbf0c96de5701d95be3325b066921ece002a305b21701983d6445f9934b1379d6247a4b2d5add4f493ed33e91d2bb11bfe1a40f67e2dab11c33f8da38da

memory/2128-14-0x0000000000D60000-0x0000000000F66000-memory.dmp

memory/2128-15-0x0000000000D60000-0x0000000000F66000-memory.dmp

memory/1980-13-0x0000000003310000-0x0000000003516000-memory.dmp

memory/2128-16-0x0000000000D60000-0x0000000000F66000-memory.dmp

memory/2128-19-0x0000000000400000-0x0000000000606000-memory.dmp

memory/1980-23-0x0000000000400000-0x0000000000606000-memory.dmp

\Users\Admin\AppData\Local\Temp\twapi-dlls-1.1.5\twapi.dll

MD5 19f53fb243ad97ee855e6ecf0d12cc39
SHA1 ef56ef5320c622571ae5db69a66e592f32077411
SHA256 d88c5401e55d66bf7b8c42650644567ff27b35c6178c197af9fea941c8820301
SHA512 94acf9b6b2cae0cc49717fb8c5e5808facd9eca4e7409d695337d16e997bcbbcb110741307f689505465b395cc1b9b945d1518470c44d048fe6ed31c62879935

memory/2128-27-0x0000000002790000-0x00000000027F7000-memory.dmp

\Users\Admin\AppData\Local\Temp\twapi-dlls-1.1.5\twapicallback.dll

MD5 5c9bdfd0977db0bb36c968045d95051b
SHA1 7b8a733ff048f17508a5a93cc95e4fc777be13f8
SHA256 6d6461d5b3cb5dd1f07611f2bb36766ad414d3883ad92c6bb3d8817f3f06c0bc
SHA512 fb3f3a7cd1bd7e3930cf4682c13103846561345023a9e9c750cebfd30f5a0a0abd19fffa78a0184a74e9d274be91bb7fffc662210411d6c42d78db8bcebee0bd

memory/2128-17-0x0000000000370000-0x0000000000372000-memory.dmp

memory/2128-29-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-30-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-31-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-32-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-33-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-34-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-35-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-36-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-37-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-38-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-39-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-40-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-41-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2128-42-0x0000000000400000-0x0000000000606000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 04:13

Reported

2024-01-08 04:16

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe

"C:\Users\Admin\AppData\Local\Temp\4a68e03ee1cfc5f1286cb5df49daba14.exe"

C:\Users\Admin\AppData\Local\Temp\ijtmp_BE115195-099D-4329-A71E-F039431F75F1\4a68e03ee1cfc5f1286cb5df49daba14.exe

C:\Users\Admin\AppData\Local\Temp\ijtmp_BE115195-099D-4329-A71E-F039431F75F1\4a68e03ee1cfc5f1286cb5df49daba14.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp

Files

memory/2856-0-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2856-1-0x00000000001A0000-0x00000000001A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ijtmp_BE115195-099D-4329-A71E-F039431F75F1\4a68e03ee1cfc5f1286cb5df49daba14.exe

MD5 9edf3cdd1bbaf1a3a9704125635ef92c
SHA1 93c0f6ac5b667dfd69962b7fc68c181169b53840
SHA256 5a35359cb2ebf1742f11ec3dbce3e46f8799dd1a360c44444dc7da706d185a4a
SHA512 5f0591751dab3ec8c3cbf56080635c92df0828c962f4c7286675cdc6fe46027b0b779badf745c45ad432fe0acc6c3f250ae1d54c0ecde71124ef8b470e471e95

memory/2264-8-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2856-16-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-20-0x00000000029F0000-0x0000000002A57000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\twapi-dlls-1.1.5\twapicallback.dll

MD5 5c9bdfd0977db0bb36c968045d95051b
SHA1 7b8a733ff048f17508a5a93cc95e4fc777be13f8
SHA256 6d6461d5b3cb5dd1f07611f2bb36766ad414d3883ad92c6bb3d8817f3f06c0bc
SHA512 fb3f3a7cd1bd7e3930cf4682c13103846561345023a9e9c750cebfd30f5a0a0abd19fffa78a0184a74e9d274be91bb7fffc662210411d6c42d78db8bcebee0bd

memory/2264-7-0x0000000000400000-0x0000000000606000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ijtmp_BE115195-099D-4329-A71E-F039431F75F1\4a68e03ee1cfc5f1286cb5df49daba14.exe

MD5 412ade4fdc82b45e73b2ed2f3a834ae2
SHA1 b3d099ddaafa44e22b695ff5c205c299508e7a8b
SHA256 e397f17ee06dadc2fc10e8e1f2cea5750b254d030ca15e6f608b47d59ac42e30
SHA512 3f892e52f38078abbde5a0bd30470839923f8c4b115d50fe622b6e77ad47c3ccca260412eb5abc872902ab3f73a29e29894aaa9ca4c631c5e595b4f3d3046bda

memory/2264-23-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-24-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-25-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2264-26-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-27-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-28-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-29-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-30-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-31-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-32-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-33-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-34-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-35-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-36-0x0000000000400000-0x0000000000606000-memory.dmp

memory/2264-37-0x0000000000400000-0x0000000000606000-memory.dmp