Analysis Overview
SHA256
36e18f8741f4044d0306d57437dbc377c0bb7ded63bc7039817d6048de460b35
Threat Level: Shows suspicious behavior
The file b25672510d00721c43a202fe2a296100 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-04 14:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-04 14:16
Reported
2024-03-04 14:18
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\b25672510d00721c43a202fe2a296100 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b25672510d00721c43a202fe2a296100.exe" | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1660 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | C:\Program Files\Internet Explorer\iexplore.exe |
| PID 1660 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | C:\Program Files\Internet Explorer\iexplore.exe |
| PID 1660 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | C:\Program Files\Internet Explorer\iexplore.exe |
| PID 1660 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | C:\Program Files\Internet Explorer\iexplore.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe
"C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
Network
Files
memory/1660-0-0x0000000000400000-0x000000000040B000-memory.dmp
\Users\Admin\AppData\Local\Temp\t3st.bmp
| MD5 | e9837ceed39ecb8a686f996b8f766fad |
| SHA1 | 937a91b1965241fdb147eafcc42d1d310125a43f |
| SHA256 | 40c16bb7b99ff49f157e6dab18cc024c799f35140388760bd2bf03f87f0b2810 |
| SHA512 | 86263d53e644b8ccb64844e33fd9aed62b948918fb4d838918e5c6f8bdec5c673ffc9e05d57b8d2565410a0116be1aeac43b1ceb1b5c945635814ebfed644164 |
memory/1660-4-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1660-5-0x0000000010000000-0x0000000010007000-memory.dmp
memory/1660-6-0x0000000010000000-0x0000000010007000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-04 14:16
Reported
2024-03-04 14:18
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b25672510d00721c43a202fe2a296100 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b25672510d00721c43a202fe2a296100.exe" | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2924 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 2924 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe
"C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
memory/2924-0-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\t3st.bmp
| MD5 | e9837ceed39ecb8a686f996b8f766fad |
| SHA1 | 937a91b1965241fdb147eafcc42d1d310125a43f |
| SHA256 | 40c16bb7b99ff49f157e6dab18cc024c799f35140388760bd2bf03f87f0b2810 |
| SHA512 | 86263d53e644b8ccb64844e33fd9aed62b948918fb4d838918e5c6f8bdec5c673ffc9e05d57b8d2565410a0116be1aeac43b1ceb1b5c945635814ebfed644164 |
memory/2924-5-0x0000000010000000-0x0000000010007000-memory.dmp
memory/2924-6-0x0000000000400000-0x000000000040B000-memory.dmp