Malware Analysis Report

2025-03-14 22:30

Sample ID: 240304-rlahvscb6z
Target: b25672510d00721c43a202fe2a296100
SHA256: 36e18f8741f4044d0306d57437dbc377c0bb7ded63bc7039817d6048de460b35
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 36e18f8741f4044d0306d57437dbc377c0bb7ded63bc7039817d6048de460b35

Threat Level: Shows suspicious behavior

The file b25672510d00721c43a202fe2a296100 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: persistence

- Loads dropped DLL
- Adds Run key to start application
- Unsigned PE
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-04 14:16

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-04 14:16
Reported: 2024-03-04 14:18
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe"

Signatures

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe
Target: N/A

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\b25672510d00721c43a202fe2a296100 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b25672510d00721c43a202fe2a296100.exe"
Process: C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe"

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe"

Network

N/A

Files

memory/1660-0-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\t3st.bmp
  MD5: e9837ceed39ecb8a686f996b8f766fad
  SHA1: 937a91b1965241fdb147eafcc42d1d310125a43f
  SHA256: 40c16bb7b99ff49f157e6dab18cc024c799f35140388760bd2bf03f87f0b2810
  SHA512: 86263d53e644b8ccb64844e33fd9aed62b948918fb4d838918e5c6f8bdec5c673ffc9e05d57b8d2565410a0116be1aeac43b1ceb1b5c945635814ebfed644164

memory/1660-4-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1660-5-0x0000000010000000-0x0000000010007000-memory.dmp

memory/1660-6-0x0000000010000000-0x0000000010007000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-04 14:16
Reported: 2024-03-04 14:18
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe"

Signatures

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe
Target: N/A

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b25672510d00721c43a202fe2a296100 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b25672510d00721c43a202fe2a296100.exe"
Process: C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b25672510d00721c43a202fe2a296100.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Network

Country  Destination  Domain                          Proto
US       8.8.8.8:53   79.121.231.20.in-addr.arpa      udp
US       8.8.8.8:53   14.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53   43.58.199.20.in-addr.arpa       udp
US       8.8.8.8:53   157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53   171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53   217.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53   14.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53   26.73.42.20.in-addr.arpa        udp

Files

memory/2924-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\t3st.bmp
  MD5: e9837ceed39ecb8a686f996b8f766fad
  SHA1: 937a91b1965241fdb147eafcc42d1d310125a43f
  SHA256: 40c16bb7b99ff49f157e6dab18cc024c799f35140388760bd2bf03f87f0b2810
  SHA512: 86263d53e644b8ccb64844e33fd9aed62b948918fb4d838918e5c6f8bdec5c673ffc9e05d57b8d2565410a0116be1aeac43b1ceb1b5c945635814ebfed644164

memory/2924-5-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2924-6-0x0000000000400000-0x000000000040B000-memory.dmp