Malware Analysis Report

2025-03-14 22:51

Sample ID 240406-1ephwabe9v
Target 5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4
SHA256 5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4

Threat Level: Shows suspicious behavior

The file 5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:33

Reported

2024-04-06 21:37

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\m00uc4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zwm5k5a4 = "C:\\Users\\Admin\\AppData\\Roaming\\m00uc4.exe" C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe

"C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe"

C:\Users\Admin\AppData\Roaming\m00uc4.exe

C:\Users\Admin\AppData\Roaming\m00uc4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lcogum.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 lcogum.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 34.41.229.245:80 ow5dirasuek.com tcp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\m00uc4.exe

MD5 1b0073367042e96feae864aaf4784f4d
SHA1 50d23c9b6c6191694d247cb623ba3fbaf7b53e69
SHA256 e41d313942ed013cc25c9e465ba71bf079b5671c6179091cc11bfbbd183cd5c6
SHA512 38075f8ac0de4ae90ad8a2164cff65a94f8d6f746c89764c91748baf6b400be28f53cb089e3598b19d2160fe90adb92e2ef602204c4431764feee61948bc5e06

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:33

Reported

2024-04-06 21:36

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\rbjiqos4 = "C:\\Users\\Admin\\AppData\\Roaming\\fnh05pjgdw.exe" C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe

"C:\Users\Admin\AppData\Local\Temp\5f9a326f7ff5c0e84f61affe659978947af52a6f6cf9b7b6db1c8a1528b5cba4.exe"

C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe

C:\Users\Admin\AppData\Roaming\fnh05pjgdw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lcogum.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 34.41.229.245:80 ow5dirasuek.com tcp

Files

\Users\Admin\AppData\Roaming\fnh05pjgdw.exe

MD5 8192b0595c809d40071996dafc5b7fd0
SHA1 d02dd9f079b7d8fd879d8b049f8614cb1b077c87
SHA256 d4585f3090675053a7427d2222c5ae00dd159f709ee1fc8ce416eec2ab630918
SHA512 08101bdb911260d2e454a0f38b5f30228abb195422bf13ddeb1f61ef80bf1a8842af62c7b42e17e884d9750705432b6fbe3240fda25c0dfeb2cde75b70093edc