Malware Analysis Report

2025-03-14 23:12

Sample ID: 240407-aa45nafe85
Target: a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1
SHA256: a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1
Tags: persistence
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 6/10

SHA256: a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1

Threat Level: Shows suspicious behavior

The file a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Unsigned PE

Runs .reg file with regedit

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 00:01

Signatures

Unsigned PE

  Description: N/A
  Indicator: N/A
  Process: N/A
  Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 00:01
Reported: 2024-04-07 00:04
Platform: win7-20240215-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1.exe"

Signatures

Adds Run key to start application (persistence)

  Description: Set value (str)
  Indicator: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscsvc = "C:\\Users\\Admin\\AppData\\Local\\wscsvc.exe"
  Process: C:\Windows\SysWOW64\regedit.exe
  Target: N/A

Runs .reg file with regedit

  Description: N/A
  Indicator: N/A
  Process: C:\Windows\SysWOW64\regedit.exe
  Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1.exe

"C:\Users\Admin\AppData\Local\Temp\a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1.exe"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Network

N/A

Files

memory/2916-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2916-1-0x0000000000020000-0x0000000000028000-memory.dmp

memory/2916-3-0x0000000000020000-0x0000000000028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

MD5 5b70d696d5cf6dc97150c200262d95cf
SHA1 374eeb8811bb6d0cfa31b70974d9fce39cf5a90e
SHA256 ebb66003c71a7b1a9e1dfcbb2e9791e87fd7b57b53b2795e21419828cbee95e7
SHA512 371b96751b4b2ff785c44042f0b579f903a42594e2e32c1271f0fab7393a70bc1ea02396596ed8a8959266ce045df578a7bc634c77cd2c04a81784e058cd5bac

C:\Users\Admin\AppData\Local\RCX1B9D.tmp

MD5 b0dab109cb6bebaeaedd87a430a9cf97
SHA1 32574dfef7946bdd551fb29511444c1cd816e85e
SHA256 0a6de028b0956ced750c7283105aabaf8db111ec650d48980ded7a4e3f293bdb
SHA512 27103cbda01ffe2eee413be350145fdd6bc8d94066e14eae21a074839576dc7f880711d5dfdf5dc48096b00c64663e2aaa0ad54838b39a9ca5506f80053fa93f

memory/2916-12-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 00:01
Reported: 2024-04-07 00:04
Platform: win10v2004-20231215-en
Max time kernel: 92s
Max time network: 93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1.exe"

Signatures

Adds Run key to start application (persistence)

  Description: Set value (str)
  Indicator: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe"
  Process: C:\Windows\SysWOW64\regedit.exe
  Target: N/A

Runs .reg file with regedit

  Description: N/A
  Indicator: N/A
  Process: C:\Windows\SysWOW64\regedit.exe
  Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1.exe

"C:\Users\Admin\AppData\Local\Temp\a52f49a474e12be266b78b90e88362d7bcc9dcdee65237c597ab3129e88555b1.exe"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Network

Country  Destination  Domain                            Proto
US       8.8.8.8:53   232.168.11.51.in-addr.arpa        udp
US       8.8.8.8:53   105.83.221.88.in-addr.arpa        udp
US       8.8.8.8:53   2.159.190.20.in-addr.arpa         udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa       udp
US       8.8.8.8:53   79.121.231.20.in-addr.arpa        udp
US       8.8.8.8:53   133.211.185.52.in-addr.arpa       udp
US       8.8.8.8:53   86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53   206.23.85.13.in-addr.arpa         udp
US       8.8.8.8:53   134.71.91.104.in-addr.arpa        udp
US       8.8.8.8:53   150.1.37.23.in-addr.arpa          udp
US       8.8.8.8:53   145.83.221.88.in-addr.arpa        udp
US       8.8.8.8:53   21.236.111.52.in-addr.arpa        udp
US       8.8.8.8:53   172.210.232.199.in-addr.arpa      udp

Files

memory/3944-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

MD5 f44153ef26be29552cf320325ad8b72e
SHA1 74ac72ba2ff0f871e59b11c95ad707372662370c
SHA256 767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f
SHA512 1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65

C:\Users\Admin\AppData\Local\WinHttp.exe

MD5 2de3865ba25d55c391339d603758c613
SHA1 b826f7cc8e9f3b9f88e7b809c173653ce1b9b3ee
SHA256 ef3a2c82f10d533d56b785ca9712e6cdf8bb02f148aa91f8d42bc45a19a98c03
SHA512 57a28ea9b32a344abb8e1233fc10f48dd9642f912e036e86535a4023f8ada53985ae23d69a5fc1bc55242851f5c6ebc169889184c2e2f4ea5e851027ae159c7a

memory/3944-10-0x0000000000400000-0x0000000000408000-memory.dmp