Malware Analysis Report

2025-03-14 23:13

Sample ID 240407-w7fdfsbd96
Target 0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae
SHA256 0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae

Threat Level: Known bad

The file 0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae was found to be: Known bad.

Malicious Activity Summary

persistence

UPX dump on OEP (original entry point)

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:33

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:33

Reported

2024-04-07 18:36

Platform

win7-20240221-en

Max time kernel

16s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe N/A
File opened for modification C:\Windows\dev8AA3.tmp C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe N/A
File opened for modification C:\Windows\dev8AA3.tmp C:\WINDOWS\MSWDM.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe C:\WINDOWS\MSWDM.EXE
PID 2268 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe C:\WINDOWS\MSWDM.EXE
PID 2268 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe C:\WINDOWS\MSWDM.EXE
PID 2268 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe C:\WINDOWS\MSWDM.EXE
PID 2268 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe C:\WINDOWS\MSWDM.EXE
PID 2268 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe C:\WINDOWS\MSWDM.EXE
PID 2268 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe C:\WINDOWS\MSWDM.EXE
PID 2268 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe C:\WINDOWS\MSWDM.EXE
PID 1636 wrote to memory of 2676 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 1636 wrote to memory of 2676 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 1636 wrote to memory of 2676 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 1636 wrote to memory of 2676 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe

"C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev8AA3.tmp!C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe! !

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev8AA3.tmp!C:\Users\Admin\AppData\Local\Temp\0D200FD9E3CCEFC70242D6FE40293E15EB33CD773DDA72F3A36EE43838F2D6AE.EXE!

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 udp
N/A 10.255.255.255:78 udp
N/A 10.127.0.255:78 udp

Files

memory/2268-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\dev8AA3.tmp

MD5 2df10238793f8b68bbe05d074a04169d
SHA1 400e14a8efaff6eb637751f7f516f992b21c704c
SHA256 6601e886c1dac5446a9e69b5bed4fa4456c11d5e67536d71d4c0b66766462434
SHA512 ab53124b88b8407e5528e1659050605440524a1548376a9f4bc69ab3f876f4ef4aadcb58cf49b1c32c926545c60e88dc670b99e40c65f5ba1832631d4d3cc00a

C:\WINDOWS\MSWDM.EXE

MD5 947c398d0c1b38741f7db3894a291c35
SHA1 7bfa7a783208b5685aa0ab2f9ca431e50d50bf5d
SHA256 a01f90bfe174bc68cfdc53f18388870e1be131765c3bbf1a445cdae4f57c70e4
SHA512 95965150161faa47c98ed0eaa419690694bb59c767e8babcc77da5a3802b7aef805b3e414a441fd281454b2422daa87f0aeeeee68dcfc60aae6d0b30aceed8ca

memory/2268-13-0x0000000000220000-0x000000000023B000-memory.dmp

memory/2268-12-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2984-17-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1636-19-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1636-26-0x0000000000330000-0x000000000034B000-memory.dmp

memory/2676-25-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0D200FD9E3CCEFC70242D6FE40293E15EB33CD773DDA72F3A36EE43838F2D6AE.EXE

MD5 34526d6a7798e82f4fa72b05c4198620
SHA1 a63fdb08cf493ae2388a46a5f3469e1650a7b0ac
SHA256 cb37b618a4f85224e2ffdfe336043560d85ccc012b9f2845b1628fc15a79650b
SHA512 757c778677d6d5bb46f9497e07cc46d870624e4636783b14d8cd36d8388dd11b3854dec70fe41d34d3049dca38afb99758d774ed841a4a20a941f69d83ee05a5

memory/1636-28-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2984-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2268-31-0x0000000000220000-0x000000000023B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:33

Reported

2024-04-07 18:36

Platform

win10v2004-20240226-en

Max time kernel

24s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe N/A
File opened for modification C:\Windows\dev6745.tmp C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe N/A
File opened for modification C:\Windows\dev6745.tmp C:\WINDOWS\MSWDM.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe

"C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev6745.tmp!C:\Users\Admin\AppData\Local\Temp\0d200fd9e3ccefc70242d6fe40293e15eb33cd773dda72f3a36ee43838f2d6ae.exe! !

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev6745.tmp!C:\Users\Admin\AppData\Local\Temp\0D200FD9E3CCEFC70242D6FE40293E15EB33CD773DDA72F3A36EE43838F2D6AE.EXE!

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 udp
N/A 10.255.255.255:78 udp
N/A 10.127.0.255:78 udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 255.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 255.255.255.10.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

memory/4392-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\WINDOWS\MSWDM.EXE

MD5 947c398d0c1b38741f7db3894a291c35
SHA1 7bfa7a783208b5685aa0ab2f9ca431e50d50bf5d
SHA256 a01f90bfe174bc68cfdc53f18388870e1be131765c3bbf1a445cdae4f57c70e4
SHA512 95965150161faa47c98ed0eaa419690694bb59c767e8babcc77da5a3802b7aef805b3e414a441fd281454b2422daa87f0aeeeee68dcfc60aae6d0b30aceed8ca

memory/4392-8-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5000-10-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\dev6745.tmp

MD5 2df10238793f8b68bbe05d074a04169d
SHA1 400e14a8efaff6eb637751f7f516f992b21c704c
SHA256 6601e886c1dac5446a9e69b5bed4fa4456c11d5e67536d71d4c0b66766462434
SHA512 ab53124b88b8407e5528e1659050605440524a1548376a9f4bc69ab3f876f4ef4aadcb58cf49b1c32c926545c60e88dc670b99e40c65f5ba1832631d4d3cc00a

C:\Users\Admin\AppData\Local\Temp\0D200FD9E3CCEFC70242D6FE40293E15EB33CD773DDA72F3A36EE43838F2D6AE.EXE

MD5 cedd0a906b89c42c54b389f4088404eb
SHA1 84ae5910baa74139f0fe26676a9ef52b72245f2e
SHA256 705984999439d32391cd1a9b798dad97dabc002af3176859c5d388c181b33a61
SHA512 1efd38c59f1db6dc034c62d489e7760e5d9659affe4885f1533ed4b8dfd0e4c1436353936f2e5d0f58dee1e6e4ca2ad32bc791e2365a27b264c85e3fe641c303

memory/2556-18-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5000-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4888-21-0x0000000000400000-0x000000000041B000-memory.dmp