Analysis Overview
SHA256
4219ad1aba06e67dc8f4978dc32cdf1da817a360798256f907b813be201580ec
Threat Level: Likely benign
The file MentalMentor.exe was found to be: Likely benign. The signatures below are the normal footprint of an Inno Setup installer rather than injection: the stub MentalMentor.exe (PID 4144) unpacks its second stage to is-QREME.tmp\MentalMentor.tmp, launches it with a /SL5= argument that points back at the stub, and writes to that child's memory (PID 3108); the DLLs dropped under is-1PDS7.tmp and the WinHttp.WinHttpRequest.5 User-Agent on the HTTPS connection to web.mymentalmentor.net fit an installer making a request at install time. The verdict stays benign despite the signature count for that reason; it should be revisited if the same process tree ever shows writes into a process that is not the installer's own .tmp child.
Malicious Activity Summary
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 01:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 01:52
Reported
2024-04-08 02:02
Platform
win10-20240404-en
Max time kernel
362s
Max time network
318s
Command Line
Signatures
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4144 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp |
| PID 4144 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp |
| PID 4144 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe | C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe
"C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe"
C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp" /SL5="$300E0,2483841,845312,C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe"
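The WriteProcessMemory and dropped-file signatures above are only meaningful once you know whether the writer/target pair is the Inno Setup stub and its own second stage. The following triage helper is an added example, not part of the sandbox report or of the analysed software; it encodes the Inno Setup launch convention (second stage at <TEMP>\is-XXXXX.tmp\<name>.tmp, started with /SL5="$<hwnd>,<offset>,<offset>,<stub path>") and checks a parent/child pair against it. The process records are constructed from the report's own process list; the explorer.exe record is a constructed counter-example and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Inno Setup's stub (setup.exe) extracts its second stage to
#   <TEMP>\is-XXXXX.tmp\<name>.tmp
# and launches it as
#   "<that path>" /SL5="$<hwnd>,<offset0>,<offset1>,<path of the stub>"
# A WriteProcessMemory from the stub into that child is part of the handover.
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
INNO_TMP_RE = re.compile(r'\\is-([A-Za-z0-9]{5})\.tmp\\([^\\]+)\.tmp$')
INNO_DIR_RE = re.compile(r'\\is-[A-Za-z0-9]{5}\.tmp\\')


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # full path of the executable, as the sandbox reports it
    cmdline: str


def parse_sl5(cmdline: str):
    """Return the /SL5= fields of an Inno Setup second-stage command line, or None."""
    m = SL5_RE.search(cmdline)
    if m is None:
        return None
    return {"hwnd": m.group(1), "offset0": int(m.group(2)),
            "offset1": int(m.group(3)), "stub": m.group(4)}


def _stem(path: str) -> str:
    # "C:\...\MentalMentor.exe" -> "mentalmentor"
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def is_inno_second_stage(parent: Proc, child: Proc) -> bool:
    """True when child is the is-XXXXX.tmp\<name>.tmp that parent (the stub) launched.

    Three things must line up: the child's path follows the Inno temp layout,
    its base name equals the stub's base name, and its /SL5= argument names
    the stub's own image as the source file.
    """
    m = INNO_TMP_RE.search(child.image)
    if m is None or m.group(2).lower() != _stem(parent.image):
        return False
    sl5 = parse_sl5(child.cmdline)
    return sl5 is not None and sl5["stub"].lower() == parent.image.lower()


def classify_write(writer: Proc, target: Proc) -> str:
    """Label one 'PID A wrote to memory of PID B' event for triage."""
    if writer.pid == target.pid:
        return "self"
    if is_inno_second_stage(writer, target):
        return "expected-inno-stub"
    return "review"        # cross-process write with no installer explanation


def dropped_under_inno_dir(path: str) -> bool:
    """Inno Setup extracts helper DLLs into a separate is-XXXXX.tmp directory."""
    return INNO_DIR_RE.search(path) is not None


# Records taken from the report's process list (paths and PIDs as reported).
STUB = Proc(4144, r"C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe",
            r'"C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe"')
STAGE2 = Proc(3108, r"C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp",
              r'"C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp" '
              r'/SL5="$300E0,2483841,845312,C:\Users\Admin\AppData\Local\Temp\MentalMentor.exe"')
# Constructed counter-example: a write into a process that is not the installer's child.
EXPLORER = Proc(1234, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"')
IDP_DLL = r"\Users\Admin\AppData\Local\Temp\is-1PDS7.tmp\idp.dll"   # dropped DLL from the report


if __name__ == "__main__":
    print(parse_sl5(STAGE2.cmdline))
    print("4144 -> 3108:", classify_write(STUB, STAGE2))
    print("4144 -> explorer:", classify_write(STUB, EXPLORER))
    print("idp.dll in Inno temp dir:", dropped_under_inno_dir(IDP_DLL))
```

The classifier is deliberately strict: a child that sits under is-XXXXX.tmp but carries a different base name, or whose /SL5= source does not name the writing process, is still labelled "review", because that is exactly the shape a dropper mimicking an installer would have.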
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | web.mymentalmentor.net | udp |
| NL | 51.158.210.166:443 | web.mymentalmentor.net | tcp |
| US | 8.8.8.8:53 | 166.210.158.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/4144-0-0x0000000000400000-0x00000000004DC000-memory.dmp
memory/4144-2-0x0000000000400000-0x00000000004DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-QREME.tmp\MentalMentor.tmp
| MD5 | 0d041f22d598f3a63bdf0e66c448bdab |
| SHA1 | 591fc72ec32e7efe2e641dba38c3cd7b6d415450 |
| SHA256 | e6b54015c403e3016b848b18fc488d4d281a752bc9ab2a3324ba4d8efb642563 |
| SHA512 | 5dd3af37f06f308f348213c0305acab38cf279556c12a9b14d0343072b1f431778c75129715a2b04abcf219baaeba665faa08fcb4692d2ede36b2511178de210 |
memory/3108-6-0x0000000002790000-0x0000000002791000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-1PDS7.tmp\idp.dll
| MD5 | 59fd376f6e67cf49bfb0ac6724140e72 |
| SHA1 | e02a4185b9272ae6a3b5eaa4333905fc989698e2 |
| SHA256 | 88d2da3783c9ef9b2c9f20224a399fe3607581f338daea94f68606a760cc06d5 |
| SHA512 | 9510b201f43cb9a2362842dd382dd3be794b439227241f97f89c1f15246888099094c91b96905b55c1e490ef7dc26aff06382c2c69971d4506ad5f8a66a811eb |
memory/3108-13-0x0000000002570000-0x00000000026B0000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-1PDS7.tmp\mentor-inno-lib.dll
| MD5 | 8e8f2104c9a175fb576cdb208a08e6a3 |
| SHA1 | 77f937b7ca2450c71db6075bfe71df266fd1854d |
| SHA256 | 784ca2a85f535658d4b914943a4b82cce8658b80fb75158e357aa3a2308fe2be |
| SHA512 | e83521476a1d5ff1ef900c727d2f49e0c175f8c82cc7f23373a8f088d1db4fe1205297883e5be23c5081706faad2f21c5e5e7681a362d83e73395a28f1d5cfb6 |
memory/3108-14-0x0000000002570000-0x00000000026B0000-memory.dmp
memory/4144-19-0x0000000000400000-0x00000000004DC000-memory.dmp
memory/3108-20-0x0000000000400000-0x0000000000717000-memory.dmp
memory/3108-23-0x0000000002790000-0x0000000002791000-memory.dmp