Malware Analysis Report

2025-08-10 11:58

Sample ID 240505-zjph1add71
Target xterm_fun.bin
SHA256 5706a78e802e699883b3973b918ca31d27da71a8bcc018ba3be13b7e314258b0
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

5706a78e802e699883b3973b918ca31d27da71a8bcc018ba3be13b7e314258b0

Threat Level: Likely benign

The file xterm_fun.bin was found to be: Likely benign.

Malicious Activity Summary


Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-05 20:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 20:45

Reported

2024-05-05 20:46

Platform

win7-20240221-en

Max time kernel

15s

Max time network

19s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\xterm_fun.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3036 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3036 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\xterm_fun.bin

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\xterm_fun.bin

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-05 20:45

Reported

2024-05-05 20:46

Platform

win10v2004-20240419-en

Max time kernel

35s

Max time network

34s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\xterm_fun.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\xterm_fun.bin

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A