Analysis Overview
SHA256
fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5
Threat Level: Likely benign
The file fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5 was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:29
Reported
2024-06-02 22:32
Platform
win7-20240221-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe
"C:\Users\Admin\AppData\Local\Temp\fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
Network
Files
memory/2228-0-0x0000000000400000-0x0000000000EC8000-memory.dmp
memory/2228-1-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2228-8-0x0000000000400000-0x0000000000EC8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:29
Reported
2024-06-02 22:32
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe
"C:\Users\Admin\AppData\Local\Temp\fdb4e10d1f83e739b67a66405db7a7faecbe0732084ff142b32ddda11384f5a5.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
Files
memory/1816-0-0x0000000000400000-0x0000000000EC8000-memory.dmp
memory/1816-1-0x0000000002C60000-0x0000000002C61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com
| MD5 | 74ea83a987cf7e29fe79b16b15b4bbed |
| SHA1 | 452a79ee1211fad2efdfaf203e4b092f937208fc |
| SHA256 | 9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d |
| SHA512 | 35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355 |
memory/1816-6-0x0000000000400000-0x0000000000EC8000-memory.dmp