Malware Analysis Report

2025-06-16 07:09

Sample ID: 240602-bdqbcadh64
Target: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f
SHA256: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f
Tags: persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f

Threat Level: Known bad

The file a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f was found to be: Known bad.

Malicious Activity Summary

persistence

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-02 01:01

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 01:01
Reported: 2024-06-02 01:04
Platform: win10v2004-20240426-en
Max time kernel: 31s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | N/A
File opened for modification | C:\Windows\dev379A.tmp | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | N/A
File opened for modification | C:\Windows\dev379A.tmp | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1076 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 1076 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 1076 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 1076 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 1076 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 1076 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 3640 wrote to memory of 3088 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
PID 3640 wrote to memory of 3088 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
PID 3640 wrote to memory of 3960 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE
PID 3640 wrote to memory of 3960 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE
PID 3640 wrote to memory of 3960 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe

"C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev379A.tmp!C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe! !

C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev379A.tmp!C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE!

Network

Country | Destination | Domain | Proto
N/A | 10.127.255.255:78 |  | udp
N/A | 10.255.255.255:78 |  | udp
US | 8.8.8.8:53 | 255.1.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | 255.255.255.10.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
N/A | 10.127.1.255:78 |  | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/1076-1-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 7953ee2765fd7f56ef2cbc7181d1149d
SHA1 c649e183ef7ea9d5f758e061432c2707f7591b6f
SHA256 79d8f0ced4322e8274ed093c31cc3685048212c192d549c8d31a19f16b1d6da9
SHA512 351b443e4145ddaccef9de847b142b240fb44594d6bee7b7fbe16a865df6dccd93559b437b254093f0f790bb3b66d0972d879b931c8f2e9ed9fdd4c931dbe7b7

memory/4560-12-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\dev379A.tmp

MD5 b8d69fa2755c3ab1f12f8866a8e2a4f7
SHA1 8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d
SHA256 7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd
SHA512 5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

memory/3640-10-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1076-7-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe

MD5 60ba1219b473263a4471e8e25118e4cf
SHA1 9b7ec1b278cb87a3b684820f23784e605eada716
SHA256 b0d78983ee9bd9e9bd629225d1449e8c735e752aaf7ab8eb888fea47eb2142fa
SHA512 6b606b201ef10f4df76e982b6415901e235a1a4881277e6de7c6da72baa9dc2dd8c2fec59291af837791916049ff4b73f79db0370f5a76203e175b23c7288af3

memory/3960-20-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe

MD5 84a75736d5fddf6bf97d86a11b47d1ab
SHA1 b1845ee95269b0f10068edb4a0e70260ca074d8a
SHA256 a6a2d36c3371533edc725244e3eaa8f9ac0f16408117909c524b79df898d7bb7
SHA512 bec6c2131452b5faab5cae51940110a6858e60da17939f5846a180ded5aa3889635fedcf7b543462bcdc4ae9c0f219079afa9d2709bc2f327b7cae0c9b3bb931

memory/3640-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4560-25-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 01:01
Reported: 2024-06-02 01:04
Platform: win7-20240215-en
Max time kernel: 17s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | N/A
File opened for modification | C:\Windows\dev164E.tmp | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3020 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 3020 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 3020 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 3020 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 3020 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 3020 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 3020 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 3020 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | C:\WINDOWS\MSWDM.EXE
PID 2992 wrote to memory of 2564 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
PID 2992 wrote to memory of 2564 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
PID 2992 wrote to memory of 2564 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
PID 2992 wrote to memory of 2564 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
PID 2992 wrote to memory of 2608 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE
PID 2992 wrote to memory of 2608 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE
PID 2992 wrote to memory of 2608 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE
PID 2992 wrote to memory of 2608 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe

"C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev164E.tmp!C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe! !

C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev164E.tmp!C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE!

Network

Country | Destination | Domain | Proto
N/A | 10.127.255.255:78 |  | udp
N/A | 10.255.255.255:78 |  | udp
N/A | 10.127.0.255:78 |  | udp

Files

memory/3020-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 7953ee2765fd7f56ef2cbc7181d1149d
SHA1 c649e183ef7ea9d5f758e061432c2707f7591b6f
SHA256 79d8f0ced4322e8274ed093c31cc3685048212c192d549c8d31a19f16b1d6da9
SHA512 351b443e4145ddaccef9de847b142b240fb44594d6bee7b7fbe16a865df6dccd93559b437b254093f0f790bb3b66d0972d879b931c8f2e9ed9fdd4c931dbe7b7

C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe

MD5 b8d69fa2755c3ab1f12f8866a8e2a4f7
SHA1 8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d
SHA256 7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd
SHA512 5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

memory/2992-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2608-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2992-24-0x00000000003E0000-0x00000000003FB000-memory.dmp

memory/1524-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2992-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3020-12-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1524-31-0x0000000000400000-0x000000000041B000-memory.dmp