Malware Analysis Report

2025-03-14 23:55

Sample ID 240603-fr6mpsce4v
Target eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be
SHA256 eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be
Tags
persistence
score
7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be

Threat Level: Shows suspicious behavior

The file eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:07

Reported

2024-06-03 05:09

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe | N/A
N/A | N/A | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | \??\c:\program files (x86)\microsoft office\office14\bcssync.exe | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A
File created | \??\c:\program files (x86)\adobe\acrotray .exe | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A
File created | \??\c:\program files (x86)\adobe\acrotray.exe | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A
File created | \??\c:\program files (x86)\internet explorer\wmpscfgs.exe | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1728 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1728 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1728 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1728 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1728 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1728 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1728 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1728 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2740 wrote to memory of 2824 | N/A | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2740 wrote to memory of 2824 | N/A | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2740 wrote to memory of 2824 | N/A | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2740 wrote to memory of 2824 | N/A | C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2380 wrote to memory of 2812 | N/A | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2380 wrote to memory of 2812 | N/A | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2380 wrote to memory of 2812 | N/A | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2380 wrote to memory of 2812 | N/A | \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe

"C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe"

\??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

c:\users\admin\appdata\local\temp\\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 88

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 88

Network

N/A

Files

memory/1728-0-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/1728-8-0x0000000000423000-0x0000000000727000-memory.dmp

memory/1728-6-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/1728-9-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/1728-5-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1728-3-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1728-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1728-10-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

MD5 3b5a31b20d94b2292b1227ed4de902e4
SHA1 055b0896c51e94d2e7f5cd0ca181bab42778d12e
SHA256 52438b29ebae01cb11c6578fc3d0c00599b14490a7f5f155bd839ef5722a62e8
SHA512 d92e6b22c8adca04d8bb446e3659e70fa000147250c028c8c3842bc4fc9b206fe35f1364fdfc6880f6989db2cffe407fa755db2bb52770b8c7c9aa9b178aa85b

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

MD5 3a7c4f50ac6b9a6e068d4027c1c01bcf
SHA1 7101750d25a06dee2dc9f6acadee7ee94a8ae4aa
SHA256 560ed83cdc04c8b6e6dcd468f81c3576f4d24c7bcb6bfe31328aab3f6bee91c0
SHA512 f0a7b6559aa74f71500045ef742cc4dbb8057bca264bbeb599def9035328d772082a90fd036d6b4f5c8cd9691f95b2de5d980b350bd449a1e134d0af2dfd3dd3

memory/1728-37-0x0000000000423000-0x0000000000727000-memory.dmp

memory/1728-33-0x0000000004D10000-0x00000000055C4000-memory.dmp

memory/1728-32-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/1728-30-0x0000000004D10000-0x00000000055C4000-memory.dmp

memory/2740-43-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/2740-45-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/2380-53-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/2380-51-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/2380-50-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2380-48-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2740-62-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/2380-63-0x0000000000400000-0x0000000000CB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:07

Reported

2024-06-03 05:09

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe"

Signatures

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | \??\c:\program files (x86)\common files\java\java update\jusched.exe | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A
File created | \??\c:\program files (x86)\adobe\acrotray .exe | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A
File created | \??\c:\program files (x86)\adobe\acrotray.exe | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A
File created | \??\c:\program files (x86)\internet explorer\wmpscfgs.exe | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe

"C:\Users\Admin\AppData\Local\Temp\eab89a0913e5808dbf53be1de71db896f617c4238b4baa95941fef090ac765be.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 60 -ip 60

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 660

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/60-0-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/60-2-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/60-4-0x0000000000423000-0x0000000000727000-memory.dmp

memory/60-1-0x00000000028C0000-0x00000000028C1000-memory.dmp

memory/60-5-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/60-6-0x0000000010000000-0x0000000010010000-memory.dmp

memory/60-13-0x0000000000400000-0x0000000000CB4000-memory.dmp

memory/60-14-0x0000000000423000-0x0000000000727000-memory.dmp