Malware Analysis Report

2025-03-14 23:56

Sample ID 240603-gflntseg45
Target f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f
SHA256 f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f

Threat Level: Known bad

The file f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f was found to be: Known bad.

Observed chain (both detonations below): the UPX-packed sample, which the sandbox dumped at its OEP from the 0x400000-0x41B000 image region, drops C:\WINDOWS\MSWDM.EXE (SHA256 3e7a32d9..., identical in both runs, full hash under Files), sets the value WDM = "MSWDM.EXE" under both the Run and RunServices keys, writes C:\Windows\dev<XXXX>.tmp (SHA256 cd24c61f..., identical in both runs), and re-launches MSWDM.EXE with "-r!<tmp>!<original path>! !" and "-e!<tmp>!<original path>!" arguments. The -r instance also starts an upper-cased copy of the original under %TEMP% whose hash differs from the submitted file and differs between the two runs, so that file is not a stable indicator; MSWDM.EXE and the .tmp are. The Wow6432Node key path shows a 32-bit process writing under registry redirection on 64-bit Windows.

Two points for detection: the Run value data is a bare filename with no directory, which only works because the binary was placed in %SystemRoot%, a directory on the process search path, so hunting on the value data "MSWDM.EXE" and on the file in C:\WINDOWS both work. RunServices is honoured only by Windows 9x/ME and is inert on the NT-based platforms used here, so that write fingerprints legacy code rather than adding a second working persistence. On the network side, apart from traffic consistent with Windows background activity in the win10 run, only directed-broadcast UDP/78 datagrams to the sandbox's local ranges were seen, and the report attributes no flow to a specific process.

Malicious Activity Summary

persistence

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Techniques implied by the signatures in this report:

Persistence: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (from "Adds Run key to start application")

Defense Evasion: T1027.002 Obfuscated Files or Information: Software Packing (from "UPX dump on OEP")

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:44

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:44

Reported

2024-06-03 05:47

Platform

win7-20240508-en

Max time kernel

19s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
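The four rows above are the whole persistence story, and they are easy to triage automatically from endpoint telemetry. The following is an added example (not part of the sandbox report or the sample's code) that runs Sysmon-style "registry value set" records through the checks a hunter would apply: canonicalise the key (native \REGISTRY\MACHINE path, Wow6432Node redirection), recognise live versus Win9x-only autostart keys, and flag a bare-filename value and a writer that registers its own image. The event records are constructed to mirror the table above, plus one benign-looking entry and one non-autostart write for contrast; the field names follow Sysmon Event ID 13.

```python
"""Triage of Sysmon-style 'registry value set' events for autostart persistence.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed to
mirror the 'Adds Run key to start application' rows of the report (field names
follow Sysmon Event ID 13: TargetObject, Details, Image).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Autostart keys in canonical (Wow6432Node-free) form. RunServices/RunServicesOnce
# are honoured only by Windows 9x/ME; on NT-based Windows they are inert, so a
# write there fingerprints legacy malware code but is not working persistence.
AUTOSTART_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "live",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": "live",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": "legacy, Win9x only",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce": "legacy, Win9x only",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "live",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": "live",
}


@dataclass
class Finding:
    key: str
    value_name: str
    data: str
    writer: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def normalize_key(target_object: str):
    """Map a native registry path to HKLM/HKCU form and split off the value name.

    The Wow6432Node component is dropped so a 32-bit writer on a 64-bit host
    (the situation in the report) is matched against the same canonical key.
    """
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", target_object, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\S-[0-9-]+\\", r"HKCU\\", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", path, flags=re.I)
    path = re.sub(r"\\Wow6432Node\\", r"\\", path, flags=re.I)
    key, _, value_name = path.rpartition("\\")
    return key, value_name


def image_from_data(data: str) -> str:
    """First token of a Run value (handles a quoted path followed by arguments)."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def triage_registry_event(event: dict) -> Optional[Finding]:
    """Return a Finding for writes to autostart keys, None for anything else."""
    key, value_name = normalize_key(event["TargetObject"])
    kind = next((v for k, v in AUTOSTART_KEYS.items() if k.lower() == key.lower()), None)
    if kind is None:
        return None
    data, writer = event["Details"].strip(), event["Image"]
    target = image_from_data(data)
    f = Finding(key, value_name, data, writer, [f"autostart key ({kind})"])
    # A bare filename is resolved through the search path, which includes
    # %SystemRoot%: that is why the sample drops MSWDM.EXE into C:\WINDOWS and
    # registers just "MSWDM.EXE" with no directory.
    if "\\" not in target and ":" not in target:
        f.reasons.append("value is a bare filename resolved via the search path")
    if "\\appdata\\local\\temp\\" in writer.lower():
        f.reasons.append("written by a process running from %TEMP%")
    # The dropped binary re-registering its own name (second pair of rows in the
    # report) is a self-persistence pattern worth calling out separately.
    if writer.rpartition("\\")[2].lower() == target.rpartition("\\")[2].lower():
        f.reasons.append("writer registers its own image")
    return f


def triage_all(events):
    return [f for f in map(triage_registry_event, events) if f is not None]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe"
DROPPED = r"C:\WINDOWS\MSWDM.EXE"
CV = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion"

# Constructed events; key paths and values copied from the report's table.
SAMPLE_EVENTS = [
    {"TargetObject": CV + r"\Run\WDM", "Details": "MSWDM.EXE", "Image": SAMPLE},
    {"TargetObject": CV + r"\RunServices\WDM", "Details": "MSWDM.EXE", "Image": SAMPLE},
    {"TargetObject": CV + r"\Run\WDM", "Details": "MSWDM.EXE", "Image": DROPPED},
    {"TargetObject": CV + r"\RunServices\WDM", "Details": "MSWDM.EXE", "Image": DROPPED},
    # benign-looking full-path entry from a user-context installer (constructed)
    {"TargetObject": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Program Files\Example\updater.exe" /quiet', "Image": r"C:\Program Files\Example\setup.exe"},
    # not an autostart location at all (constructed)
    {"TargetObject": CV + r"\Explorer\Shell Folders\Desktop", "Details": r"C:\Users\Admin\Desktop",
     "Image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.score}] {f.key}\\{f.value_name} = {f.data!r} by {f.writer}: {'; '.join(f.reasons)}")
```

Run as a script it prints one scored line per autostart write; the four rows from the report each score 3 while the constructed installer entry scores 1 and the Shell Folders write is ignored. The score is just a count of independent reasons, which is enough to sort a day's worth of Event ID 13 records; a production rule would add an allow-list keyed on the canonical key and value name.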

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe N/A
File opened for modification C:\Windows\dev22FB.tmp C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe N/A
File opened for modification C:\Windows\dev22FB.tmp C:\WINDOWS\MSWDM.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 1824 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe C:\WINDOWS\MSWDM.EXE
PID 2132 wrote to memory of 1816 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe C:\WINDOWS\MSWDM.EXE
PID 1816 wrote to memory of 2608 (4 calls) N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE
PID 1816 wrote to memory of 2760 (4 calls) N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE

Processes

Tree reconstructed from the WriteProcessMemory parent/child pairs above; the -r! instance of MSWDM.EXE is the one that spawns the two grandchildren.

C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe (PID 2132)
  "C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe"

    C:\WINDOWS\MSWDM.EXE (PID 1824)
      "C:\WINDOWS\MSWDM.EXE"

    C:\WINDOWS\MSWDM.EXE (PID 1816)
      -r!C:\Windows\dev22FB.tmp!C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe! !

        C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE (PID 2608)

        C:\WINDOWS\MSWDM.EXE (PID 2760)
          -e!C:\Windows\dev22FB.tmp!C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE!
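Sandbox exports flatten the process tree, but the "wrote to memory of" table keeps the parent/child pairs, so the tree can be rebuilt mechanically and the MSWDM.EXE arguments decoded in the same pass. The following is an added example (not part of the report or the sample's code): WPM_ROWS and CMDLINES copy the win7 run above, with the repeated rows kept as the sandbox logged them; assigning the two MSWDM.EXE command lines to PIDs 1824 and 1816 follows the tree order of the Processes list, where the "-r!" instance is the one with children. The meaning of the mode letters and of the trailing " !" is not given in the report; the parser only splits the "!"-delimited structure it shows.

```python
"""Rebuild a detonation's process tree from the 'wrote to memory of' table and
decode the MSWDM.EXE re-launch arguments.

Added example, not part of the report. WPM_ROWS/CMDLINES copy the win7 run;
the PID-to-command-line mapping for the two MSWDM.EXE children follows the
tree order of the report's Processes list.
"""
from collections import Counter, OrderedDict
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe"
SAMPLE_UPPER = r"C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE"
MSWDM = r"C:\WINDOWS\MSWDM.EXE"
TMP = r"C:\Windows\dev22FB.tmp"

# (parent_pid, child_pid, parent_image, child_image), one row per logged call;
# the repeats are exactly what the report's WriteProcessMemory table shows.
WPM_ROWS = (
    [(2132, 1824, SAMPLE, MSWDM)] * 4
    + [(2132, 1816, SAMPLE, MSWDM)] * 4
    + [(1816, 2608, MSWDM, SAMPLE_UPPER)] * 4
    + [(1816, 2760, MSWDM, MSWDM)] * 4
)

CMDLINES = {
    2132: f'"{SAMPLE}"',
    1824: f'"{MSWDM}"',
    1816: f"-r!{TMP}!{SAMPLE}! !",
    2608: SAMPLE_UPPER,  # the report lists no separate command line for this one
    2760: f"-e!{TMP}!{SAMPLE_UPPER}!",
}


def build_tree(rows):
    """Return (roots, children, images, write_counts) from parent/child rows.

    Edges are deduplicated in first-seen order; write_counts keeps how many
    WriteProcessMemory calls the sandbox logged per edge.
    """
    children = OrderedDict()
    images = {}
    write_counts = Counter()
    for ppid, cpid, pimg, cimg in rows:
        images[ppid], images[cpid] = pimg, cimg
        write_counts[(ppid, cpid)] += 1
        children.setdefault(ppid, [])
        children.setdefault(cpid, [])
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in all_children]
    return roots, children, images, write_counts


def parse_mswdm_args(cmdline: str) -> Optional[dict]:
    """Decode '-r!<tmp>!<host>! !' / '-e!<tmp>!<host>!' into its fields.

    Returns None for anything that is not a '-<mode>!...' string with at least
    a tmp and a host field (empty and whitespace-only fields are ignored).
    """
    if not cmdline.startswith("-") or cmdline.count("!") < 2:
        return None
    mode, *fields = cmdline.split("!")
    fields = [f for f in fields if f.strip()]
    if len(fields) < 2:
        return None
    return {"mode": mode, "tmp": fields[0], "host": fields[1]}


def render(roots, children, images, write_counts, cmdlines, pid=None, depth=0):
    """Indented text tree, one line per process, annotated with decoded args."""
    lines = []
    for p in (roots if pid is None else children[pid]):
        line = f"{'    ' * depth}{p} {images[p]}"
        if pid is not None:
            line += f"  [{write_counts[(pid, p)]} WPM calls from {pid}]"
        args = parse_mswdm_args(cmdlines.get(p, ""))
        if args:
            line += f"  mode={args['mode']} tmp={args['tmp']} host={args['host']}"
        lines.append(line)
        lines.extend(render(roots, children, images, write_counts, cmdlines, p, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(*build_tree(WPM_ROWS), CMDLINES)))
```

The same functions apply unchanged to the win10 run by swapping in its PIDs (932, 3224, 1268, 852, 3360) and dev56EA.tmp; the decoded host fields give the two files worth diffing against the submitted sample, namely the .tmp and the upper-cased copy under %TEMP%.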

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 - udp
N/A 10.255.255.255:78 - udp
N/A 10.127.0.255:78 - udp

The three destinations are the directed-broadcast addresses of the sandbox's 10.127.0.0/24, 10.127.0.0/16 and 10.0.0.0/8 ranges; no unicast or external endpoint was contacted in this run, and the report does not attribute the datagrams to a process.

Files

memory/2132-1-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\dev22FB.tmp

MD5 977e405c109268909fd24a94cc23d4f0
SHA1 af5d032c2b6caa2164cf298e95b09060665c4188
SHA256 cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f
SHA512 12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

C:\WINDOWS\MSWDM.EXE

MD5 c06d2bf4e02efc8301ffdee923381cfd
SHA1 5ceea66714bd6040a2a57baa7e9eccd2b64e994a
SHA256 3e7a32d9723e43ce05931b8b79f4fb8ec5eee0eafed7d4d7a635e9d5d4da5e87
SHA512 0f1eb53c4bf4246614141adcf351bec9778373e4f6cf9700dc5ad00cd29b767ee1c0eb8d81b174890ddbcea39155895b6cb99681c3d20573faebd315628f3cf6

memory/1824-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1816-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2132-12-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1816-31-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE

MD5 554d94d73191bf6f1cc238ea0a788f03
SHA1 26ff50e8fbe8a951ef32167f82fbec06812e0b57
SHA256 8f250fe85defde3e8d8c32c3cda627987dba5d54ac9b05691a718f3d1968e8a9
SHA512 a1d45f05e04895dc3f6e366e38d6480b49d89dedb3d63bef1c17a0d8e71d15ce6831a58ada4eabd5595d8f64d7f98d88bdfb28a55e3fcba5d1af7d88c99a9f8f

memory/2760-28-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1824-32-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:44

Reported

2024-06-03 05:47

Platform

win10v2004-20240508-en

Max time kernel

21s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe N/A
File opened for modification C:\Windows\dev56EA.tmp C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe N/A
File opened for modification C:\Windows\dev56EA.tmp C:\WINDOWS\MSWDM.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 932 wrote to memory of 3224 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe C:\WINDOWS\MSWDM.EXE
PID 932 wrote to memory of 1268 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe C:\WINDOWS\MSWDM.EXE
PID 1268 wrote to memory of 852 (2 calls) N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE
PID 1268 wrote to memory of 3360 (3 calls) N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE

Processes

Tree reconstructed from the WriteProcessMemory parent/child pairs above; the -r! instance of MSWDM.EXE is the one that spawns the two grandchildren.

C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe (PID 932)
  "C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe"

    C:\WINDOWS\MSWDM.EXE (PID 3224)
      "C:\WINDOWS\MSWDM.EXE"

    C:\WINDOWS\MSWDM.EXE (PID 1268)
      -r!C:\Windows\dev56EA.tmp!C:\Users\Admin\AppData\Local\Temp\f9f01a74a891edaf7a7753992f12dccab85d88c0f5c5ee4203fa4bdda621e32f.exe! !

        C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE (PID 852)

        C:\WINDOWS\MSWDM.EXE (PID 3360)
          -e!C:\Windows\dev56EA.tmp!C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE!

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 - udp
N/A 10.255.255.255:78 - udp
US 8.8.8.8:53 255.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 255.255.255.10.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 10.127.0.255:78 - udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

The UDP/78 rows are the same local directed broadcasts as in the win7 run. The PTR queries to 8.8.8.8 (two of them reverse lookups of those broadcast addresses) and the www.bing.com TLS connection are consistent with Windows 10 background activity; the report attributes no flow to a process, so none of these is a usable network indicator without further confirmation.

Files

memory/932-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 c06d2bf4e02efc8301ffdee923381cfd
SHA1 5ceea66714bd6040a2a57baa7e9eccd2b64e994a
SHA256 3e7a32d9723e43ce05931b8b79f4fb8ec5eee0eafed7d4d7a635e9d5d4da5e87
SHA512 0f1eb53c4bf4246614141adcf351bec9778373e4f6cf9700dc5ad00cd29b767ee1c0eb8d81b174890ddbcea39155895b6cb99681c3d20573faebd315628f3cf6

C:\Windows\dev56EA.tmp

MD5 977e405c109268909fd24a94cc23d4f0
SHA1 af5d032c2b6caa2164cf298e95b09060665c4188
SHA256 cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f
SHA512 12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

memory/932-12-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1268-11-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3224-10-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3360-21-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F9F01A74A891EDAF7A7753992F12DCCAB85D88C0F5C5EE4203FA4BDDA621E32F.EXE

MD5 5fc98b85cef86ea19cf281688e7f6a6e
SHA1 35dfddd4e196d448a1d9f135ebbe2ba35cba1480
SHA256 255b1c1bdd15f4744dd6a05299204ef6e71cc7a0232de6b9edf568193f09ce4b
SHA512 4177b045bc0f20b6ea5bdfc0d6d374f5d7a3d8e1d99f2ee4a8c7b5e3e61b34e51367ff887b649338ab98b877e0460e920aea46b93e43fa8e67464c82de4caef7

memory/1268-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3224-25-0x0000000000400000-0x000000000041B000-memory.dmp