Malware Analysis Report

2025-08-05 16:32

Sample ID 240611-cxngja1frq
Target b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48
SHA256 b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48

Threat Level: Known bad

The file b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48 was found to be: Known bad.

Malicious Activity Summary

persistence

UPX dump on OEP (original entry point)

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 02:27

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 02:27

Reported

2024-06-11 02:30

Platform

win7-20240419-en

Max time kernel

19s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe N/A
File opened for modification C:\Windows\dev15C2.tmp C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1392 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 1392 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 1392 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 1392 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 1392 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 1392 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 1392 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 1392 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 2024 wrote to memory of 2772 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
PID 2024 wrote to memory of 2772 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
PID 2024 wrote to memory of 2772 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
PID 2024 wrote to memory of 2772 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
PID 2024 wrote to memory of 2728 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 2024 wrote to memory of 2728 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 2024 wrote to memory of 2728 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 2024 wrote to memory of 2728 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe

"C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev15C2.tmp!C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe! !

C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev15C2.tmp!C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE!

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 N/A udp
N/A 10.255.255.255:78 N/A udp
N/A 10.127.0.255:78 N/A udp

Files

memory/1392-0-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1392-12-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe (as left on disk after detonation; the hashes below no longer match the submitted SHA256, so the sample rewrote its own image)

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Windows\MSWDM.EXE

MD5 8281630c34398a6569e720407a61ca05
SHA1 d983308e8fe1bab035342cd8d2ddc63cd9ce1ac0
SHA256 8f0e45e4b02d7e47c2a82eaf263756167dbc07fb1e50eaf7f8f0b232d4d097e0
SHA512 483fab964c6e7899af972bc14101ef225722ff09f544ab2e2dc37f0af781c20b3a526610922c0fe2a1d7dc53ffc7ee0ee6a030bc73b1f2b35f7ea36568945187

memory/2024-14-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2024-28-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2728-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2260-29-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 02:27

Reported

2024-06-11 02:30

Platform

win10v2004-20240426-en

Max time kernel

30s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe N/A
File opened for modification C:\Windows\dev632E.tmp C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe N/A
File opened for modification C:\Windows\dev632E.tmp C:\WINDOWS\MSWDM.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 404 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 404 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 404 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 404 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 404 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe C:\WINDOWS\MSWDM.EXE
PID 2788 wrote to memory of 800 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
PID 2788 wrote to memory of 800 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
PID 2788 wrote to memory of 5040 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 2788 wrote to memory of 5040 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 2788 wrote to memory of 5040 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe

"C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev632E.tmp!C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe! !

C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev632E.tmp!C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE!

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 N/A udp
N/A 10.255.255.255:78 N/A udp
N/A 10.127.1.255:78 N/A udp
US 8.8.8.8:53 255.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 255.255.255.10.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

The first two reverse lookups resolve the broadcast addresses the sample sends to on udp/78; the remaining in-addr.arpa queries target public addresses and are Windows background traffic on the sandbox rather than activity attributable to the sample.

Files

memory/404-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 8281630c34398a6569e720407a61ca05
SHA1 d983308e8fe1bab035342cd8d2ddc63cd9ce1ac0
SHA256 8f0e45e4b02d7e47c2a82eaf263756167dbc07fb1e50eaf7f8f0b232d4d097e0
SHA512 483fab964c6e7899af972bc14101ef225722ff09f544ab2e2dc37f0af781c20b3a526610922c0fe2a1d7dc53ffc7ee0ee6a030bc73b1f2b35f7ea36568945187

memory/404-9-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\dev632E.tmp

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

memory/2788-11-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3456-10-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe (as left on disk after detonation; the hashes below match neither the submitted SHA256 nor the behavioral1 copy, so the sample rewrote its own image again)

MD5 5761559e4f8a3b6eb23b19adaa77ce03
SHA1 9b7497876f209b9e74df687c52e346dbf25b0e84
SHA256 a8c2949e0198a3c0a3b8672774a7abd7bbee08e4c937e4eea636bf8c9fe67ca2
SHA512 db91f61871f868fb9be38481d043d7bfb645b62322cf33b6f2c17b9de4830b1df48cfd554e9f1ca8ddadaeb9747342a371145df440a756c7c62212272a34f562

memory/5040-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2788-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3456-25-0x0000000000400000-0x000000000041B000-memory.dmp