Malware Analysis Report

2025-08-10 22:12

Sample ID 240614-blv7kashrm
Target 445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe
SHA256 445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0
Tags
score
5/10

Analysis Overview

score
5/10

SHA256

445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0

Threat Level: Likely benign

The file 445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe was found to be: Likely benign.

Malicious Activity Summary

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:14

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:14

Reported

2024-06-14 01:17

Platform

win7-20240611-en

Max time kernel

150s

Max time network

126s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2100 set thread context of 2128 N/A C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe C:\Windows\SysWOW64\svchost.exe
PID 2128 set thread context of 1268 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2128 set thread context of 2968 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\write.exe
PID 2968 set thread context of 1268 N/A C:\Windows\SysWOW64\write.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe

"C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe"

C:\Windows\SysWOW64\write.exe

"C:\Windows\SysWOW64\write.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\scroll

MD5 db6785e9322897354fe19bf85d0ac3d4
SHA1 40a149185c562422409a323009dde774174be772
SHA256 4cd0ce24b2b2e0bca5066c5469ecba0a84dbebc4f49f27f15abba3e8e49d3cfb
SHA512 e6e803398d25093b291f29908c6588a8f096a2e12645489ac52d2d1a52d56d482ef9d3952b80fe4b8d19472d774bc240b5e9a3c18b500ef8613a1b5d1e506077

memory/2100-11-0x0000000000150000-0x0000000000154000-memory.dmp

memory/2128-12-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2128-13-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2128-14-0x0000000000AC0000-0x0000000000DC3000-memory.dmp

memory/2128-15-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2128-16-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2128-17-0x00000000001E0000-0x0000000000204000-memory.dmp

memory/1268-18-0x0000000008D20000-0x0000000009635000-memory.dmp

memory/2968-19-0x00000000000C0000-0x00000000000FF000-memory.dmp

memory/2968-20-0x00000000000C0000-0x00000000000FF000-memory.dmp

memory/2128-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2128-22-0x00000000001E0000-0x0000000000204000-memory.dmp

memory/2968-23-0x0000000002070000-0x0000000002373000-memory.dmp

memory/2968-24-0x00000000000C0000-0x00000000000FF000-memory.dmp

memory/2968-25-0x00000000007F0000-0x0000000000893000-memory.dmp

memory/1268-26-0x0000000008D20000-0x0000000009635000-memory.dmp

memory/2968-27-0x00000000000C0000-0x00000000000FF000-memory.dmp

memory/2968-28-0x00000000007F0000-0x0000000000893000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:14

Reported

2024-06-14 01:17

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 416 set thread context of 1924 N/A C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe C:\Windows\SysWOW64\svchost.exe
PID 1924 set thread context of 3400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 1924 set thread context of 3620 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\write.exe
PID 3620 set thread context of 3400 N/A C:\Windows\SysWOW64\write.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A
N/A N/A C:\Windows\SysWOW64\write.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe

"C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0.exe"

C:\Windows\SysWOW64\write.exe

"C:\Windows\SysWOW64\write.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.am1-728585.com udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 www.witoharmuth.com udp
US 8.8.8.8:53 www.magnoliahairandco.com udp
US 8.8.8.8:53 www.binpvae.lol udp
US 8.8.8.8:53 www.duzane.com udp

Files

C:\Users\Admin\AppData\Local\Temp\aut4BBE.tmp

MD5 db6785e9322897354fe19bf85d0ac3d4
SHA1 40a149185c562422409a323009dde774174be772
SHA256 4cd0ce24b2b2e0bca5066c5469ecba0a84dbebc4f49f27f15abba3e8e49d3cfb
SHA512 e6e803398d25093b291f29908c6588a8f096a2e12645489ac52d2d1a52d56d482ef9d3952b80fe4b8d19472d774bc240b5e9a3c18b500ef8613a1b5d1e506077

memory/416-12-0x0000000001F90000-0x0000000001F94000-memory.dmp

memory/1924-13-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1924-14-0x0000000000E00000-0x000000000114A000-memory.dmp

memory/1924-15-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1924-16-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1924-17-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1924-18-0x0000000002960000-0x0000000002984000-memory.dmp

memory/3400-19-0x000000000E220000-0x000000000F9B1000-memory.dmp

memory/3620-20-0x0000000000530000-0x000000000056F000-memory.dmp

memory/3620-21-0x0000000000530000-0x000000000056F000-memory.dmp

memory/1924-23-0x0000000002960000-0x0000000002984000-memory.dmp

memory/1924-22-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3620-24-0x0000000002630000-0x000000000297A000-memory.dmp

memory/3620-25-0x0000000000530000-0x000000000056F000-memory.dmp

memory/3620-26-0x0000000002530000-0x00000000025D3000-memory.dmp

memory/3400-27-0x000000000E220000-0x000000000F9B1000-memory.dmp

memory/3620-28-0x0000000000530000-0x000000000056F000-memory.dmp

memory/3400-30-0x0000000002F60000-0x0000000003058000-memory.dmp

memory/3400-31-0x0000000002F60000-0x0000000003058000-memory.dmp