Malware Analysis Report

2025-03-15 01:15

Sample ID: 240614-cpvwmsvhml
Target: a283db04904b9d8eae5c34026a062ce0.bin
SHA256: 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
Threat Level: Likely malicious

The file a283db04904b9d8eae5c34026a062ce0.bin was found to be: Likely malicious.

Malicious Activity Summary

Modifies AppInit DLL entries (persistence)
Loads dropped DLL
Deletes itself
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory

"Loads dropped DLL" and "Suspicious use of WriteProcessMemory" appear only in this aggregate summary; neither behavioral run below lists a matching signature or indicator, so from this report alone they cannot be tied to a specific process or file.
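The host check below is an added example, not sandbox output or code from the report. It reads the AppInit_DLLs configuration from both registry views, checks whether the files this report says were dropped into SysWOW64 are present (comparing the EXE against the report's SHA256), and looks for the dropped DLL in the module lists of running processes. The registry paths and value names are the documented AppInit_DLLs locations; the file paths and SHA256 are the IOCs from this report; the function names and output fields are the editor's.

```powershell
# Added example (not part of the sandbox report). Run from an elevated PowerShell prompt.
# Function names and output fields are the editor's; paths/hashes are this report's IOCs.

function Get-AppInitDllConfig {
    # Both registry views matter: a 32-bit (WoW64) dropper that writes to
    # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows is redirected to Wow6432Node.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Key                       = $key
            AppInit_DLLs              = $p.AppInit_DLLs
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs
        }
    }
}

function Test-ReportIocs {
    # The dropped EXE has the same SHA256 as the submitted sample (it is a copy of itself);
    # the sandbox captured no hash for the DLL, so only its presence can be checked.
    $iocs = @(
        @{ Path = 'C:\Windows\SysWOW64\qanhllaok.exe'
           Sha256 = '026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa' },
        @{ Path = 'C:\Windows\SysWOW64\qanhllao.dll'; Sha256 = $null }
    )
    foreach ($ioc in $iocs) {
        $present = Test-Path -LiteralPath $ioc.Path -PathType Leaf
        $hash = $null
        $match = $null
        if ($present) {
            $hash = (Get-FileHash -LiteralPath $ioc.Path -Algorithm SHA256).Hash
            if ($ioc.Sha256) { $match = ($hash -ieq $ioc.Sha256) }
        }
        [pscustomobject]@{ Path = $ioc.Path; Present = $present; Sha256 = $hash; MatchesReport = $match }
    }
}

function Find-LoadedModule {
    param([string]$Name = 'qanhllao.dll')
    # Module enumeration throws for some processes (protected processes, cross-bitness);
    # those errors are swallowed so the scan continues.
    foreach ($proc in Get-Process) {
        try {
            foreach ($m in $proc.Modules) {
                if ($m.ModuleName -ieq $Name) {
                    [pscustomobject]@{ ProcessId = $proc.Id; Process = $proc.ProcessName; Module = $m.FileName }
                }
            }
        } catch { }
    }
}

Get-AppInitDllConfig | Format-List
Test-ReportIocs      | Format-Table -AutoSize
Find-LoadedModule    | Format-Table -AutoSize
```

AppInit_DLLs is honored only when LoadAppInit_DLLs is 1, and on Windows 8 and later the mechanism is disabled entirely when Secure Boot is enabled; where it is active and RequireSignedAppInit_DLLs is 0, every DLL listed is loaded into each process that loads user32.dll, which is what makes the "Modifies AppInit DLL entries" signature a persistence finding rather than a curiosity.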

MITRE ATT&CK

Enterprise Matrix V15

The sandbox page lists no technique IDs; the following mapping is added from the signature names:

Persistence: Event Triggered Execution: AppInit DLLs (T1546.010), from "Modifies AppInit DLL entries".
Defense Evasion: Indicator Removal: File Deletion (T1070.004), from "Deletes itself", attributed in both runs to cmd.exe running the dropped .bat.

Analysis: static1

Detonation Overview

Reported: 2024-06-14 02:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 02:15
Reported: 2024-06-14 02:18
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"

Signatures

Modifies AppInit DLL entries (persistence)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\qanhllaok.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\qanhllao.dll | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A
File created | C:\Windows\SysWOW64\qanhllaok.exe | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A
File opened for modification | C:\Windows\SysWOW64\qanhllaok.exe | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe
    "C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"

C:\Windows\SysWOW64\qanhllaok.exe
    C:\Windows\system32\qanhllaok.exe [argument is a non-printable byte sequence, mangled in the report]

C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat

The image paths are recorded under SysWOW64 while the command lines name system32. This is consistent with a 32-bit sample running under WoW64, where file system redirection maps accesses to C:\Windows\system32 onto C:\Windows\SysWOW64; the dropped files therefore land in SysWOW64, not in the native System32 directory.
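Both runs show cmd.exe launched with /c <sample path>.bat, and the sandbox attributes the "Deletes itself" signature to that cmd.exe process. The function below, an added example rather than anything from the report, hunts for the same launch pattern in Security event 4688 (process creation) on other hosts. It assumes process creation auditing with command-line logging is enabled (without it the 4688 message carries no command line and nothing matches); the regular expression, function name and parameter are the editor's.

```powershell
# Added example (not part of the sandbox report). Reading the Security log requires elevation.
# Assumes "Audit Process Creation" plus "Include command line in process creation events".

function Find-SelfDeleteBatch {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Matches the observed forms:
    #   cmd /c C:\Users\Admin\AppData\Local\Temp\<name>.exe.bat            (Windows 7 run)
    #   C:\Windows\system32\cmd.exe /c C:\Users\Admin\...\<name>.exe.bat    (Windows 10 run)
    $pattern = '(?i)cmd(\.exe)?"?\s+/c\s+"?(?<bat>[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\s"]+\.exe\.bat)'
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Match against the rendered message so the field index of "Process Command Line"
        # does not matter across Windows versions.
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                BatchFile   = $Matches['bat']
                RecordId    = $_.RecordId
            }
        }
    }
}

Find-SelfDeleteBatch -Days 7 | Format-Table -AutoSize
```

A hit gives the batch file path and the event record to pivot from (parent process, user, logon ID). The batch file itself is normally gone by the time anyone looks, which is the point of the technique, so the 4688 record or a Sysmon process-creation event is usually the only durable trace.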

Network

N/A

Files

C:\Windows\SysWOW64\qanhllaok.exe

MD5 a283db04904b9d8eae5c34026a062ce0
SHA1 3b4aa391b874eff540aa6c4e0e8c723e9b898bfd
SHA256 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
SHA512 2a405cbf9a073360dd0be2cdd8a783f37aa3fccff0d7a0e6688cf3f4a806b79f74d8177dbbef6f484ed4213195f75635af227ad20b702b155f35dde54909b600

These hashes are identical to the submitted sample's (MD5 a283db04904b9d8eae5c34026a062ce0, SHA256 026c43d2...), so qanhllaok.exe is a byte-for-byte copy of the sample rather than a distinct payload. No hash was recorded for the dropped qanhllao.dll.

C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat

MD5 4e86e0288408cefe8566776a5f434f7d
SHA1 7b98b6172199ce8a488b3c90adbf831237f14b7e
SHA256 81a5199a6bcea60e07a05466e28c16ebce91815d9a6924b7c2fd6fae15893044
SHA512 54c1b9b20ccc28a5a8bd365bfbe2b79b2ef6f219e804f965fcb70cfba13975bad44140f7554b3771b815cc63d88805a0c322d29f6cff6c77eb4733b804e7518c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 02:15
Reported: 2024-06-14 02:18
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"

Signatures

Modifies AppInit DLL entries (persistence)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\qanhllaok.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\qanhllao.dll | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A
File created | C:\Windows\SysWOW64\qanhllaok.exe | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A
File opened for modification | C:\Windows\SysWOW64\qanhllaok.exe | C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe
    "C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe"

C:\Windows\SysWOW64\qanhllaok.exe
    C:\Windows\system32\qanhllaok.exe [argument is a non-printable byte sequence, mangled in the report]

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat

As in the Windows 7 run, the image paths are under SysWOW64 while the command lines name system32, consistent with a 32-bit sample subject to WoW64 file system redirection. Note that "Deletes itself" is not listed among this run's signatures even though the same cmd /c ...exe.bat launch is present.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp

The report does not attribute these flows to a process. Connections to bing.com endpoints and a burst of PTR (in-addr.arpa) lookups are consistent with Windows 10 background activity in the sandbox, and the Windows 7 run (behavioral1) recorded no network traffic at all; treat them as unconfirmed rather than as command-and-control indicators for this sample.

Files

C:\Windows\SysWOW64\qanhllaok.exe

MD5 a283db04904b9d8eae5c34026a062ce0
SHA1 3b4aa391b874eff540aa6c4e0e8c723e9b898bfd
SHA256 026c43d29fbbe2635acb6815ae80a223174b5aba93f7d2c01f16745782101bfa
SHA512 2a405cbf9a073360dd0be2cdd8a783f37aa3fccff0d7a0e6688cf3f4a806b79f74d8177dbbef6f484ed4213195f75635af227ad20b702b155f35dde54909b600

Same hashes as the submitted sample: the dropped EXE is a copy of the sample itself. No hash was recorded for qanhllao.dll.

C:\Users\Admin\AppData\Local\Temp\a283db04904b9d8eae5c34026a062ce0.exe.bat

MD5 4e86e0288408cefe8566776a5f434f7d
SHA1 7b98b6172199ce8a488b3c90adbf831237f14b7e
SHA256 81a5199a6bcea60e07a05466e28c16ebce91815d9a6924b7c2fd6fae15893044
SHA512 54c1b9b20ccc28a5a8bd365bfbe2b79b2ef6f219e804f965fcb70cfba13975bad44140f7554b3771b815cc63d88805a0c322d29f6cff6c77eb4733b804e7518c