Malware Analysis Report

2025-06-16 06:39

Sample ID 240825-l658da1akm
Target 3e5165aeda9ff532d44c0b2a85da72c0N.exe
SHA256 56217fbcfcdcddb213a05093c6b65587a98f96dd46ea819273dcf1db50bfba89
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

56217fbcfcdcddb213a05093c6b65587a98f96dd46ea819273dcf1db50bfba89

Threat Level: Shows suspicious behavior

The file 3e5165aeda9ff532d44c0b2a85da72c0N.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Deletes itself

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 10:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:11

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

"C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe"

C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.214.163:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp

Files

memory/2396-0-0x0000000000400000-0x00000000004ED000-memory.dmp

\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

MD5 6a06b5a3c823a63cc9db02f22d961501
SHA1 4e5cb3409cb6249d2f564db18f10fede528f5aeb
SHA256 1d4dedcdc2778ced3a98923749ed79092210a4240376f0481ef4d3cd20cb2d08
SHA512 ae5c7e20666a0161ab39b1a788f136a37ff5c08504be4d9b18f9af73e419eca63dc1b767bab469e86a3fcf278a94e3be98090c7314f887c1620c2dd612b018a9

memory/2396-6-0x0000000002E90000-0x0000000002F7D000-memory.dmp

memory/2872-10-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/2396-8-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/2872-12-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/2872-17-0x0000000002CF0000-0x0000000002DDD000-memory.dmp

memory/2872-33-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2872-39-0x00000000066D0000-0x0000000006773000-memory.dmp

memory/2872-40-0x0000000000400000-0x00000000004ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:11

Platform

win10v2004-20240802-en

Max time kernel

104s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

"C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 344

C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 1536

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.214.163:80 c.pki.goog tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/3300-0-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/3300-7-0x0000000000400000-0x00000000004ED000-memory.dmp

memory/2012-6-0x0000000000400000-0x00000000004ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3e5165aeda9ff532d44c0b2a85da72c0N.exe

MD5 6312d7d1f0874f3510bbeb6a899a234f
SHA1 c0b475a68085b10c49023b0ea6fd3bdc607333b4
SHA256 59d38bcc7fa2cd36c052cae065762fad69a4f35a58d74dfa8dc8e96348251b7d
SHA512 3db7c8a55444f6dda61e22cc15465813a88dbf214437b8cf08f64f090089b32b0da72bfe6ddc0d2552740830507a015e9894986121e85cc6b767f6bebd68916c

memory/2012-8-0x0000000004E70000-0x0000000004F5D000-memory.dmp

memory/2012-9-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/2012-21-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2012-27-0x000000000B9B0000-0x000000000BA53000-memory.dmp

memory/2012-28-0x0000000000400000-0x00000000004ED000-memory.dmp