Malware Analysis Report

2025-05-06 00:40

Sample ID: 241109-1fvfhssjbt
Target: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N
SHA256: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1

Threat Level: Shows suspicious behavior

The file 2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N was found to show suspicious behavior.

Malicious Activity Summary

discovery

Deletes itself

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 21:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 21:35
Reported: 2024-11-09 21:38
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8759.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8759.tmp | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe

"C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe"

C:\Users\Admin\AppData\Local\Temp\8759.tmp

"C:\Users\Admin\AppData\Local\Temp\8759.tmp" --splashC:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe B2FDF4A9BC336CF73A5A9740013E82DE7A064F4726EE0DECFC463CA2B59F5D60AB86CE0282123F30FEDD32402F715BEB6E5D40635000D1127A7BAD22795D6545

Network

N/A

Files

memory/2124-0-0x0000000000400000-0x0000000000849000-memory.dmp

\Users\Admin\AppData\Local\Temp\8759.tmp

MD5 4a361c2133e7d08b7d9f50fba3807206
SHA1 b112f40e37606350d1147c8cf5eab0cfb45ff807
SHA256 6102479a7f626ac32b1c7537f1b2ea074c3b0a9e6de6ee08a1d3a6bc873bece1
SHA512 ce8281680e5715e469b782f16179daccdf6b1685921492a5b4e34636c1cfe44cf5510949d760931cb874b9e38edb324c020822e829dd5aa08b10df39df23d742

memory/2004-9-0x0000000000400000-0x0000000000849000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 21:35
Reported: 2024-11-09 21:38
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ACB.tmp | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe

"C:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe"

C:\Users\Admin\AppData\Local\Temp\8ACB.tmp

"C:\Users\Admin\AppData\Local\Temp\8ACB.tmp" --splashC:\Users\Admin\AppData\Local\Temp\2e151653fadb1064475b85ba48ecfa3809fe0475f5c11fcdd229d0a7c2a161d1N.exe 5801788DF0E758572BCA325F42B460B21612BBA1252C9A03704E3225F0AB93877132693E6C327102A2AF256AA3BE5913B860DB99B5E972D2EFA8F3B27A29ED0C

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/1384-0-0x0000000000400000-0x0000000000849000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8ACB.tmp

MD5 43059ac88567bf5fa9d40eeb41d796a8
SHA1 f79376c5cefe73dbd824fd82dcf61dcc21daed93
SHA256 fd619d55766168fed7289775ba8f9865ce19d7a5128dcc7a6853ff06166ccd68
SHA512 3346cebde2d7348401cd36994d56214b64e72d3815f17bd450ab7dc1ae1950e1bb24b902cd24d33e72ca77fd41f00c0c6e1d745a193d1a1cf3211f4b49d68e81

memory/2544-5-0x0000000000400000-0x0000000000849000-memory.dmp