Malware Analysis Report

2025-04-03 12:17

Sample ID 241109-29sdpathrr
Target d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N
SHA256 d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217

Threat Level: Shows suspicious behavior

The file d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N was found to show suspicious behavior.

Malicious Activity Summary

discovery

Deletes itself

Loads dropped DLL

Executes dropped EXE

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:17

Reported

2024-11-09 23:19

Platform

win7-20240903-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe

"C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe"

C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe

C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe

Network

N/A

Files

memory/2108-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2056-10-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe

MD5 569457bbcb17d66e889c771feed83f20
SHA1 0d00687239a3921327d56f8c936a0efe02760740
SHA256 eb7c33e9d417c902c44d55ae15cf7b0bff41de2651b7978e31e4232fce9f6063
SHA512 2f3f60b5c328dd9279837bd8633522c6ba01eff2d08742a6db864248fcfb764a0edebc8f87062e3dfead0562ed5c9628b66d6df9535579f2a02f5115e3578ef8

memory/2056-11-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2056-16-0x00000000001E0000-0x000000000021F000-memory.dmp

memory/2108-8-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2056-17-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 23:17

Reported

2024-11-09 23:19

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe

"C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1200 -ip 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 396

C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe

C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 368

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1200-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d4db2361234991fbaa986b93f475468e6f343b5cf35bb193e27c7a360adcc217N.exe

MD5 0afda532c1634b9355ac08fc388c346e
SHA1 15532e223061969e93c3a756638d5d5f5e0b4e0c
SHA256 ea63cd6bc9144b9c3c5970feee7d2efbdaff30fe39fd232f91d1f3bad59ed48e
SHA512 831ab184257c0ac116386ed101fe4309de6e1939dc08db4abc09a6ce6cf123e49ef265f1228c43f07a8e3592c8837d3e373f50e8c68b29239bf6f1189ddc13fe

memory/4544-6-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1200-7-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4544-13-0x00000000014A0000-0x00000000014DF000-memory.dmp

memory/4544-8-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4544-14-0x0000000000400000-0x000000000043F000-memory.dmp