Malware Analysis Report

2025-05-06 01:12

Sample ID 241109-z5g12s1qb1
Target c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N
SHA256 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2
Tags
discovery
score
7/10


Analysis Overview

score
7/10

SHA256

c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2

Threat Level: Shows suspicious behavior

The file c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N was found to show suspicious behavior.

Malicious Activity Summary

discovery

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:17

Reported

2024-11-09 21:19

Platform

win7-20240903-en

Max time kernel

15s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe

"C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe"

C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe

C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe

Network

N/A

Files

memory/2204-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2204-1-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2204-9-0x0000000000140000-0x0000000000173000-memory.dmp

\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe

MD5 e4c89dc028b820d4a44cb70d69d1e582
SHA1 7de95dd2cc625b980aa0fb5c8d19a21b02910c2b
SHA256 56eae82ae149ed712dcf7bbea1136013a7f892fff740712d75cb9231fdba881c
SHA512 9f213c577d2f948424eabf78558ff1382643ffe7f1e154af4e478c551014c59492abb51e9ac9d576e1baee430108c2060e68fb793947a5f88a202586f0b5fd57

memory/2204-12-0x0000000000230000-0x0000000000263000-memory.dmp

memory/2204-17-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1928-24-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1928-18-0x0000000000140000-0x0000000000173000-memory.dmp

memory/1928-29-0x00000000001B0000-0x00000000001CB000-memory.dmp

memory/1928-30-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:17

Reported

2024-11-09 21:19

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe

"C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe"

C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe

C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe

Network

Country | Destination | Domain                        | Proto
US      | 8.8.8.8:53  | 8.8.8.8.in-addr.arpa          | udp
US      | 8.8.8.8:53  | 97.17.167.52.in-addr.arpa     | udp
US      | 8.8.8.8:53  | 83.210.23.2.in-addr.arpa      | udp
US      | 8.8.8.8:53  | 22.160.190.20.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 95.221.229.192.in-addr.arpa   | udp
US      | 8.8.8.8:53  | 154.239.44.20.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 212.20.149.52.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 198.187.3.20.in-addr.arpa     | udp
US      | 8.8.8.8:53  | 98.117.19.2.in-addr.arpa      | udp
US      | 8.8.8.8:53  | 88.210.23.2.in-addr.arpa      | udp
US      | 8.8.8.8:53  | 69.208.201.84.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 11.227.111.52.in-addr.arpa    | udp

Files

memory/4784-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4784-1-0x0000000001440000-0x0000000001473000-memory.dmp

memory/4784-2-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4784-11-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe

MD5 363bc524dc7faeb181c78f09478d8d06
SHA1 2f616a00bc82f3f23782ea09c7f24e15e51becac
SHA256 1cce528acd7133fc3c8b9c10e66d66bad2a7b2a3179b6e51d6abad5e3f82ea75
SHA512 e741ca7756e5cf0b1ea1285edaaf074f74caf42bc25bdb15fe8b2fbdb88493bf913911fc7bd5810e0e966b7397c0a3a5850ec3bdc5c6848a6fc8ce08c7d158e5

memory/628-13-0x0000000000400000-0x0000000000433000-memory.dmp

memory/628-14-0x00000000001B0000-0x00000000001E3000-memory.dmp

memory/628-20-0x0000000000400000-0x000000000040E000-memory.dmp

memory/628-25-0x00000000014F0000-0x000000000150B000-memory.dmp

memory/628-26-0x0000000000400000-0x0000000000433000-memory.dmp