Malware Analysis Report

2025-05-28 18:05

Sample ID 241109-zrqe9svmem
Target 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117
SHA256 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117

Threat Level: Shows suspicious behavior

The file 2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Deletes itself

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:57

Signatures

Unsigned PE

Description N/A
Indicator N/A
Process N/A
Target N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:57

Reported

2024-11-09 20:59

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"

Signatures

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
Target N/A

System Location Discovery: System Language Discovery

discovery
Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
Target N/A

Suspicious behavior: RenamesItself

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
Target N/A

Suspicious use of UnmapMainImage

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

"C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"

C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

Network

N/A

Files

memory/2132-0-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2476-12-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

MD5 ff60563cfb05887ea20ddbdb61521a89
SHA1 d90e3ca11c540ed7d7c2a5620d3294729a4f0942
SHA256 09b1701ef9e163324e8690a8fc1a184039599df3d218cd3d83a9ff9942f38d64
SHA512 c7e46063de41381c30ad9954679d86a68272a12e9d8eb0bd788dbea9e03d95191c2de1027bf14e85edc2e158d76eae26f39da2b74ea756aeaec145123fd85824

memory/2132-10-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2132-9-0x0000000000130000-0x0000000000172000-memory.dmp

memory/2476-18-0x0000000000130000-0x0000000000172000-memory.dmp

memory/2476-13-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2476-19-0x0000000000400000-0x0000000000442000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:57

Reported

2024-11-09 20:59

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"

Signatures

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
Target N/A

System Location Discovery: System Language Discovery

discovery
Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
Target N/A

Suspicious behavior: RenamesItself

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
Target N/A

Suspicious use of UnmapMainImage

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

"C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2916 -ip 2916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 396

C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3692 -ip 3692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 364

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2916-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2f630adb1a46ba087834343a7539856910f986ca35c2f717691b1f0142c58117.exe

MD5 575c192f028e3517cf5183da7f89b1a6
SHA1 0edfe6be93c52fcb5560c20cede61b9742c49271
SHA256 4887e86ec32ff5d838892b52c44bed85d5165f2d843de9ede314ce9e1ad40fdc
SHA512 f078c93505832ac03baf9147a77a72e7fe409c39f9794751c46441076068c853b5152bb731598782f5523e626d906365288691d0b2f384ce177acafed82b6162

memory/2916-8-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3692-7-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3692-14-0x00000000014E0000-0x0000000001522000-memory.dmp

memory/3692-9-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3692-15-0x0000000000400000-0x0000000000442000-memory.dmp