Malware Analysis Report

2024-12-01 01:50

Sample ID 241110-bvcrkswgqf
Target a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54
SHA256 a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54

Threat Level: Shows suspicious behavior

The file a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Deletes itself

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:27

Reported

2024-11-10 01:30

Platform

win7-20240903-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe

"C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe"

C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe

C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe

Network

N/A

Files

memory/1704-0-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2108-12-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2108-17-0x0000000000180000-0x00000000001B8000-memory.dmp

memory/2108-11-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe

MD5 2405e255451ec0f8483bb392df699e79
SHA1 6bd301537b70f4f95fc3996040c71101d8912e91
SHA256 9a64a20818c85c270f18138847b51ca1e5b7db2ecdfe2d6a3b0f04e7decf17dd
SHA512 60ac12db2624eff66e85492af1ecc5b3507a72d32787561240279c485325de9169eb32ad9f142181f8240b949224c673fdbdd5fedfdeb98ecd6631c7f5b1baff

memory/1704-9-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2108-18-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:27

Reported

2024-11-10 01:30

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe

"C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 396

C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe

C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4292 -ip 4292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 372

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1116-0-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a8570bd61079d62c5ac716c56a5be4e23b9bc09c5ff26c67a3032afc42347c54.exe

MD5 78e74e273bf010989e856461160a7196
SHA1 37b21e9e1cc16f792b7cc5998a56d1a6f3034761
SHA256 16a8527072eb220e8a4a1d2dfa7aa96a70ed84f616edcf1b721ef41723a785ff
SHA512 90115d3cbf3f1f2b9342d2b556a82df6a97ef4d037d112524f454dc8311bb561bcc50a32ba6093561af92a0ab1c602670c336b76b9886a477de08d38f8938ff1

memory/4292-7-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1116-6-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4292-13-0x00000000014C0000-0x00000000014F8000-memory.dmp

memory/4292-8-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1116-14-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4292-15-0x0000000000400000-0x0000000000438000-memory.dmp