Malware Analysis Report

2025-08-05 17:02

Sample ID: 240107-ya9xxadfa7
Target: adec6573d4a87df78f8ea430d653b6f7.exe
SHA256: 75c2eae351fa0ea16b7213637ee0fcbe02f09504893a964906238a264e7f054a
Tags: upx
Score: 7/10

Analysis Overview

Threat level: Shows suspicious behavior

The file adec6573d4a87df78f8ea430d653b6f7.exe was found to show suspicious behavior.

Malicious Activity Summary

UPX packed file (tag: upx)

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-01-07 19:36

Signatures

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-07 19:36
Reported: 2024-01-07 19:38
Platform: win7-20231215-en
Max time kernel: 5s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adec6573d4a87df78f8ea430d653b6f7.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A (14 identical rows; no details reported)

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adec6573d4a87df78f8ea430d653b6f7.exe N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\adec6573d4a87df78f8ea430d653b6f7.exe

"C:\Users\Admin\AppData\Local\Temp\adec6573d4a87df78f8ea430d653b6f7.exe"

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:275457 /prefetch:2

Network

Files

\Users\Admin\E696D64614\winlogon.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Note: all four values are the digests of zero-length input, so the copy of winlogon.exe captured here was empty (0 bytes); these hashes cannot be used to identify the content of the dropped binary.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-07 19:36
Reported: 2024-01-07 19:39
Platform: win10v2004-20231215-en
Max time kernel: 12s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adec6573d4a87df78f8ea430d653b6f7.exe"

Signatures

UPX packed file (tag: upx)

Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows; no details reported)

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adec6573d4a87df78f8ea430d653b6f7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\adec6573d4a87df78f8ea430d653b6f7.exe

"C:\Users\Admin\AppData\Local\Temp\adec6573d4a87df78f8ea430d653b6f7.exe"

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:17410 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH9W14NQ\d[1]

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\js[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q9YQXK50\analytics[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AXLYU2E\counter[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH9W14NQ\styles__ltr[1].css

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH9W14NQ\script[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\xUSKbXqocTPwo3RspD7uVldcgi_KkGuO0Izsc1rniEk[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AXLYU2E\webworker[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q9YQXK50\main[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\KFOmCnqEu92Fr1Mu4mxP[1].ttf

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7M18SFQ7\photos.google[1].xml