Malware Analysis Report

2025-01-18 21:28

Sample ID 240321-t7f9msfg48
Target dc1cc6b5421b4c3f9192530bb66e0ded
SHA256 9f0e89d56ed5137b21cb1d3fd1394d8804ec38c62230b6d5858c26a0a2dab27d
Tags
adware stealer upx
score
7/10


Analysis Overview

score
7/10

SHA256

9f0e89d56ed5137b21cb1d3fd1394d8804ec38c62230b6d5858c26a0a2dab27d

Threat Level: Shows suspicious behavior

The file dc1cc6b5421b4c3f9192530bb66e0ded was found to show suspicious behavior.

Malicious Activity Summary

adware stealer upx

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Installs/modifies Browser Helper Object

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-03-21 16:41

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
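The static signature above only says that the sample is UPX packed. The following Python is an added worked example (not part of the sandbox report and not UPX's own tooling) of how an analyst re-checks that verdict offline: it parses the PE section table by hand, looks for the UPX0/UPX1 section names and the raw-size-zero first section that UPX leaves behind, and measures per-section Shannon entropy. The PE image it runs on is constructed inside the script, not the analysed sample, and the 7.0 bits/byte threshold is an assumed cut-off.

```python
"""Static check for UPX-style packing: section names plus per-section entropy.

Added example; not part of the sandbox report and not UPX's own tooling.
SAMPLE_PE below is a constructed minimal PE image, not the analysed sample.
"""
import math
import random
import struct
from collections import Counter
from typing import Dict, List, Tuple

ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cut-off for "looks compressed"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes) -> List[Tuple[str, int, int, int]]:
    """Parse the section table: (name, VirtualSize, SizeOfRawData, PointerToRawData)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, rptr))
    return sections


def upx_indicators(image: bytes) -> Dict[str, object]:
    """Combine the cheap indicators: UPX* names, an empty first section, high entropy."""
    secs = pe_sections(image)
    names = [s[0] for s in secs]
    max_entropy = 0.0
    for _name, _vsize, rsize, rptr in secs:
        if rsize:
            max_entropy = max(max_entropy, shannon_entropy(image[rptr:rptr + rsize]))
    # UPX0 is typically the unpack destination: virtual size only, no raw data.
    empty_first = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0
    upx_names = any(n.startswith("UPX") for n in names)
    return {
        "sections": names,
        "upx_names": upx_names,
        "empty_first_section": empty_first,
        "max_entropy": round(max_entropy, 3),
        "likely_upx": upx_names and max_entropy > ENTROPY_THRESHOLD,
    }


def build_sample_pe() -> bytes:
    """Construct a minimal 32-bit PE with UPX0/UPX1/.rsrc sections (test input only)."""
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
    rsrc = b"\0" * 512
    e_lfanew, opt_size, n = 0x80, 224, 3
    raw1 = (e_lfanew + 24 + opt_size + 40 * n + 0x1FF) & ~0x1FF  # 512-byte file alignment
    raw2 = raw1 + len(packed)
    layout = [(b"UPX0", 0x10000, 0, 0), (b"UPX1", len(packed), len(packed), raw1),
              (b".rsrc", len(rsrc), len(rsrc), raw2)]
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    table, va = b"", 0x1000
    for name, vsize, rsize, rptr in layout:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0xE0000020)
        va += (vsize + 0xFFF) & ~0xFFF
    return (dos + coff + opt + table).ljust(raw1, b"\0") + packed + rsrc


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    print(upx_indicators(SAMPLE_PE))
```

Section names are trivially renamed by packer users, so the entropy figure is the part worth trusting; a section with raw data near 8 bits/byte that is also the entry-point section is the usual tell, whatever it is called.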

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 16:41

Reported

2024-03-21 16:44

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62DBC446-CA78-410E-9978-C0EECF203876} | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DBC446-CA78-410E-9978-C0EECF203876}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DBC446-CA78-410E-9978-C0EECF203876}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DBC446-CA78-410E-9978-C0EECF203876} | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DBC446-CA78-410E-9978-C0EECF203876}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-security-base-l1-1-.dll" | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe

"C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe"

Network

N/A

Files

memory/2184-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2184-1-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2184-2-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2184-3-0x0000000000400000-0x0000000000424000-memory.dmp

\Windows\SysWOW64\api-ms-win-security-base-l1-1-.dll

MD5 ab4501e174fea108890af1305841c097
SHA1 9947c765771e63e65366501fa54c969f6cdbf7af
SHA256 61b2c490450af57002dc379df9a32b2568d2d72c8534c5eba6b37c16067d5e80
SHA512 a6cf867e243f8fc3a07d91182e5e501fef21a59f8f32a7b4409ee3d5fa8e90a5a871f55484811ae657f85a3695663989e35981202711f4865d199b73ceb35cb2

memory/2184-6-0x0000000000220000-0x000000000025C000-memory.dmp

memory/2184-7-0x0000000000220000-0x000000000025C000-memory.dmp

memory/2184-9-0x0000000000220000-0x000000000025C000-memory.dmp

memory/2184-8-0x0000000000400000-0x0000000000424000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 16:41

Reported

2024-03-21 16:44

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B35B87F0-F2B0-49AF-A95E-366753C2F78F} | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B35B87F0-F2B0-49AF-A95E-366753C2F78F}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B35B87F0-F2B0-49AF-A95E-366753C2F78F} | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B35B87F0-F2B0-49AF-A95E-366753C2F78F}\InprocServer32\ = "C:\\Windows\\SysWow64\\AuditNativeSnapI.dll" | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B35B87F0-F2B0-49AF-A95E-366753C2F78F}\InprocServer32\ThreadingModel = "apartment" | C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe | N/A
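Across the two behavioral runs the sample registers its COM server under a different CLSID and a different DLL name each time, yet the dropped DLL carries the same SHA256 in both runs. The following Python is an added worked example (not part of the sandbox report and not the sandbox's own tooling) of the correlation an analyst does on these rows: it reads the registry events from both runs, reconstructs each BHO registration (Browser Helper Objects key, CLSID, InprocServer32 path, ThreadingModel), ties the server DLL back to the dropped-file hashes, and groups dropped files by hash to show the renamed payload. The event strings and hashes are copied from this report; the regexes and the "api-ms-win-" naming heuristic are assumptions of the example.

```python
"""Reconstruct BHO registrations from sandbox registry events.

Added example; not part of the sandbox report and not the sandbox's tooling.
EVENTS and DROPPED are copied from the report's registry and Files tables
(process column dropped); the regexes and the naming heuristic are assumptions.
"""
import re
from typing import Dict, List

# Registry events from both behavioral runs, exactly as the sandbox printed
# them (backslashes inside quoted values are doubled). Constructed inline.
EVENTS: List[str] = [
    r"Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62DBC446-CA78-410E-9978-C0EECF203876}",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DBC446-CA78-410E-9978-C0EECF203876}\InprocServer32\ThreadingModel = "apartment"',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DBC446-CA78-410E-9978-C0EECF203876}\InprocServer32",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62DBC446-CA78-410E-9978-C0EECF203876}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-security-base-l1-1-.dll"',
    r"Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B35B87F0-F2B0-49AF-A95E-366753C2F78F}",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B35B87F0-F2B0-49AF-A95E-366753C2F78F}\InprocServer32\ = "C:\\Windows\\SysWow64\\AuditNativeSnapI.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B35B87F0-F2B0-49AF-A95E-366753C2F78F}\InprocServer32\ThreadingModel = "apartment"',
]

# Dropped-file hashes from the two runs' Files sections (constructed inline).
DROPPED: Dict[str, str] = {
    r"\Windows\SysWOW64\api-ms-win-security-base-l1-1-.dll":
        "61b2c490450af57002dc379df9a32b2568d2d72c8534c5eba6b37c16067d5e80",
    r"C:\Windows\SysWOW64\AuditNativeSnapI.dll":
        "61b2c490450af57002dc379df9a32b2568d2d72c8534c5eba6b37c16067d5e80",
}

GUID = r"(\{[0-9A-Fa-f-]{36}\})"
BHO_KEY = re.compile(r"^Key created .*\\Browser Helper Objects\\" + GUID + r"$", re.I)
INPROC_DEFAULT = re.compile(r'^Set value \(str\) .*\\CLSID\\' + GUID + r'\\InprocServer32\\ = "(.*)"$', re.I)
THREADING = re.compile(r'^Set value \(str\) .*\\CLSID\\' + GUID + r'\\InprocServer32\\ThreadingModel = "(.*)"$', re.I)
# Assumption: genuine API Set contract DLLs are named api-ms-win-<ns>-l<major>-<minor>-<build>.dll,
# so an "api-ms-win-" name that does not fit that shape is a look-alike.
API_SET_NAME = re.compile(r"^api-ms-win-[a-z0-9-]+-l\d+-\d+-\d+\.dll$", re.I)


def correlate(events: List[str]) -> Dict[str, Dict[str, object]]:
    """Map CLSID -> {bho, dll, threading_model} from raw registry event lines."""
    regs: Dict[str, Dict[str, object]] = {}

    def entry(clsid: str) -> Dict[str, object]:
        return regs.setdefault(clsid.upper(), {"bho": False, "dll": None, "threading_model": None})

    for line in events:
        m = BHO_KEY.match(line)
        if m:
            entry(m.group(1))["bho"] = True
            continue
        m = INPROC_DEFAULT.match(line)
        if m:
            # Undo the sandbox's backslash doubling inside the quoted value.
            entry(m.group(1))["dll"] = m.group(2).replace("\\\\", "\\")
            continue
        m = THREADING.match(line)
        if m:
            entry(m.group(1))["threading_model"] = m.group(2)
    return regs


def findings(regs: Dict[str, Dict[str, object]], dropped: Dict[str, str]) -> List[str]:
    """Flag BHOs whose server DLL was dropped by the sample or carries a look-alike name."""
    out: List[str] = []
    for clsid, r in sorted(regs.items()):
        if not (r["bho"] and r["dll"]):
            continue
        name = str(r["dll"]).rsplit("\\", 1)[-1]
        if name.lower().startswith("api-ms-win-") and not API_SET_NAME.match(name):
            out.append(f"{clsid}: InprocServer32 '{name}' mimics an API Set contract name")
        for path, sha in dropped.items():
            if path.lower().endswith("\\" + name.lower()):
                out.append(f"{clsid}: server DLL was dropped by the sample, sha256 {sha}")
    return out


def same_payload(dropped: Dict[str, str]) -> Dict[str, List[str]]:
    """Group dropped paths by hash; more than one path per hash means a renamed payload."""
    by_hash: Dict[str, List[str]] = {}
    for path, sha in dropped.items():
        by_hash.setdefault(sha, []).append(path)
    return {sha: paths for sha, paths in by_hash.items() if len(paths) > 1}


if __name__ == "__main__":
    regs = correlate(EVENTS)
    for line in findings(regs, DROPPED):
        print(line)
    for sha, paths in same_payload(DROPPED).items():
        print(f"same payload {sha[:12]}... under {len(paths)} names: {paths}")
```

Because the CLSID and file name change per run, neither is a durable indicator; the dropped DLL's hash and the behaviour (a BHO whose InprocServer32 points at a freshly written file under SysWOW64) are what should feed detection.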

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe

"C:\Users\Admin\AppData\Local\Temp\dc1cc6b5421b4c3f9192530bb66e0ded.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 184.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

memory/2452-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2452-1-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2452-2-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2452-3-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Windows\SysWOW64\AuditNativeSnapI.dll

MD5 ab4501e174fea108890af1305841c097
SHA1 9947c765771e63e65366501fa54c969f6cdbf7af
SHA256 61b2c490450af57002dc379df9a32b2568d2d72c8534c5eba6b37c16067d5e80
SHA512 a6cf867e243f8fc3a07d91182e5e501fef21a59f8f32a7b4409ee3d5fa8e90a5a871f55484811ae657f85a3695663989e35981202711f4865d199b73ceb35cb2

memory/2452-7-0x0000000000430000-0x000000000046C000-memory.dmp

memory/2452-8-0x0000000000430000-0x000000000046C000-memory.dmp

memory/2452-9-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2452-10-0x0000000000430000-0x000000000046C000-memory.dmp