Malware Analysis Report

2025-01-18 21:15

Sample ID 240323-3sv9paed49
Target aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628
SHA256 aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628
Tags: upx adware persistence stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628

Threat Level: Known bad

The file aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628 was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Sets service image path in registry

Drops file in Drivers directory

UPX packed file

Adds Run key to start application

Installs/modifies Browser Helper Object

Modifies WinLogon

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 23:47

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 23:47

Reported

2024-03-23 23:49

Platform

win7-20240215-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

Note: both values are the Windows defaults (Explorer.exe as shell; userinit.exe with its trailing comma), so the logon chain is not hijacked. The signature fires on the write to Winlogon itself; the persistence that actually points at the dropped files is in the Run values and the Schedule service ImagePath recorded below.

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\winupdat.exe | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\winupdat.exe | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

Note: the sample runs as a 32-bit process (its reg.exe child is the SysWOW64 copy and its HKLM\SOFTWARE writes land under Wow6432Node). WoW64 file system redirection therefore turns its write to C:\Windows\system32\drivers\ into SysWOW64\drivers\, which is the path recorded here.

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\winupdat.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

Note: Schedule is the Task Scheduler service, normally hosted by svchost.exe, so this repoints an existing auto-start service at the dropped file. The value names system32\drivers\winupdat.exe, but on this 64-bit guest the file was written to SysWOW64\drivers\ (see the file drop above); the native Service Control Manager is not subject to redirection and would not find the file at the path given. Path and file only line up on 32-bit Windows.

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\winupdat.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\explores.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\winupdat.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\explores.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

Note: the autoload value uses the Windows XP profile layout. On Vista and later, C:\Users\<user>\Local Settings\Application Data is a compatibility junction onto C:\Users\<user>\AppData\Local, so the value resolves to the explores.exe listed under Files. The ntuser value has the same system32 vs SysWOW64 mismatch as the Schedule ImagePath. Both values are written to the machine hive and to the user hive, so either copy alone is enough to relaunch the dropped files at logon.

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A

Note: despite the signature name, no BHO is installed. The sample runs reg.exe (command line under Processes) to delete the whole Browser Helper Objects key, removing every registered 32-bit BHO; because it is the SysWOW64 reg.exe, the HKLM\SOFTWARE path it names is redirected to Wow6432Node and 64-bit BHO registrations are untouched. The stealer and adware tags are inherited from the signature; no credential access or ad component is recorded anywhere in this report.

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

Note: UIHost was read by the Windows XP logon UI and is ignored on Vista and later, where the value does not exist by default; the value written is the XP default (logonui.exe). On the win7 and win10 guests it changes nothing, but an unexpected UIHost value is a cheap hunting artifact for this sample.

Processes

C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe

"C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country | Destination | Domain | Proto
RU | 89.223.13.242:80 | - | tcp
RU | 89.223.13.242:80 | - | tcp

Files

memory/2356-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\explores.exe

MD5 d3912c99d8dd92ca77f57caa0f30cf0d
SHA1 8712e7c7bccc7ed906f5b28a62238b875d1e86ec
SHA256 4d910b1cff6ebf6bfc57102e15c172caa3c58f6e9a101a603770feff63a48389
SHA512 b51ff3223466cb20eae5ae55405fa82b5eaafe04fb997fe50bec9c9040d49bb3b1efcc4dcec66a0083ddd71ee9cbfd6f2f97e91a7526b04c46a962cdc41a6f14

memory/2356-7-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2356-11-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 23:47

Reported

2024-03-23 23:49

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\winupdat.exe | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
File created | C:\Windows\SysWOW64\drivers\winupdat.exe | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\winupdat.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\winupdat.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\explores.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\winupdat.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\explores.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe | N/A
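
Host triage for the indicators above. This is an added example, not part of the sandbox report or of the sample: a PowerShell function that checks a suspect host for the Run values, the Schedule service ImagePath, the Winlogon values and the dropped file paths recorded in both detonations. The indicator names and paths are taken from the report; the function name, the shape of the objects it returns and the "expected default" comparisons (explorer.exe, userinit.exe with its trailing comma, svchost.exe as the Schedule host) are this example's own assumptions. Run it from an elevated 64-bit PowerShell so that HKLM and the System32 vs SysWOW64 split are seen as the operating system sees them.

```powershell
# Added example (not from the report): triage a host for the persistence
# indicators recorded in the two detonations. Run elevated, in 64-bit PowerShell.
# The function name, the output object shape and the "expected default" values
# used below are this example's own assumptions.

function Get-WinupdatPersistence {
    [CmdletBinding()]
    param()

    $findings = New-Object 'System.Collections.Generic.List[object]'

    function Add-Finding {
        param($Where, $Name, $Value, $Note)
        $findings.Add([pscustomobject]@{
            Location = $Where; Name = $Name; Value = $Value; Note = $Note
        })
    }

    # 1. Run values. The sample wrote 'ntuser' and 'autoload' to both the machine
    #    hive and the user hive. On 64-bit Windows a 32-bit process's HKLM\SOFTWARE
    #    writes land under Wow6432Node, so that view is checked explicitly, and
    #    every loaded user hive is checked, not only the current user's.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $userHives) {
        $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ($prop.Name -in 'ntuser', 'autoload') {
                Add-Finding $key $prop.Name $prop.Value 'Run value name used by the sample'
            } elseif ("$($prop.Value)" -match '\\drivers\\[^\\]+\.exe') {
                # Generalisation: drivers\ holds kernel .sys files; a user-mode
                # autostart from there is abnormal whatever it is called.
                Add-Finding $key $prop.Name $prop.Value 'Autostart from a drivers directory'
            }
        }
    }

    # 2. 'Schedule' is the Task Scheduler service; Windows hosts it in svchost.exe.
    #    The sample repointed its ImagePath at the dropped winupdat.exe.
    $schedKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
    $sched = Get-ItemProperty -LiteralPath $schedKey -ErrorAction SilentlyContinue
    if ($sched -and $sched.ImagePath -notmatch '\\svchost\.exe') {
        Add-Finding $schedKey 'ImagePath' $sched.ImagePath 'Task Scheduler not hosted by svchost.exe'
    }

    # 3. Winlogon, in both the native view and the Wow6432Node view the sample wrote.
    #    Shell and UserInit were written with their default values, so only a
    #    non-default value is reported. UIHost is a Windows XP-era value that later
    #    versions neither ship nor honour; its presence alone is notable.
    foreach ($wlKey in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                       'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $wl = Get-ItemProperty -LiteralPath $wlKey -ErrorAction SilentlyContinue
        if (-not $wl) { continue }
        if ($wl.Shell -and $wl.Shell -ine 'explorer.exe') {
            Add-Finding $wlKey 'Shell' $wl.Shell 'Non-default shell'
        }
        if ($wl.Userinit -and $wl.Userinit -ine "$env:SystemRoot\system32\userinit.exe,") {
            Add-Finding $wlKey 'Userinit' $wl.Userinit 'Non-default Userinit'
        }
        if ($null -ne $wl.UIHost) {
            Add-Finding $wlKey 'UIHost' $wl.UIHost 'Legacy UIHost value present'
        }
    }

    # 4. Dropped files. A 32-bit process writing C:\Windows\system32\drivers\ on
    #    64-bit Windows is redirected to SysWOW64\drivers\ (where the sandbox saw the
    #    file), while the registry values it wrote still say system32\drivers\.
    #    Check both, plus the current user's explores.exe, and hash what is present.
    $paths = @(
        "$env:SystemRoot\System32\drivers\winupdat.exe",
        "$env:SystemRoot\SysWOW64\drivers\winupdat.exe",
        "$env:LOCALAPPDATA\explores.exe"
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Add-Finding $p 'file' $sha256 'Dropped file present (value is SHA256)'
        }
    }

    return $findings
}

Get-WinupdatPersistence | Format-Table -AutoSize -Wrap
```

A hit on ntuser, autoload, the Schedule ImagePath, UIHost or either winupdat.exe path is what matters; Shell and Userinit only surface when they hold something other than the default, because the sample wrote the defaults. Finding winupdat.exe under SysWOW64\drivers with no copy under System32\drivers is itself consistent with this sample on 64-bit Windows, for the redirection reason noted in the comments.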

Processes

C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe

"C:\Users\Admin\AppData\Local\Temp\aeee5dd4338d9e5a4632763b77144f3603b3b4bff78884b002cad20c35c8f628.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
GB | 142.250.187.234:443 | - | tcp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
RU | 89.223.13.242:80 | - | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 13.107.253.64:443 | - | tcp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp

Note: the only destination attributable to the sample is 89.223.13.242:80, the same address contacted in behavioral1, reached by IP with no DNS lookup. The Bing, Google and Microsoft destinations and the in-addr.arpa reverse lookups to 8.8.8.8 are consistent with Windows 10 background activity and the msedge.exe utility process listed under Processes, not with the sample.

Files

memory/224-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\explores.exe

MD5 2186f4572063933791bde070ea83820c
SHA1 76f9ae518d7a6aa8c55730a95bfca82abe627e6f
SHA256 b01894596797f56d13927e23cbbb8418db7708d2b0119dd541762e5c00e679a6
SHA512 0f8ab96e4bd4a1b21f7f6a33e43756aaae231c669186b7195064fcd1c3585830549b5280663fa8a4d7f9ae8e99ff3860e1b6349a0783fdc6fe645cdd7b165bf3

Note: this is the same path recorded in behavioral1, but with different hashes (behavioral1 SHA256 4d910b1cff6ebf6bfc57102e15c172caa3c58f6e9a101a603770feff63a48389). The dropped explores.exe is not byte-identical across runs, so its file hashes are a weak indicator; the path, the autoload Run value and the winupdat.exe drop are the stable ones.

memory/224-7-0x0000000000400000-0x0000000000414000-memory.dmp

memory/224-9-0x0000000000400000-0x0000000000414000-memory.dmp