Malware Analysis Report

2025-01-18 21:11

Sample ID: 240325-avd4zadh8y
Target: c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070
SHA256: c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070
Tags: upx adware persistence stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070

Threat Level: Known bad

The file c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070 was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

UPX dump on OEP (original entry point)

Modifies WinLogon for persistence

Drops file in Drivers directory

Sets service image path in registry

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Modifies WinLogon

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-25 00:31

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-25 00:31
Reported: 2024-03-25 00:34
Platform: win7-20240221-en
Max time kernel: 142s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe

"C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
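The registry, file and process rows above translate directly into host-side detection logic. The Python below is an added example, not part of the sandbox output: it replays rows from the behavioral1 tables as constructed Sysmon-style events (the event shape, the trusted/untrusted process heuristic and the two benign control events are assumptions) and flags the Winlogon rewrite, the Run values, the ImagePath hijack of the Schedule service (the Task Scheduler service), the dropped binaries, and the reg.exe command that wipes the Browser Helper Objects key. Note that what the "Installs/modifies Browser Helper Object" signature actually records here is deletion of the key, not registration of a new object. Matching needs path canonicalisation: the 32-bit sample's writes are logged under SysWOW64 and Wow6432Node while the values it stores say system32, and the Run data uses the legacy Local Settings\Application Data junction for AppData\Local.

```python
"""Host-side detection rules for the persistence and BHO-tampering rows in
this report.  Added example, not sandbox output: the events below are
constructed in a Sysmon-like shape (type, image, target, details)."""
import re

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe")
REG_EXE = r"C:\Windows\SysWOW64\reg.exe"
# Dropped artefacts from the signature tables, in canonical form.
DROPPED_PATHS = {r"c:\windows\system32\drivers\spools.exe",
                 r"c:\windows\system32\ftpdll.dll",
                 r"c:\users\admin\appdata\local\cftmon.exe"}
BHO_KEY = r"microsoft\windows\currentversion\explorer\browser helper objects"


def normalize_path(p):
    """Canonicalise a file or registry path: undo WOW64 redirection
    (SysWOW64 -> system32, drop Wow6432Node), the ControlSet alias and the
    legacy Local Settings junction, so one artefact compares equal everywhere."""
    p = p.lower()
    p = re.sub(r"^\\registry\\machine\\", lambda m: "hklm\\", p)
    p = re.sub(r"^\\registry\\user\\s-1-5-[\d-]+\\", lambda m: "hkcu\\", p)
    p = re.sub(r"\\controlset\d{3}\\", lambda m: "\\currentcontrolset\\", p)
    p = p.replace("\\wow6432node", "").replace("\\syswow64\\", "\\system32\\")
    p = p.replace("\\local settings\\application data\\", "\\appdata\\local\\")
    return p.replace("%systemroot%", "c:\\windows")


def untrusted_image(image):
    """Assumed heuristic: code running from a user profile or a Temp
    directory has no business editing Winlogon or service settings."""
    n = normalize_path(image)
    return n.startswith("c:\\users\\") or "\\temp\\" in n


def check_event(ev):
    """Return the names of the rules that fire for one event."""
    hits, etype = [], ev["type"]
    target, data = normalize_path(ev["target"]), normalize_path(ev["details"])
    if etype == "RegistrySetValue":
        if re.search(r"\\winlogon\\(shell|userinit|uihost)$", target) and untrusted_image(ev["image"]):
            hits.append("winlogon_modified")
        if re.search(r"\\currentversion\\run\\[^\\]+$", target) and (
                data in DROPPED_PATHS or data.startswith("c:\\windows\\system32\\drivers\\")):
            hits.append("run_key_persistence")
        # Any service ImagePath repointed at a dropped file, or by an untrusted process.
        if re.search(r"\\services\\[^\\]+\\imagepath$", target) and (
                data in DROPPED_PATHS or untrusted_image(ev["image"])):
            hits.append("service_imagepath_hijack")
    elif etype == "RegistryDeleteKey" and BHO_KEY in target:
        hits.append("bho_key_deleted")
    elif etype == "ProcessCreate":
        cmd = ev["details"].lower()
        if (normalize_path(ev["image"]).endswith("\\reg.exe")
                and "delete" in cmd and "browser helper objects" in cmd):
            hits.append("reg_exe_bho_wipe")
    elif etype == "FileCreate" and (target in DROPPED_PATHS or (
            target.startswith("c:\\windows\\system32\\drivers\\") and target.endswith(".exe"))):
        hits.append("dropper_artifact")
    return hits


def scan(events):
    """Apply every rule to a list of events; returns (rule, raw location) pairs."""
    return [(rule, e["target"] or e["details"]) for e in events for rule in check_event(e)]


def make_event(etype, image, target, details=""):
    return {"type": etype, "image": image, "target": target, "details": details}


# Constructed events mirroring behavioral1 rows, plus two benign controls
# (a svchost-owned service key and an ordinary temp file) that must not fire.
EVENTS = [
    make_event("RegistrySetValue", SAMPLE_EXE,
               r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost",
               "logonui.exe"),
    make_event("RegistrySetValue", SAMPLE_EXE,
               r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath",
               r"C:\Windows\system32\drivers\spools.exe"),
    make_event("RegistrySetValue", SAMPLE_EXE,
               r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload",
               r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe"),
    make_event("FileCreate", SAMPLE_EXE, r"C:\Windows\SysWOW64\drivers\spools.exe"),
    make_event("RegistryDeleteKey", REG_EXE,
               r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects"),
    make_event("ProcessCreate", REG_EXE, "",
               r'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f'),
    make_event("RegistrySetValue", r"C:\Windows\System32\svchost.exe",
               r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath",
               r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    make_event("FileCreate", SAMPLE_EXE, r"C:\Users\Admin\AppData\Local\Temp\tmp0001.txt"),
]

if __name__ == "__main__":
    for rule, where in scan(EVENTS):
        print(f"{rule:26} {where}")
```

Run the block directly to list the six alerts; in a real pipeline the same fields come from Sysmon event IDs 1 (process create), 11 (file create), 12 (key delete) and 13 (value set).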

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.tonysbilvard.com udp
US 8.8.8.8:53 vvsecurity.cn udp
US 8.8.8.8:53 winupdate.cn udp

Files

memory/1784-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\ftpdll.dll

MD5 91d31d186f3bbd935946697f8b34d5a0
SHA1 78eccbde63c6913759adf819622ebc3508840f94
SHA256 1767b9108ac9ba4e5d0a7bb104a3462ec4dd5076d3245ad58d25fd1a972fecd0
SHA512 16bdd3bbf2f51b585617a9d398ce1fa8b997e8dbb92ca2d441cab833733255d364537f1ecf9fa020014af759dc6baf4e1f60bfcdb510062c9ecb01ac64c05db4

memory/1784-5-0x0000000010000000-0x000000001010B000-memory.dmp

C:\Users\Admin\AppData\Local\cftmon.exe

MD5 38b3a4bf1b88bc3316fc7e7dbf0e1c29
SHA1 24fdb7ba082c69b444adc6f5aa6c7ece0b87e8a1
SHA256 4bf64a27b984a88688ad0a7471f37abac83f8fc9d38eae126f4df9a225325882
SHA512 72e2595962a9a8d0faa2c25c21f8ec139252292002291b731502118111252d1689f811cba323d57331cb50d578cc5705ee3e43c90790d27e8e72da13485a6678

memory/1784-12-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1784-13-0x0000000010000000-0x000000001010B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-25 00:31
Reported: 2024-03-25 00:34
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe

"C:\Users\Admin\AppData\Local\Temp\c98aaf3267fcfb8b2aa45b86f6a8b8b16ac4da282d2fba6eb33ad43ef7324070.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 www.tonysbilvard.com udp
US 8.8.8.8:53 vvsecurity.cn udp
US 8.8.8.8:53 winupdate.cn udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/1628-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\ftpdll.dll

MD5 91d31d186f3bbd935946697f8b34d5a0
SHA1 78eccbde63c6913759adf819622ebc3508840f94
SHA256 1767b9108ac9ba4e5d0a7bb104a3462ec4dd5076d3245ad58d25fd1a972fecd0
SHA512 16bdd3bbf2f51b585617a9d398ce1fa8b997e8dbb92ca2d441cab833733255d364537f1ecf9fa020014af759dc6baf4e1f60bfcdb510062c9ecb01ac64c05db4

memory/1628-6-0x0000000010000000-0x000000001010B000-memory.dmp

C:\Users\Admin\AppData\Local\cftmon.exe

MD5 6bacdc1eb8d8360790ec15cb31a35241
SHA1 a2f2e6f561e95d5bc7e9be5595791994d84dc00c
SHA256 59cb80fe9ec6bd5fe81321ad0d204b295868877634602b76c59a6b328a349e5e
SHA512 a62edd01cb28966d47e4f7b532e90444ecadd8d66244ecbc87e7b91760ee5fdf06711b20f579f751d81f17f3660ccd071efd8d42455e4653323c4ce1e615ad29

memory/1628-13-0x0000000000400000-0x0000000000433000-memory.dmp
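Two detonations on different platforms give a cheap way to separate what the sample does from what the sandbox image does on its own. The Python below is an added example, not sandbox output; it embeds excerpts transcribed from the Network and Files sections of both detonations above (behavioral2's network table abbreviated, only MD5 and SHA256 kept) and diffs them. Reverse (in-addr.arpa) lookups are dropped as resolver noise, domains queried in both runs are treated as sample-driven, the single-run tse1.mm.bing.net traffic is left for allowlist review rather than labelled either way, and file artefacts are split into those whose hash is stable across runs (ftpdll.dll) and those whose hash changes every run (cftmon.exe), which are better tracked by path and Run-key value than by hash. The drive-letter stripping exists because behavioral1 lists ftpdll.dll without one.

```python
"""Diff two detonations of the same sample to separate sample-driven
indicators from sandbox environment noise.  Added example, not sandbox
output; the tables below are excerpts of the report's own Network and
Files sections (behavioral2 network abbreviated, MD5/SHA256 only)."""

BEHAVIORAL1_NET = """\
Country Destination Domain Proto
US 8.8.8.8:53 www.tonysbilvard.com udp
US 8.8.8.8:53 vvsecurity.cn udp
US 8.8.8.8:53 winupdate.cn udp
"""
BEHAVIORAL2_NET = """\
Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.tonysbilvard.com udp
US 8.8.8.8:53 vvsecurity.cn udp
US 8.8.8.8:53 winupdate.cn udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""
BEHAVIORAL1_FILES = r"""
memory/1784-0-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\ftpdll.dll
MD5 91d31d186f3bbd935946697f8b34d5a0
SHA256 1767b9108ac9ba4e5d0a7bb104a3462ec4dd5076d3245ad58d25fd1a972fecd0
C:\Users\Admin\AppData\Local\cftmon.exe
MD5 38b3a4bf1b88bc3316fc7e7dbf0e1c29
SHA256 4bf64a27b984a88688ad0a7471f37abac83f8fc9d38eae126f4df9a225325882
"""
BEHAVIORAL2_FILES = r"""
C:\Windows\SysWOW64\ftpdll.dll
MD5 91d31d186f3bbd935946697f8b34d5a0
SHA256 1767b9108ac9ba4e5d0a7bb104a3462ec4dd5076d3245ad58d25fd1a972fecd0
C:\Users\Admin\AppData\Local\cftmon.exe
MD5 6bacdc1eb8d8360790ec15cb31a35241
SHA256 59cb80fe9ec6bd5fe81321ad0d204b295868877634602b76c59a6b328a349e5e
"""
HASH_KEYS = ("MD5", "SHA1", "SHA256", "SHA512")


def canonical(path):
    """Lower-case and strip a drive letter so 'C:\\x' and '\\x' compare equal."""
    p = path.lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def parse_network(text):
    """Rows of (country, destination, domain, proto); header line skipped."""
    return [tuple(line.split()) for line in text.splitlines()[1:] if line.strip()]


def parse_files(text):
    """Map canonical path -> {hash name: hex}; memory dump lines are skipped."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        name, _, value = line.partition(" ")
        if name in HASH_KEYS and current is not None:
            files[current][name.lower()] = value
        else:
            current = canonical(line)
            files[current] = {}
    return files


def actionable_domains(rows):
    """Drop reverse lookups: in-addr.arpa queries are the sandbox resolving
    PTR records for hosts it already contacted, not sample-initiated C2."""
    return {domain for _, _, domain, _ in rows if not domain.endswith(".in-addr.arpa")}


def classify_domains(run_a, run_b):
    """Domains seen in both runs are sample-driven; the rest need review."""
    a, b = actionable_domains(run_a), actionable_domains(run_b)
    return {"sample_driven": sorted(a & b), "single_run_only": sorted(a ^ b)}


def direct_connections(rows):
    """Non-DNS destinations, i.e. real connections rather than lookups."""
    return sorted({(dest, domain) for _, dest, domain, _ in rows if not dest.endswith(":53")})


def compare_files(run_a, run_b):
    """Split dropped files by whether their SHA256 survives across runs."""
    out = {"stable_hash": [], "hash_varies_per_run": [], "single_run_only": []}
    for path in sorted(set(run_a) | set(run_b)):
        if path in run_a and path in run_b:
            same = run_a[path].get("sha256") == run_b[path].get("sha256")
            out["stable_hash" if same else "hash_varies_per_run"].append(path)
        else:
            out["single_run_only"].append(path)
    return out


if __name__ == "__main__":
    print(classify_domains(parse_network(BEHAVIORAL1_NET), parse_network(BEHAVIORAL2_NET)))
    print(direct_connections(parse_network(BEHAVIORAL2_NET)))
    print(compare_files(parse_files(BEHAVIORAL1_FILES), parse_files(BEHAVIORAL2_FILES)))
```

The same diff works against the full tables; the more detonations you intersect, the smaller the sample-driven set gets and the more confidently the remainder can be attributed to the image.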