Malware Analysis Report

2025-01-18 21:11

Sample ID: 240325-dw63xshg3x
Target: dd1d4e7f5b640fc3d968c8ac07f334c5
SHA256: e57d4b377ee0271136c016f994c84a8c08dae93f658a5d069d2552832895e18f
Tags: upx adware stealer
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: e57d4b377ee0271136c016f994c84a8c08dae93f658a5d069d2552832895e18f

Threat Level: Shows suspicious behavior

The file dd1d4e7f5b640fc3d968c8ac07f334c5 was classified as "Shows suspicious behavior".

Malicious Activity Summary

upx adware stealer

Checks computer location settings

UPX packed file

Installs/modifies Browser Helper Object

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-03-25 03:22

Signatures

UPX packed file

Tags: upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-25 03:22
Reported: 2024-03-25 03:25
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe"

Signatures

UPX packed file

Tags: upx

Installs/modifies Browser Helper Object

Tags: stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF5137B5-C506-4D9B-8682-E0BE4675B899} C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FF5137B5-C506-4D9B-8682-E0BE4675B899}\ C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\OJHMUHLIOIM C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A
File created C:\Windows\pmspl.dll C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A
File opened for modification C:\Windows\pmspl.dll C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe

"C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\pmspl.dll

Network

N/A

Files

memory/1524-0-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1524-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Windows\pmspl.dll

MD5 99404cd500609f705b28631e25535241
SHA1 5ebbf13c3afed4135e5c3c6355571d3699f88a81
SHA256 55acf2d68de3021def3ae2c591e7985c9e3fd050f6e2bdd2f328b64eb2b415ca
SHA512 88417ce7a533b5a2692b78bfde2aaa865456ff082b68d2bf9cb4fe3e7a01cc254b5f4f1f7a6aea18f30f4f7ad1cbb29bc9ef4398b0f700bc387c34f7ce1b5e3a

memory/1524-8-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1524-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-25 03:22
Reported: 2024-03-25 03:25
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A

UPX packed file

Tags: upx

Installs/modifies Browser Helper Object

Tags: stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF5137B5-C506-4D9B-8682-E0BE4675B899} C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF5137B5-C506-4D9B-8682-E0BE4675B899}\ C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MJUIOHUOHHJ C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A
File created C:\Windows\pmspl.dll C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A
File opened for modification C:\Windows\pmspl.dll C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe

"C:\Users\Admin\AppData\Local\Temp\dd1d4e7f5b640fc3d968c8ac07f334c5.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\pmspl.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/4124-0-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4124-1-0x00000000009A0000-0x00000000009A1000-memory.dmp

C:\Windows\MJUIOHUOHHJ

MD5 99404cd500609f705b28631e25535241
SHA1 5ebbf13c3afed4135e5c3c6355571d3699f88a81
SHA256 55acf2d68de3021def3ae2c591e7985c9e3fd050f6e2bdd2f328b64eb2b415ca
SHA512 88417ce7a533b5a2692b78bfde2aaa865456ff082b68d2bf9cb4fe3e7a01cc254b5f4f1f7a6aea18f30f4f7ad1cbb29bc9ef4398b0f700bc387c34f7ce1b5e3a

memory/4124-9-0x0000000000400000-0x000000000048C000-memory.dmp

memory/4124-11-0x00000000009A0000-0x00000000009A1000-memory.dmp