Malware Analysis Report

2025-08-05 09:42

Sample ID: 240611-bqz2bayhll
Target: a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08
SHA256: a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08
Tags: upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08
Threat Level: Known bad

The file a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08 was found to be: Known bad.

Malicious Activity Summary

Tags: upx

UPX dump on OEP (original entry point)
Loads dropped DLL
UPX packed file
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow

Note that "Loads dropped DLL" appears only in this summary; neither behavioral run below records a signature table for it, and the only dropped file listed in either run is the 0.mdd file under a wrd*.~lk temp directory.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 01:21

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 hits recorded, no details)
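The static1 signatures above ("UPX packed file", "Unsigned PE") are exactly the checks a triage script reproduces before a sample is sent to a sandbox. The following added example is not part of the report and not the sandbox's own detection logic: it is a dependency-free PE header walker that reports UPX section names, the `UPX!` marker UPX writes into the header area, whether the Authenticode security directory (data directory entry 4) is populated, per-section entropy, and the file's SHA-256 for comparison with the hash at the top of the report. The PE built by `build_sample_pe()` is a constructed stand-in with the UPX0/UPX1/.rsrc section layout; it is not the reported sample. Run it with a path argument to triage a real file.

```python
"""Static PE triage: UPX indicators, signature presence, entropy, hash.

Added example, not part of the sandbox report. build_sample_pe() returns a
constructed UPX-shaped PE32 stand-in, not the analysed sample.
"""
import hashlib
import json
import math
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed/packed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+).
    dd_off = opt + (96 if magic == 0x10B else 112)
    _, sec_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, shdr = [], opt + opt_size
    for i in range(nsections):
        off = shdr + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "entropy": round(shannon_entropy(raw), 2)})
    # Stock UPX leaves an ASCII "UPX!" marker in the header space before the first section's raw data.
    header_end = min([s["rawptr"] for s in sections if s["rawptr"]] or [len(data)])
    return {"machine": machine, "pe32plus": magic == 0x20B, "sections": sections,
            "signed": sec_size != 0, "upx_marker": b"UPX!" in data[:header_end],
            "sha256": hashlib.sha256(data).hexdigest()}


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    secs = pe["sections"]
    return {
        "sha256": pe["sha256"],
        "unsigned": not pe["signed"],
        "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
        "upx_marker": pe["upx_marker"],
        "high_entropy_sections": [s["name"] for s in secs if s["rawsize"] >= 256 and s["entropy"] > 7.0],
        "sections": secs,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32: empty security directory, UPX0/UPX1/.rsrc, 'UPX!' in header padding."""
    file_align, n_sections = 0x200, 3
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                         # PE32 optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes; entry 4 stays zero
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB pseudo-random
    rsrc = b"\0" * 0x200
    hdr_len = 0x40 + 4 + 20 + 0xE0 + 40 * n_sections
    first_raw = -(-hdr_len // file_align) * file_align

    def shdr(name, vsize, vaddr, rawsize, rawptr, chars):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    sections = (shdr(b"UPX0", 0x300000, 0x1000, 0, 0, 0xE0000080)
                + shdr(b"UPX1", len(packed), 0x301000, len(packed), first_raw, 0xE0000040)
                + shdr(b".rsrc", len(rsrc), 0x303000, len(rsrc), first_raw + len(packed), 0xC0000040))
    padding = b"UPX!".ljust(first_raw - hdr_len, b"\0")
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + padding + packed + rsrc


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(triage(blob), indent=2))
```

Section names are the weakest of these signals, since they are trivially renamed after packing; the `UPX!` marker and a section whose entropy sits near 8.0 survive renaming. The SHA-256 is independent of packing and is the value to match against the report header before trusting any of the other fields.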

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 01:21
Reported: 2024-06-11 01:24
Platform: win7-20240220-en
Max time kernel: 140s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 hits recorded, no details)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 hits recorded, no details)

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A (14 events)
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A (14 events)

The 28 recorded rows alternate between these two tokens and are listed once each with their counts. Privilege value 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h; the sandbox shows it by number only.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe

"C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe"

Network

No network activity recorded (N/A).

Files

memory/2368-0-0x0000000000400000-0x0000000000854000-memory.dmp

\Users\Admin\AppData\Local\Temp\wrdf760078.~lk\0.mdd

MD5 e9ac480b94efda969c718471736b2709
SHA1 2ef07c2d084cc5ce3c9cd786e3edd1edfbbba6a7
SHA256 faf91da49435b41dba357e90f991543d6845ad56afa150a233386ac08c07b37a
SHA512 9c3c3e04604e7cb0220cbff931876e8321cc397009f6d7d3a89376ac9af4914a5bd7c92738eb7a26feca2c6a25eb2c60b62c503146ce5aadab0f4158e3ae32be

memory/2368-9-0x0000000002750000-0x0000000002751000-memory.dmp

memory/2368-8-0x00000000027A0000-0x0000000002B4E000-memory.dmp

memory/2368-4-0x00000000027A0000-0x0000000002B4E000-memory.dmp

memory/2368-18-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

memory/2368-17-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

memory/2368-16-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2368-15-0x0000000002720000-0x0000000002721000-memory.dmp

memory/2368-14-0x0000000002700000-0x0000000002701000-memory.dmp

memory/2368-13-0x0000000002710000-0x0000000002711000-memory.dmp

memory/2368-12-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/2368-11-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2368-10-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

memory/2368-22-0x0000000002740000-0x0000000002741000-memory.dmp

memory/2368-25-0x0000000005BB0000-0x0000000006004000-memory.dmp

memory/2368-26-0x0000000005BB0000-0x0000000006004000-memory.dmp

memory/2368-27-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

memory/2368-31-0x00000000027A0000-0x0000000002B4E000-memory.dmp

memory/2368-32-0x0000000000400000-0x0000000000854000-memory.dmp

memory/2368-33-0x0000000005BB0000-0x0000000006004000-memory.dmp

memory/2368-34-0x0000000005BB0000-0x0000000006004000-memory.dmp

memory/2368-35-0x0000000000400000-0x0000000000854000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 01:21
Reported: 2024-06-11 01:24
Platform: win10v2004-20240426-en
Max time kernel: 142s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 hits recorded, no details)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 hits recorded, no details)

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A (14 events)
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A (14 events)

The 28 recorded rows alternate between these two tokens and are listed once each with their counts, matching the Windows 7 run. Privilege value 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h; the sandbox shows it by number only.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe

"C:\Users\Admin\AppData\Local\Temp\a2c2f1af77167fa63571f489ed6e1f0ad7b75cd80674f9f878e5d2aaf5ca8a08.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Only reverse (PTR) lookups to 8.8.8.8 are recorded, only on the Windows 10 run, and the table has no process column, so they are not attributed to the sample's process; no connection to any resolved host appears. in-addr.arpa names carry the address octets reversed (13.86.106.20.in-addr.arpa is the PTR name for 20.106.86.13), which is how to recover the addresses being looked up.

Files

memory/3440-0-0x0000000000400000-0x0000000000854000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wrde571c08.~lk\0.mdd

MD5 e9ac480b94efda969c718471736b2709
SHA1 2ef07c2d084cc5ce3c9cd786e3edd1edfbbba6a7
SHA256 faf91da49435b41dba357e90f991543d6845ad56afa150a233386ac08c07b37a
SHA512 9c3c3e04604e7cb0220cbff931876e8321cc397009f6d7d3a89376ac9af4914a5bd7c92738eb7a26feca2c6a25eb2c60b62c503146ce5aadab0f4158e3ae32be

memory/3440-5-0x00000000028F0000-0x0000000002C9E000-memory.dmp

memory/3440-6-0x00000000028F0000-0x0000000002C9E000-memory.dmp

memory/3440-8-0x0000000002810000-0x0000000002811000-memory.dmp

memory/3440-11-0x0000000002780000-0x0000000002781000-memory.dmp

memory/3440-19-0x0000000005560000-0x0000000005561000-memory.dmp

memory/3440-24-0x0000000002800000-0x0000000002801000-memory.dmp

memory/3440-23-0x00000000027D0000-0x00000000027D1000-memory.dmp

memory/3440-18-0x0000000004E30000-0x0000000004E31000-memory.dmp

memory/3440-17-0x0000000005550000-0x0000000005551000-memory.dmp

memory/3440-16-0x0000000002770000-0x0000000002771000-memory.dmp

memory/3440-15-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/3440-14-0x00000000027C0000-0x00000000027C1000-memory.dmp

memory/3440-13-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/3440-27-0x0000000004E20000-0x0000000004E21000-memory.dmp

memory/3440-31-0x0000000000400000-0x0000000000854000-memory.dmp

memory/3440-32-0x0000000000400000-0x0000000000854000-memory.dmp

memory/3440-33-0x00000000028F0000-0x0000000002C9E000-memory.dmp
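The dump file names in the two Files sections encode the process id, a dump index and the region's address range, which is enough to decide which dump to open first without the dumps themselves. The following added example, not part of the report, parses the names copied from both Files sections and reduces them to per-region sizes and counts. What it shows for this page: in behavioral1, the region 0x5BB0000-0x6004000 (dumps 25, 26, 33 and 34) is 0x454000 bytes, exactly the size of the image mapping at 0x400000-0x854000, and with "UPX dump on OEP" flagged that is the first candidate to compare against the on-disk PE; the 0x3AE000-byte region appears in both runs at different addresses (0x27A0000 and 0x28F0000), as a runtime allocation would. The size match is a pointer to a dump, not proof of what it holds, since the dump contents are not on the page. Treating dump index 0 as the image mapping is an assumption based on 0x400000 being the default ImageBase of a non-relocated 32-bit executable.

```python
"""Reduce sandbox memory-dump file names to per-region sizes and counts.

Added example, not part of the report. The names below are copied from the
behavioral1 and behavioral2 Files sections; nothing else about the dumps is
known here, so a size match is a lead, not a conclusion."""
import re
from collections import Counter

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")

# behavioral1 Files section (pid 2368, win7-20240220-en)
BEHAVIORAL1 = """
memory/2368-0-0x0000000000400000-0x0000000000854000-memory.dmp
memory/2368-9-0x0000000002750000-0x0000000002751000-memory.dmp
memory/2368-8-0x00000000027A0000-0x0000000002B4E000-memory.dmp
memory/2368-4-0x00000000027A0000-0x0000000002B4E000-memory.dmp
memory/2368-18-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
memory/2368-17-0x0000000002FD0000-0x0000000002FD1000-memory.dmp
memory/2368-16-0x00000000025A0000-0x00000000025A1000-memory.dmp
memory/2368-15-0x0000000002720000-0x0000000002721000-memory.dmp
memory/2368-14-0x0000000002700000-0x0000000002701000-memory.dmp
memory/2368-13-0x0000000002710000-0x0000000002711000-memory.dmp
memory/2368-12-0x00000000025D0000-0x00000000025D1000-memory.dmp
memory/2368-11-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/2368-10-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
memory/2368-22-0x0000000002740000-0x0000000002741000-memory.dmp
memory/2368-25-0x0000000005BB0000-0x0000000006004000-memory.dmp
memory/2368-26-0x0000000005BB0000-0x0000000006004000-memory.dmp
memory/2368-27-0x0000000002FC0000-0x0000000002FC1000-memory.dmp
memory/2368-31-0x00000000027A0000-0x0000000002B4E000-memory.dmp
memory/2368-32-0x0000000000400000-0x0000000000854000-memory.dmp
memory/2368-33-0x0000000005BB0000-0x0000000006004000-memory.dmp
memory/2368-34-0x0000000005BB0000-0x0000000006004000-memory.dmp
memory/2368-35-0x0000000000400000-0x0000000000854000-memory.dmp
""".split()

# behavioral2 Files section (pid 3440, win10v2004-20240426-en)
BEHAVIORAL2 = """
memory/3440-0-0x0000000000400000-0x0000000000854000-memory.dmp
memory/3440-5-0x00000000028F0000-0x0000000002C9E000-memory.dmp
memory/3440-6-0x00000000028F0000-0x0000000002C9E000-memory.dmp
memory/3440-8-0x0000000002810000-0x0000000002811000-memory.dmp
memory/3440-11-0x0000000002780000-0x0000000002781000-memory.dmp
memory/3440-19-0x0000000005560000-0x0000000005561000-memory.dmp
memory/3440-24-0x0000000002800000-0x0000000002801000-memory.dmp
memory/3440-23-0x00000000027D0000-0x00000000027D1000-memory.dmp
memory/3440-18-0x0000000004E30000-0x0000000004E31000-memory.dmp
memory/3440-17-0x0000000005550000-0x0000000005551000-memory.dmp
memory/3440-16-0x0000000002770000-0x0000000002771000-memory.dmp
memory/3440-15-0x00000000027E0000-0x00000000027E1000-memory.dmp
memory/3440-14-0x00000000027C0000-0x00000000027C1000-memory.dmp
memory/3440-13-0x00000000027A0000-0x00000000027A1000-memory.dmp
memory/3440-27-0x0000000004E20000-0x0000000004E21000-memory.dmp
memory/3440-31-0x0000000000400000-0x0000000000854000-memory.dmp
memory/3440-32-0x0000000000400000-0x0000000000854000-memory.dmp
memory/3440-33-0x00000000028F0000-0x0000000002C9E000-memory.dmp
""".split()


def parse_dump_name(name):
    """-> (pid, dump_index, start, end); rejects anything not in the sandbox's naming scheme."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def analyze(names, page=0x1000):
    dumps = sorted((parse_dump_name(n) for n in names), key=lambda d: d[1])
    pids = {d[0] for d in dumps}
    if len(pids) != 1:
        raise ValueError("expected dumps from one process")
    counts = Counter((s, e) for _, _, s, e in dumps)
    image = (dumps[0][2], dumps[0][3])  # assumption: dump 0 is the image mapping at ImageBase 0x400000

    def size(r):
        return r[1] - r[0]

    regions = sorted(counts)
    return {
        "pid": pids.pop(),
        "image_region": image,
        "image_size": size(image),
        "region_counts": dict(counts),  # how many times each range was dumped over the run
        "image_sized_regions": [r for r in regions if r != image and size(r) == size(image)],
        "large_regions": [r for r in regions if size(r) > page],
        "page_sized_regions": [r for r in regions if size(r) == page],
    }


def common_large_sizes(a, b):
    """Multi-page region sizes seen in both runs (addresses differ between runs, sizes tend not to)."""
    def sizes(r):
        return {e - s for s, e in r["large_regions"]}
    return sorted(sizes(a) & sizes(b))


if __name__ == "__main__":
    for label, names in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        r = analyze(names)
        print(f"{label}: pid {r['pid']}, image mapping 0x{r['image_size']:X} bytes")
        for (s, e), n in sorted(r["region_counts"].items()):
            print(f"  0x{s:08X}-0x{e:08X} size 0x{e - s:X} dumped {n}x")
        print("  image-sized non-image regions:", [f"0x{s:X}-0x{e:X}" for s, e in r["image_sized_regions"]])
    print("large sizes common to both runs:", [hex(x) for x in common_large_sizes(analyze(BEHAVIORAL1), analyze(BEHAVIORAL2))])
```

The single-page (0x1000-byte) dumps, twelve per run, are the ones to look at last; the two multi-page sizes that recur across both platforms are where an unpacked image or its working buffer would be found.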