Malware Analysis Report

2025-08-05 15:57

Sample ID 240612-fjqxaa1eqp
Target d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505
SHA256 d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505
Tags
score
7/10

Analysis Overview

score
7/10

SHA256

d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505

Threat Level: Shows suspicious behavior

The file d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505 was found to show suspicious behavior.

Malicious Activity Summary


Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 04:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 04:54

Reported

2024-06-12 04:56

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\codecupdate.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe

"C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe"

C:\Users\Admin\AppData\Local\Temp\codecupdate.exe

"C:\Users\Admin\AppData\Local\Temp\codecupdate.exe"

Network


Files

memory/4932-1-0x0000000000501000-0x0000000000502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\codecupdate.exe

MD5 c75d13c161a2eeff6f81cb1d2eb61ce8
SHA1 f995b38f6ac0af26dff65e2b2e8ac6ef86ac0a17
SHA256 b2222f3a0a5c042279a2e49874acd23fbe042b7857b19d28232356867026701e
SHA512 471f9e7412883ab37ec9f202fcbc917169509a5ff333022701acd8ead1b2955db79b3c4a863d3e4781cfdc02a2dc7182e04c2be841ec18095e8b1c3941c86fdf

memory/2704-9-0x0000000000500000-0x0000000000507000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 04:54

Reported

2024-06-12 04:57

Platform

win7-20240611-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\codecupdate.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … C:\Users\Admin\AppData\Local\Temp\codecupdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\codecupdate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe

"C:\Users\Admin\AppData\Local\Temp\d8526bf93c489c5e634cf3028d4b80a9f4c353364ba634748cfe618ebc01f505.exe"

C:\Users\Admin\AppData\Local\Temp\codecupdate.exe

"C:\Users\Admin\AppData\Local\Temp\codecupdate.exe"

Network


Files

memory/2440-1-0x0000000000501000-0x0000000000502000-memory.dmp

\Users\Admin\AppData\Local\Temp\codecupdate.exe

MD5 c75d13c161a2eeff6f81cb1d2eb61ce8
SHA1 f995b38f6ac0af26dff65e2b2e8ac6ef86ac0a17
SHA256 b2222f3a0a5c042279a2e49874acd23fbe042b7857b19d28232356867026701e
SHA512 471f9e7412883ab37ec9f202fcbc917169509a5ff333022701acd8ead1b2955db79b3c4a863d3e4781cfdc02a2dc7182e04c2be841ec18095e8b1c3941c86fdf

memory/2156-8-0x0000000000500000-0x0000000000507000-memory.dmp