Malware Analysis Report

2025-08-05 11:48

Sample ID 241031-fh99ja1ckl
Target c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a
SHA256 c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a
Tags upx defense_evasion discovery persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a

Threat Level: Shows suspicious behavior

The file c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a was classified as: Shows suspicious behavior.

Malicious Activity Summary

upx defense_evasion discovery persistence

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Indicator Removal: File Deletion

Adds Run key to start application

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 04:53

Signatures

UPX packed file

upx
Description / Indicator / Process / Target: N/A

Unsigned PE

Description / Indicator / Process / Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 04:53

Reported

2024-10-31 04:56

Platform

win7-20241010-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe"

Signatures

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\windows\SysWOW64\cmd.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\wuauclt.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe
Target: N/A

Indicator Removal: File Deletion

defense_evasion

UPX packed file

upx
6 matches; Description / Indicator / Process / Target: N/A for each

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Target: N/A
Process (3 matches):
  C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe
  C:\ProgramData\Update\wuauclt.exe
  C:\windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe

"C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe"

C:\ProgramData\Update\wuauclt.exe

"C:\ProgramData\Update\wuauclt.exe" /run

C:\windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe" >> NUL

Network

Country | Destination | Domain | Proto
CA | 158.69.115.115:443 | (none) | tcp

Files

memory/2448-0-0x0000000000820000-0x0000000000848000-memory.dmp

\ProgramData\Update\wuauclt.exe

MD5 1b9ccdef36529713682b9ee3230cfe2a
SHA1 5b944671c115135a15a83dd8e42901626945cabf
SHA256 a61a8d8d05074a9e1fbf251a7acb6311a32ebc8f9fefdfb7a8e1e12a70783b3e
SHA512 2756fb8dd8487e7f26bc89f0fa7beb854d9fda56f2f4f9eec00f7613bcfa88d9c9dd265dc8e4b2f4647662e44b47537bdef074f6816149795dbede442dbab362

memory/2448-5-0x0000000000140000-0x0000000000168000-memory.dmp

memory/2748-7-0x0000000000A60000-0x0000000000A88000-memory.dmp

memory/2448-8-0x0000000000820000-0x0000000000848000-memory.dmp

memory/2448-9-0x0000000000140000-0x0000000000168000-memory.dmp

memory/2748-10-0x0000000000A60000-0x0000000000A88000-memory.dmp

memory/2448-11-0x0000000000820000-0x0000000000848000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 04:53

Reported

2024-10-31 04:56

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\wuauclt.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe
Target: N/A

Indicator Removal: File Deletion

defense_evasion

UPX packed file

upx
6 matches; Description / Indicator / Process / Target: N/A for each

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Target: N/A
Process (3 matches):
  C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe
  C:\ProgramData\Update\wuauclt.exe
  C:\windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe

"C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe"

C:\ProgramData\Update\wuauclt.exe

"C:\ProgramData\Update\wuauclt.exe" /run

C:\windows\SysWOW64\cmd.exe

"C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\c7558a103ce1f39442d0755e04450f76d17aefa2a4c1c7ca1c375fa873754f0a.exe" >> NUL

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
CA | 158.69.115.115:443 | (none) | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 connections)

Files

memory/1240-0-0x0000000000E40000-0x0000000000E68000-memory.dmp

C:\ProgramData\Update\wuauclt.exe

MD5 eace89df76bdc5bc490b62009552f42f
SHA1 65b8faac3c1f7db64114282759fcf6cb761ec60b
SHA256 0d00408b8fa7258e55f47ac27be87358e59185527de8d79c68b884a71aaf52f4
SHA512 9a9adabb590d43cbba6a7b89d0a95b2b8261991b69c131c1ce9d2b6dadc730bf47df9502b2b463fc388dce1aa7dc545541b75b28990959043ace045e44d7f096

memory/2028-4-0x0000000000990000-0x00000000009B8000-memory.dmp

memory/1240-6-0x0000000000E40000-0x0000000000E68000-memory.dmp

memory/2028-7-0x0000000000990000-0x00000000009B8000-memory.dmp

memory/1240-8-0x0000000000E40000-0x0000000000E68000-memory.dmp