Malware Analysis Report

2025-08-10 13:41

Sample ID: 241107-m4tbgazqby
Target: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN
SHA256: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2a
Tags: upx, discovery, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2a

Threat Level: Shows suspicious behavior

The file 227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: upx, discovery, persistence

Drops startup file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
UPX packed file
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-07 11:01

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 11:01
Reported: 2024-11-07 11:03
Platform: win7-20241023-en
Max time kernel: 120s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(8 identical hits, no further detail recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
    "C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe"

C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

Network

Country | Destination | Domain | Proto
N/A | 172.24.160.1:2016 | (none) | tcp
(6 identical connections recorded)

Files

memory/2064-0-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2064-15-0x0000000000560000-0x0000000000570000-memory.dmp

memory/2064-14-0x0000000000560000-0x0000000000570000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    MD5:    69ee7fb4d9a6f974c0d93cfe8d00f231
    SHA1:   92b20fc3b6f992d8c62f2bc2431ad36ec07a0824
    SHA256: 202b09ce7b30895b4ab10a1503364769293dab7cbe42d946249d6306b9417873
    SHA512: 10920d416d1681b108aa7e9630e7fc85f2990bb85704017ab6b9e0ce11f7bb5eec0874566d689f9a3c9ffb725c730f278540850b27182a46f1ed01f18b1466c4

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    MD5:    c021b067fbdde54e68c1b2d963ea52fe
    SHA1:   23d49e83d849e8b6e41d4b673eb8540ae3d7f5b9
    SHA256: cb6b6496217c51f0a2e87b6230d239a44729d9f7e4355bb5544737a997374cf8
    SHA512: 28b2d9d97cb8e0d96134177da6e051686e0e63a672e52db28513028aec029e2cf8f6b6b5f1818d647fa313c079f95d73ab7742754030f7ece8b647406ec1f6c9

memory/2064-18-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2064-20-0x0000000000560000-0x0000000000570000-memory.dmp

memory/2064-19-0x0000000000560000-0x0000000000570000-memory.dmp

memory/2064-24-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2064-27-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2064-31-0x0000000000400000-0x0000000000551000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    MD5:    84f8f4fb96538c8eb808e2488a64871b
    SHA1:   533d741ba3f31b62b83a91baac5c75914e4a37af
    SHA256: 0636c5bb460f3c6d7c58656ea9805560cd2bd78c08b6b26a3a7aa13b43c22a3e
    SHA512: e1f2b1ce21ca5755e9c353722ecb8190d51c951c46bd0929fd0a775280043dd51de2c6d0d50546ee777f68c23ceebecbf52ea60a152fda437547cdee5fe860e0

memory/2064-34-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2064-37-0x0000000000400000-0x0000000000551000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-07 11:01
Reported: 2024-11-07 11:03
Platform: win10v2004-20241007-en
Max time kernel: 109s
Max time network: 116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(8 identical hits, no further detail recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A
(14 identical hits from the same process)

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe
    "C:\Users\Admin\AppData\Local\Temp\227f4329652a68a26db28e292e84a1b979bd49558059598d9bf282e01d65da2aN.exe"

C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
N/A | 172.24.160.1:2016 | (none) | tcp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
N/A | 172.24.160.1:2016 | (none) | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
N/A | 172.24.160.1:2016 | (none) | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
N/A | 172.24.160.1:2016 | (none) | tcp
N/A | 172.24.160.1:2016 | (none) | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
N/A | 172.24.160.1:2016 | (none) | tcp

Files

memory/4768-0-0x0000000000400000-0x0000000000551000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    MD5:    c27bd09014639717f357e760798f2a31
    SHA1:   77ae1018eb892017944a30b372334ea7cb440c65
    SHA256: 072267782bb86bc6c9a08b8e621ef78c660ccd3a721d1a34982904d7a7e7286b
    SHA512: d22945e746467e08391011a9aa404186d701326239dd77688457a690c0db23c5de219876773db5220ad0c45dbd4380e72f977445d1ef27b675f09ed849d7e720

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    MD5:    42b600ea78e0be80600584cb81f68896
    SHA1:   ec14dc3927f84df3e9eeae0828df483c19000c9e
    SHA256: 6aafb75bafbf8a9aa0ba9a67308ef5c817ec814fdf564cf87de304c6faba6fd2
    SHA512: 7caed924ce74a800802c6aca73f3438637a49c7628300cf9304728f9275aa38c828cf0260276ffee02721948c442456a5ba429ecc7bfce5d6649e390bd6beefb

memory/4768-17-0x0000000000400000-0x0000000000551000-memory.dmp

memory/4768-20-0x0000000000400000-0x0000000000551000-memory.dmp

memory/4768-23-0x0000000000400000-0x0000000000551000-memory.dmp

memory/4768-27-0x0000000000400000-0x0000000000551000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    MD5:    84f8f4fb96538c8eb808e2488a64871b
    SHA1:   533d741ba3f31b62b83a91baac5c75914e4a37af
    SHA256: 0636c5bb460f3c6d7c58656ea9805560cd2bd78c08b6b26a3a7aa13b43c22a3e
    SHA512: e1f2b1ce21ca5755e9c353722ecb8190d51c951c46bd0929fd0a775280043dd51de2c6d0d50546ee777f68c23ceebecbf52ea60a152fda437547cdee5fe860e0

memory/4768-30-0x0000000000400000-0x0000000000551000-memory.dmp

memory/4768-33-0x0000000000400000-0x0000000000551000-memory.dmp