Malware Analysis Report

2025-08-06 01:20

Sample ID: 241107-sdk53awrhl
Target: 24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N
SHA256: 24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57
Tags: discovery persistence upx
Score: 8/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 8/10

SHA256: 24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57

Threat Level: Likely malicious

The file 24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery persistence upx

Boot or Logon Autostart Execution: Active Setup

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-07 15:00

Signatures

UPX packed file (upx)

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 15:00
Reported: 2024-11-07 15:02
Platform: win7-20240903-en
Max time kernel: 91s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msbyc32.exe" | C:\Windows\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msbyc32.exe" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\svchost.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\svchost.exe | N/A |

Modifies system executable filetype association (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\svchost.exe | N/A |

Adds Run key to start application (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\svchost.exe | N/A |

UPX packed file (upx)

5 matches; no indicator details recorded (Description, Indicator, Process and Target all N/A).

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| File opened for modification | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |

System Location Discovery: System Language Discovery (discovery)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4 | C:\Windows\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165" | C:\Windows\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9 | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Windows\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f | C:\Windows\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226 | C:\Windows\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1ACBD426-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 4f34f59ebc15d27431dbdd50dd02637a | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\svchost.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe"

C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe

Network

N/A

Files

memory/2500-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe
  MD5:    ceb7740a33c31e25a78a6f809f7bdbc9
  SHA1:   694ba3138c789d04e14f8acd8d5dc3e443382523
  SHA256: 25d6b879e63f3f067363eacc67388b245d186c6e5f665f891972faa84a03d85f
  SHA512: bcf0b6768cfb5c37972e92bd3f30c3a6823b0d35161207d93788c6f40f5894d5e75bde77b73b94322779f58e3c3f17b3aafb66c9a27fc5970c2de9d6fd367749

C:\Windows\svchost.exe
  MD5:    1122b7b3fee2d537675dd70615c337d7
  SHA1:   047c1ce8b4c235ca655517af4d51c2a6dc22cc91
  SHA256: 6bb05040f38bbe35a2063e8a038508ebb8eb4b1187aa2a4e503ec3e7f1267d9f
  SHA512: c81b423f81cb292ff07aed92d23cf768693faedf3afece77b71b55701a12081522c18e104fc61d38a2348ee0d83b986ab5c8fb2649ab5ada9a611e0f81e50300

memory/2500-15-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2500-13-0x0000000001B60000-0x0000000001B99000-memory.dmp

memory/1040-16-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-07 15:00
Reported: 2024-11-07 15:02
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63A9D195-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63A9D195-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msbyc32.exe" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |

Modifies system executable filetype association (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |

Adds Run key to start application (persistence)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |

UPX packed file (upx)

3 matches; no indicator details recorded (Description, Indicator, Process and Target all N/A).

System Location Discovery: System Language Discovery (discovery)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63A9D195-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63A9D195-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63A9D195-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9 | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63A9D195-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 4f34f59ebc15d27431dbdd50dd02637a | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24d0dc9cfec2375e31892b9caf32557c0714c1d55c7f2bcc15c6c83919740d57N.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1804 -ip 1804

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 700

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |

Files

memory/1804-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe
  MD5:    ceb7740a33c31e25a78a6f809f7bdbc9
  SHA1:   694ba3138c789d04e14f8acd8d5dc3e443382523
  SHA256: 25d6b879e63f3f067363eacc67388b245d186c6e5f665f891972faa84a03d85f
  SHA512: bcf0b6768cfb5c37972e92bd3f30c3a6823b0d35161207d93788c6f40f5894d5e75bde77b73b94322779f58e3c3f17b3aafb66c9a27fc5970c2de9d6fd367749

memory/1804-7-0x0000000000400000-0x0000000000439000-memory.dmp