Malware Analysis Report

2025-08-06 01:19

Sample ID 241107-sl946avcld
Target 55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN
SHA256 55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137a
Tags
upx discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137a

Threat Level: Shows suspicious behavior

The file 55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx discovery

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

UPX packed file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:14

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:14

Reported

2024-11-07 15:16

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\asih.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe

"C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 emrlogistics.com udp
US 3.18.7.81:443 emrlogistics.com tcp
US 3.19.116.195:443 emrlogistics.com tcp
US 3.18.7.81:443 emrlogistics.com tcp
US 3.19.116.195:443 emrlogistics.com tcp
US 3.18.7.81:443 emrlogistics.com tcp
US 3.19.116.195:443 emrlogistics.com tcp

Files

memory/2328-0-0x0000000000500000-0x000000000050F000-memory.dmp

memory/2328-1-0x00000000004B0000-0x00000000004B6000-memory.dmp

memory/2328-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/2328-2-0x00000000004B0000-0x00000000004B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\asih.exe

MD5 6f298d16675c35aa6bd25c0fa697858a
SHA1 86f2daf0b26851e02d2d58b2a2d1ff8ff9d77eac
SHA256 51407a2e6ffa519cdc07c038256b75166ef49cfe04d1f3e32f45c31720cc04a1
SHA512 9b1369b1d0bef0963fb95c46b7a20cfc242416598538740df5a197e6d5f2820e72a0238e0cf7e3561fe5a8a7974b8be55b68683994fa5226c5bc3d264e85facd

memory/2328-13-0x00000000023A0000-0x00000000023AF000-memory.dmp

memory/2768-18-0x0000000000500000-0x000000000050F000-memory.dmp

memory/2328-17-0x0000000000500000-0x000000000050F000-memory.dmp

memory/2768-20-0x0000000000280000-0x0000000000286000-memory.dmp

memory/2768-27-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2768-28-0x0000000000500000-0x000000000050F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 15:14

Reported

2024-11-07 15:16

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\asih.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe

"C:\Users\Admin\AppData\Local\Temp\55cc4c2219be1d3772897d7adf8966b64e05eecb74db00a316b41a631c58137aN.exe"

C:\Users\Admin\AppData\Local\Temp\asih.exe

"C:\Users\Admin\AppData\Local\Temp\asih.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 emrlogistics.com udp
US 18.119.154.66:443 emrlogistics.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 3.140.13.188:443 emrlogistics.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 18.119.154.66:443 emrlogistics.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 3.140.13.188:443 emrlogistics.com tcp
US 18.119.154.66:443 emrlogistics.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 3.140.13.188:443 emrlogistics.com tcp

Files

memory/2276-0-0x0000000000500000-0x000000000050F000-memory.dmp

memory/2276-1-0x00000000004E0000-0x00000000004E6000-memory.dmp

memory/2276-2-0x00000000004E0000-0x00000000004E6000-memory.dmp

memory/2276-3-0x00000000005E0000-0x00000000005E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\asih.exe

MD5 6f298d16675c35aa6bd25c0fa697858a
SHA1 86f2daf0b26851e02d2d58b2a2d1ff8ff9d77eac
SHA256 51407a2e6ffa519cdc07c038256b75166ef49cfe04d1f3e32f45c31720cc04a1
SHA512 9b1369b1d0bef0963fb95c46b7a20cfc242416598538740df5a197e6d5f2820e72a0238e0cf7e3561fe5a8a7974b8be55b68683994fa5226c5bc3d264e85facd

memory/2276-18-0x0000000000500000-0x000000000050F000-memory.dmp

memory/1564-20-0x00000000004D0000-0x00000000004D6000-memory.dmp

memory/1564-21-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/1564-27-0x0000000000500000-0x000000000050F000-memory.dmp