Malware Analysis Report

2025-08-05 10:32

Sample ID 241107-tex2pavkdw
Target cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN
SHA256 cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440d
Tags: upx discovery persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440d

Threat Level: Likely malicious

The file cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery persistence

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:58

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:58

Reported

2024-11-07 16:00

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mspqt32.exe" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\spoolsv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mspqt32.exe" | C:\Windows\spoolsv.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\spoolsv.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\spoolsv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\spoolsv.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\spoolsv.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
File opened for modification | C:\Windows\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spoolsv.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3 | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226 | C:\Windows\spoolsv.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4 | C:\Windows\spoolsv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165" | C:\Windows\spoolsv.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\spoolsv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\ax = c05bfb529e36ccc7a953139edbacc394 | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\spoolsv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Windows\spoolsv.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f | C:\Windows\spoolsv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E2E3D0-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe

"C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe"

C:\Windows\spoolsv.exe

C:\Windows\spoolsv.exe

Network

N/A

Files

memory/2792-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe

MD5 7c6022450d2921fe3b19139d32da5a46
SHA1 4db702553c2e1c97edbbe1380de072d992ca5be0
SHA256 05ae2bd0b57877da1bfbcf5c0a32eb01c7bb9900e4af8c8e28ad6bfe085fb6a5
SHA512 c77d7f98f9ab64a77bca5f3a01959dba5df24edcd151c9bd623637013e1228c144b2df6bd15782f37e6f3e05026be75a96de828c298b5d6ccebdd992dea24949

memory/2792-13-0x0000000000230000-0x0000000000269000-memory.dmp

memory/2792-15-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2268-16-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\spoolsv.exe

MD5 4ef845d997823e87967dd247bd5b8a6d
SHA1 5dd2674d6ab98441613c24c215ec3ab5e0e64a2f
SHA256 2c6eebc4b25098e63cd515572be6814fde8a90e55f3c10c258519ea235d22690
SHA512 173834a01b90bae680d84dea37b36a6a6ee3a555c2c0e5f4c15a0694921452430a7cdab38aeed2e2d66532c83a0280470f7ce765932100410d0aa036a613688e

memory/2268-17-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 15:58

Reported

2024-11-07 16:00

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42D4BB1A-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42D4BB1A-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mspqt32.exe" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D4BB1A-8B9A-11D5-EBA1-F78EEEEEE983}\ax = c05bfb529e36ccc7a953139edbacc394 | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D4BB1A-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D4BB1A-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D4BB1A-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3 | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe

"C:\Users\Admin\AppData\Local\Temp\cda5d08af50e0de1d77cfd6bb5c4352e6c05ad2f856a3408a9cbccb30232440dN.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 776

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/4392-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe

MD5 7c6022450d2921fe3b19139d32da5a46
SHA1 4db702553c2e1c97edbbe1380de072d992ca5be0
SHA256 05ae2bd0b57877da1bfbcf5c0a32eb01c7bb9900e4af8c8e28ad6bfe085fb6a5
SHA512 c77d7f98f9ab64a77bca5f3a01959dba5df24edcd151c9bd623637013e1228c144b2df6bd15782f37e6f3e05026be75a96de828c298b5d6ccebdd992dea24949

memory/4392-7-0x0000000000400000-0x0000000000439000-memory.dmp