Malware Analysis Report

2025-06-15 23:12

Sample ID 241109-neqdystclk
Target 8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N
SHA256 8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0
Tags: upx adware discovery persistence stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0

Threat Level: Known bad

The file 8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N was found to be: Known bad.

Malicious Activity Summary

upx adware discovery persistence stealer

Modifies WinLogon for persistence

Sets service image path in registry

Drops file in Drivers directory

Modifies system executable filetype association

Installs/modifies Browser Helper Object

Adds Run key to start application

Modifies WinLogon

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-09 11:18

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 11:18
Reported: 2024-11-09 11:20
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe

"C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 fewfwe.com udp
US 3.18.7.81:80 fewfwe.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 fewfwe.net udp
US 8.8.8.8:53 crl.microsoft.com udp
CH 80.67.82.104:80 crl.microsoft.com tcp

Files

memory/2636-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 cb9853a340ddb4d8c910a6b2c32c7724
SHA1 e1dfd48b3049529869ddaaf2f5631aabb2cc01ad
SHA256 4522e1d11856617d1bd15acc26c8e1aabdb6b7899ce34c639ba4b93a24314932
SHA512 a33ed106d97d90f63d56dc11ab35d5bf86be2bcac672be7dbbf487a46ec1597188749ccbc2a897df91d6ea108813b3cc0b6c40f3799a2bbfc52414d87a3777a2

memory/2636-23-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 11:18
Reported: 2024-11-09 11:20
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\drivers\\spools.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe

"C:\Users\Admin\AppData\Local\Temp\8d7bc3d7175f3d25eb9897a0c2677f3a27c974f75ead7fbe992a087876579eb0N.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 fewfwe.com udp
US 34.205.242.146:80 fewfwe.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 104.26.6.37:443 www.hugedomains.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 fewfwe.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.242.205.34.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 37.6.26.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2260-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\cftmon.exe

MD5 116429d613ef14c20e05129e390f4d61
SHA1 0f3e1674eff85b89ab5bcde64a561e57ddd7e04b
SHA256 772579cec788ae99d4fa4ff6e71a5a8400168dd99b54dc16234c336cdae23982
SHA512 61a84f9fc4bcb4e4db53393b6c549dc842f2c8bcd42902cf2c12231dfe04cb15865d5c2a8fe15064cf8e2e4acfc070245d67f9a040f3cf63e7e0d8edcda3e6c2

memory/2260-14-0x0000000000400000-0x000000000040E000-memory.dmp