Malware Analysis Report

2025-06-15 23:12

Sample ID 241109-nj6azatdnc
Target 79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N
SHA256 79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115
Tags
discovery persistence upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115

Threat Level: Likely malicious

The file 79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N was found to be: Likely malicious.

Read together, the two detonations show a UPX-packed, unsigned 32-bit executable (Wow6432Node and SysWOW64 paths throughout, image at 0x400000-0x439000) that sets up persistence three ways: an Active Setup Installed Components entry whose StubPath is a bare file name with no directory (msvwn32.exe on Windows 7, msqfn32.exe on Windows 10); a Run value VCL = "vcl32.exe" under both HKLM and the user's hive; and a rewrite of the exefile shell\open\command handler to C:\Windows\SysWow64\concp32.exe "%1" %*, so that every .exe started through the shell (Explorer, ShellExecute) passes through the dropped concp32.exe. That last change matters for cleanup as much as for detection: removing concp32.exe without restoring the stock value "%1" %* leaves the shell unable to launch any .exe. On Windows 7 the sample also drops C:\Windows\svchost.exe (the genuine svchost.exe lives in System32 and SysWOW64) and executes it; on Windows 10 the sample process crashes (WerFault) and no svchost.exe drop is recorded. Both runs read HKLM\SYSTEM\ControlSet001\Control\NLS\Language and write a CLSID key under Classes\Wow6432Node\CLSID with an InprocServer32 subkey and binary values that look like stored configuration (sm and ax in both runs; u0, u1, u2 and v on Windows 7). The GUID, the StubPath file name, the ax value and the concp32.exe hashes differ between the runs, so they are per-run artifacts rather than stable indicators; the exefile handler path, the Run value name VCL, the NLS\Language read and sm = ebb5525fa3bcf9422c8ff945977d6af9 recur in both. No network connection is attributed to the sample in either run.

Malicious Activity Summary

discovery persistence upx

Boot or Logon Autostart Execution: Active Setup

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15 techniques corresponding to the tagged signatures in this report:

Persistence: T1547.014 Boot or Logon Autostart Execution: Active Setup; T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; T1546.001 Event Triggered Execution: Change Default File Association
Defense Evasion: T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)
Discovery: T1614.001 System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2024-11-09 11:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
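Both static signatures can be reproduced from the PE headers alone. The following Python is an added example, not the sandbox's static engine: inspect_pe walks the DOS, COFF, optional and section headers with the standard library, reports UPX-named sections, sections with no raw data (the unpacker's destination), and whether a WIN_CERTIFICATE entry is present; triage turns that into the report's two signature names. build_test_pe constructs a header-only image for the demonstration; it is not loadable and is not derived from the sample.

```python
"""Static PE triage (added example, not the sandbox's static engine): UPX-style
section names, sections with no raw data (the unpacker's destination) and
whether a WIN_CERTIFICATE entry exists. Standard library only, so the header
offsets are spelled out: e_lfanew at 0x3C, a 20-byte COFF header, the data
directory table at +96 (PE32) or +112 (PE32+) of the optional header,
IMAGE_DIRECTORY_ENTRY_SECURITY = 4, 40-byte section headers. build_test_pe
makes a header-only image for the demonstration; it is not loadable and is not
derived from the sample."""
import struct
from typing import Dict, List, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
SECTION_HEADER = "<8sIIII16x"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest


def inspect_pe(data: bytes) -> Dict[str, object]:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        dd_table = opt + 96        # PE32
    elif magic == 0x20B:
        dd_table = opt + 112       # PE32+
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    n_dirs = struct.unpack_from("<I", data, dd_table - 4)[0]   # NumberOfRvaAndSizes
    cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", data, dd_table + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, empty_raw = [], []
    base = opt + opt_size
    for i in range(nsections):
        raw_name, vsize, _, rawsize, _ = struct.unpack_from(SECTION_HEADER, data, base + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append(name)
        if rawsize == 0 and vsize > 0:
            empty_raw.append(name)   # space reserved in memory but nothing on disk
    return {
        "sections": sections,
        "upx_names": [s for s in sections if s.upper().startswith("UPX")],
        "empty_raw_sections": empty_raw,
        "has_authenticode_blob": cert_size > 0,
    }


def triage(data: bytes) -> List[str]:
    """Verdict lines in the wording of the report's static signatures."""
    r = inspect_pe(data)
    out = []
    if r["upx_names"]:
        out.append("UPX packed file")
    elif r["empty_raw_sections"]:
        out.append("Packer-like section layout")
    if not r["has_authenticode_blob"]:
        out.append("Unsigned PE")
    return out


def build_test_pe(sections: List[Tuple[str, int, int]], with_cert: bool) -> bytes:
    """Header-only PE32 image from (name, VirtualSize, SizeOfRawData) tuples (constructed test input)."""
    opt_size = 224                                   # PE32 optional header incl. 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if with_cert:                                    # pretend a WIN_CERTIFICATE blob is attached
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x4000, 0x1800)
    hdrs, vaddr, rawptr = b"", 0x1000, 0x400
    for name, vsize, rawsize in sections:
        hdrs += struct.pack(SECTION_HEADER, name.encode("ascii"), vsize, vaddr, rawsize, rawptr)
        vaddr += (vsize + 0xFFF) & ~0xFFF
        rawptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed images: a UPX-style layout with no signature, and a plain signed one.
PACKED = build_test_pe([("UPX0", 0x30000, 0), ("UPX1", 0x9000, 0x8800), (".rsrc", 0x1000, 0x1000)], False)
CLEAN = build_test_pe([(".text", 0x5000, 0x5000), (".rdata", 0x1000, 0x1000)], True)

if __name__ == "__main__":
    print("packed:", triage(PACKED))
    print("clean: ", triage(CLEAN))
```

Two caveats on reading the output. has_authenticode_blob only says a certificate table entry exists; whether the signature verifies (chain, timestamp, revocation) needs the OS trust check, for example Get-AuthenticodeSignature or signtool verify /pa. Section names are trivially renamed and a header-stripped UPX binary will neither show UPX0/UPX1 nor unpack with upx -d; the empty-raw-data heuristic survives the rename, which is why it is reported separately.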

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 11:26

Reported

2024-11-09 11:28

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msvwn32.exe" | C:\Windows\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msvwn32.exe" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svchost.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\svchost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 identical rows)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
File opened for modification | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\svchost.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9 | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Windows\svchost.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f | C:\Windows\svchost.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4 | C:\Windows\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165" | C:\Windows\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\ax = ce0b6cb7e491c4728bd2053922a6de17 | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226 | C:\Windows\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe N/A
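The signature rows in this run, the Malicious Activity Summary above and the matching rows in the Windows 10 run below are the raw material for a detection mapping. The following Python is an added example, not the sandbox's own classifier: it reads rows written one per line as Description | Indicator | Process | Target and emits an ATT&CK technique for each persistence, discovery or masquerading behaviour this sample shows. The ATT&CK IDs, the stock exefile handler "%1" %* and the genuine svchost.exe directories are standard facts; the row layout, the rules, the svchost.exe location rule (which the report itself does not tag) and the constructed contrast row are this example's own.

```python
"""Map sandbox event rows to ATT&CK techniques (added example, not the
sandbox's own classifier). Rows are "Description | Indicator | Process | Target",
one per line; a Set value indicator is '<key path> = <value>'. ATT&CK IDs, the
stock exefile handler and the genuine svchost.exe directories are standard facts;
the row layout, the rules and the constructed rows below are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_EXEFILE_COMMAND = '"%1" %*'        # stock HKCR\exefile\shell\open\command
GENUINE_SVCHOST_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


@dataclass
class Event:
    op: str                 # "Set value (str)", "Key created", "File created", ...
    path: str               # registry key/value path or file path
    value: Optional[str]    # decoded value for Set value rows, else None
    process: str


@dataclass
class Finding:
    technique: str
    name: str
    process: str
    detail: str


def _unquote(raw: str) -> str:
    """Undo the C-style quoting the report applies to (str) values."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def parse_row(line: str) -> Optional[Event]:
    """One table row -> Event; header and all-N/A rows give None."""
    cols = [c.strip() for c in line.split(" | ")]
    if len(cols) != 4 or cols[0] in ("Description", "N/A"):
        return None
    op, indicator, process = cols[0], cols[1], cols[2]
    if op.startswith("Set value") and " = " in indicator:
        path, raw = indicator.split(" = ", 1)
        return Event(op, path, _unquote(raw) if op == "Set value (str)" else raw, process)
    return Event(op, indicator, None, process)


def classify(ev: Event) -> Optional[Finding]:
    """Persistence, discovery and masquerading rules for one event."""
    p, v = ev.path.lower(), ev.value or ""
    is_set = ev.op.startswith("Set value")
    if is_set and "\\classes\\exefile\\shell\\open\\command" in p:
        # Anything but the stock handler puts the sample in front of every shell .exe launch.
        if v.strip() == DEFAULT_EXEFILE_COMMAND:
            return None
        return Finding("T1546.001", "Change Default File Association", ev.process,
                       f"exefile handler -> {v}")
    if is_set and "\\active setup\\installed components\\" in p and p.endswith("\\stubpath"):
        note = "" if "\\" in v else " (bare file name, no directory)"
        return Finding("T1547.014", "Active Setup", ev.process, f"StubPath = {v}{note}")
    if is_set and "\\currentversion\\run\\" in p:
        name = ev.path.rsplit("\\", 1)[-1]
        return Finding("T1547.001", "Registry Run Keys", ev.process, f"{name} = {v}")
    if ev.op == "Key opened" and p.endswith("\\control\\nls\\language"):
        return Finding("T1614.001", "System Language Discovery", ev.process, ev.path)
    if ev.op.startswith("File") and p.endswith("\\svchost.exe") \
            and not any(d in p for d in GENUINE_SVCHOST_DIRS):
        return Finding("T1036.005", "Match Legitimate Name or Location", ev.process,
                       f"{ev.op}: {ev.path}")
    return None


def classify_rows(rows: List[str]) -> List[Finding]:
    events = (parse_row(r) for r in rows)
    return [f for f in (classify(e) for e in events if e) if f]


# Constructed input: rows taken from the Windows 7 detonation tables plus one
# clean exefile row (stock handler) that must not be flagged.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe"
ASETUP = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}"
CLSID = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17FAD008-8B9A-11D5-EBA1-F78EEEEEE983}"
EXEFILE = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\"
SAMPLE_ROWS = [
    "Description | Indicator | Process | Target",
    f'Set value (str) | {ASETUP}\\StubPath = "msvwn32.exe" | C:\\Windows\\svchost.exe | N/A',
    f"Key created | {ASETUP} | {SAMPLE} | N/A",
    f'Set value (str) | {EXEFILE} = "C:\\\\Windows\\\\SysWow64\\\\concp32.exe \\"%1\\" %*" | {SAMPLE} | N/A',
    f'Set value (str) | \\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\VCL = "vcl32.exe" | {SAMPLE} | N/A',
    f"File created | C:\\Windows\\svchost.exe | {SAMPLE} | N/A",
    "Key opened | \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language | C:\\Windows\\svchost.exe | N/A",
    f"Set value (data) | {CLSID}\\sm = ebb5525fa3bcf9422c8ff945977d6af9 | {SAMPLE} | N/A",
    f'Set value (str) | {EXEFILE} = "\\"%1\\" %*" | C:\\Windows\\explorer.exe | N/A',  # constructed: stock handler
    "N/A | N/A | N/A | N/A",
]

if __name__ == "__main__":
    for f in classify_rows(SAMPLE_ROWS):
        print(f"{f.technique:10} {f.name:38} {f.process}\n           {f.detail}")
```

The exefile rule is the one to get right in remediation as well as detection: it fires on any handler other than the stock "%1" %*, and the same comparison tells a cleanup script whether the value still needs to be written back after concp32.exe is removed. The Active Setup rule flags a StubPath with no directory component, which is what both detonations wrote.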

Processes

C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe

"C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

This is the file dropped into C:\Windows in this run, started with no arguments. The genuine svchost.exe lives in %SystemRoot%\System32 (and SysWOW64) and is launched by services.exe with a -k <service group> argument, so a bare C:\Windows\svchost.exe process is a hunt-worthy indicator on its own.

Network

N/A

Files

memory/1716-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe

MD5 1fd0a34a538bc4fbcd1ea0fbf51710b7
SHA1 8941495f781238047c48b4b847e46b741a10482d
SHA256 54dcf5cbce8268a37dcac479c30f388431c52cd9b64605e965f9a91f1df9a0dd
SHA512 e80308f62e5c0de6521ec08eab0da8ed8bd298b04d50c4be4d7913cbe090f4ed99144c2a8b0baec864470e7ad4ac9ad2185a4408d3e02fd1cc4eb83cae977997

memory/1716-13-0x00000000002C0000-0x00000000002F9000-memory.dmp

C:\Windows\svchost.exe

MD5 507544b52e25c5ae3d519345553fb182
SHA1 f506271e582016b9ecdcce03ae05a7fe87cccff3
SHA256 792795a522f193065f383f939ddfed5a91f653c5766dacd1de02b358e3835438
SHA512 a6551b0881ec762d4ebec7cf296f0cfe502ac08ab0e1490f6fcbdafd558d6fdae8434b0e95ce6c0131306a81ed3f52e68b5e0aed9a8c9e370a81c083de7aaebc

memory/1716-14-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1216-16-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 11:26

Reported

2024-11-09 11:28

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B73E6A7-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B73E6A7-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msqfn32.exe" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 identical rows)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B73E6A7-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B73E6A7-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B73E6A7-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9 | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B73E6A7-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 914c55ea7bcb7de11d853ba0ea6fda6e | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe

"C:\Users\Admin\AppData\Local\Temp\79f79e7fdd867e701fbae0f4cebc9dd49537e3d40cdc227446227e34dcfe5115N.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 628

PID 4848 in the WerFault command lines is the sample process itself (the memory/4848-0 and memory/4848-7 dumps under Files carry the same PID), so the "Program crash" signature in the summary refers to the sample crashing on Windows 10, not to a crashed child. Unlike the Windows 7 run, no C:\Windows\svchost.exe is dropped or executed here; the registry persistence and the concp32.exe drop were recorded before the process died.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 179.108.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.108.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

All ten entries are reverse (PTR) lookups sent to 8.8.8.8; no outbound connection, forward name resolution or HTTP activity is recorded, and none of the traffic is attributed to the sample's process. Treat these as sandbox or OS background noise unless process attribution shows otherwise, and do not lift the reversed addresses into an indicator list.

Files

memory/4848-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe

MD5 8b7b57b28e3ff0290b645fc8c8de8445
SHA1 721ad1ba5b5f5b0577167110305a5956ff67cda1
SHA256 bf2451144d7339c651ebd3ec786c67da4035f8e3aed286be7d938f01f81e4f85
SHA512 78ab1363432625d9d169b2926691a9f380e74ec064b98331fb49c926b70c71002c6a7cc32d6e8eb05946c5155d720a2b24e552a65a8683a62da12bfc7d657804

memory/4848-7-0x0000000000400000-0x0000000000439000-memory.dmp