Malware Analysis Report

2025-05-28 21:06

Sample ID 241109-qv1kzavgpn
Target 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N
SHA256 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369
Tags
discovery evasion execution upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369

Threat Level: Likely malicious

The file 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution upx

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 13:35

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
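Added example, not part of this report or of the sandbox's own tooling: a dependency-free Python check that reproduces the two static verdicts above. It walks the DOS, COFF and optional headers to list section names (stock UPX leaves UPX0/UPX1, sometimes UPX2) and reads the Authenticode certificate-table directory entry, whose absence is what "Unsigned PE" means in practice. The `build_test_pe` helper constructs a header-only PE32 image for offline testing and stands in for the sample; it is not derived from it.

```python
import struct

# PE/COFF constants from the Microsoft PE format specification.
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Authenticode certificate table
# Section names the stock UPX packer emits; a patched UPX may rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def static_indicators(data: bytes) -> dict:
    """Parse the PE headers and report UPX-style sections and Authenticode presence."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        num_dirs_off, dirs_off = 92, 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    sec_off, sec_size = 0, 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # The security entry holds a raw file offset (not an RVA) and a size.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size
    sections = [struct.unpack_from("<8s", data, table + 40 * i)[0].rstrip(b"\0")
                for i in range(num_sections)]
    return {
        "sections": sections,
        "upx_packed": any(s in UPX_SECTION_NAMES for s in sections),
        # Presence only: a non-empty certificate table, not a verified signature.
        "authenticode_present": sec_off != 0 and sec_size != 0,
    }


def build_test_pe(section_names, cert_table_size=0) -> bytes:
    """Constructed header-only PE32 image for offline testing; not the analysed sample."""
    dos = bytearray(64)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, len(dos))               # e_lfanew right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                      # PE32 header with 16 directories
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    if cert_table_size:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x2000, cert_table_size)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), *([0] * 9))
                     for n in section_names)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + table


if __name__ == "__main__":
    print(static_indicators(build_test_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

Run it against a real file with `static_indicators(open(path, "rb").read())`. Two caveats: packers can rename sections, so no match does not rule out UPX (`upx -d` on a copy, or a search for the UPX! marker UPX writes into its packed header, is the next step), and a populated certificate table only means a signature is attached, not that it verifies; `signtool verify /pa` answers that.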

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 13:35

Reported

2024-11-09 13:37

Platform

win7-20241010-en

Max time kernel

78s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe"

Signatures

Stops running service(s)

evasion execution
Observed as sc.exe stop wscsvc (the Windows Security Center service), run first by the sample and again by the dropped smss.exe; see Processes below.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2872 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | C:\Windows\SysWOW64\sc.exe
PID 2872 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | C:\Windows\SysWOW64\sc.exe
PID 2872 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | C:\Windows\SysWOW64\sc.exe
PID 2872 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | C:\Windows\SysWOW64\sc.exe
PID 2872 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 2872 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 2872 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 2872 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 2744 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 2744 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 2744 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 2744 wrote to memory of 2752 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe

Every write goes from a parent into a process it has just launched (2872 into 2896 and 2744, 2744 into 2752); no writes into unrelated processes are listed, so these entries are consistent with process creation rather than injection into a third-party process.

Processes

Process tree (parent/child relationships and PIDs taken from the WriteProcessMemory entries above; the command lines name system32 but the images run from SysWOW64 because the sample is 32-bit and WOW64 file system redirection applies):

C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe (PID 2872)
"C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe"

    C:\Windows\SysWOW64\sc.exe (PID 2896, child of 2872)
    C:\Windows\system32\sc.exe stop wscsvc

    C:\Windows\SysWOW64\1230\smss.exe (PID 2744, child of 2872)
    C:\Windows\system32\1230\smss.exe -d

        C:\Windows\SysWOW64\sc.exe (PID 2752, child of 2744)
        C:\Windows\system32\sc.exe stop wscsvc
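Added example, not part of this report: detection logic that encodes the three behaviours in this process list (a security service stopped through sc.exe, a core system binary name executing outside System32/SysWOW64, and sc.exe launched by a parent in a user-writable path), run over process-creation events constructed from the PIDs and paths above. The parent of PID 2872 and the two benign control events are assumed; field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the service and system-binary lists are this example's assumptions, with only wscsvc taken from the report. The rules match on Image rather than CommandLine because, for this 32-bit sample, the command line names system32 while WOW64 redirection actually runs the SysWOW64 copy.

```python
import ntpath

# Hunting lists: assumptions for this example, extend to taste. Only wscsvc comes
# from the report; the others are well-known Windows security service names.
SECURITY_SERVICES = {"wscsvc", "windefend", "mpssvc", "securityhealthservice", "sense"}
# Core binaries that legitimately run only from the Windows system directories.
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe",
                       "lsass.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def _norm(path: str) -> str:
    """Case-fold and drop surrounding quotes; Windows paths are case-insensitive."""
    return path.strip().strip('"').lower()


def rule_stops_security_service(ev: dict) -> bool:
    """sc.exe stop <svc> where <svc> is a security component."""
    if ntpath.basename(_norm(ev["Image"])) != "sc.exe":
        return False
    args = _norm(ev["CommandLine"]).split()
    return len(args) >= 3 and args[1] == "stop" and args[2] in SECURITY_SERVICES


def rule_system_binary_outside_system_dir(ev: dict) -> bool:
    """A core-binary name (smss.exe here) executing from anywhere but System32/SysWOW64."""
    img = _norm(ev["Image"])
    return (ntpath.basename(img) in SYSTEM_BINARY_NAMES
            and ntpath.dirname(img) not in SYSTEM_DIRS)


def rule_user_writable_parent_spawns_sc(ev: dict) -> bool:
    """sc.exe launched by a parent living in a user-writable location (here %TEMP%)."""
    parent = _norm(ev["ParentImage"])
    return (ntpath.basename(_norm(ev["Image"])) == "sc.exe"
            and any(marker in parent for marker in USER_WRITABLE_MARKERS))


RULES = {
    "stops_security_service": rule_stops_security_service,
    "system_binary_outside_system_dir": rule_system_binary_outside_system_dir,
    "user_writable_parent_spawns_sc": rule_user_writable_parent_spawns_sc,
}


def evaluate(events) -> list:
    """Return (rule_name, ProcessId) pairs for every event/rule match."""
    return [(name, ev["ProcessId"])
            for ev in events for name, rule in RULES.items() if rule(ev)]


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe")

# Constructed events: PIDs and paths from the behavioral1 tree; the parent of 2872
# and the two benign controls (PIDs 600 and 700) are assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 2872, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 2896, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop wscsvc", "ParentImage": SAMPLE},
    {"ProcessId": 2744, "Image": r"C:\Windows\SysWOW64\1230\smss.exe",
     "CommandLine": r"C:\Windows\system32\1230\smss.exe -d", "ParentImage": SAMPLE},
    {"ProcessId": 2752, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop wscsvc",
     "ParentImage": r"C:\Windows\SysWOW64\1230\smss.exe"},
    # Benign controls: the real Session Manager, and an admin querying the service.
    {"ProcessId": 600, "Image": r"C:\Windows\System32\smss.exe",
     "CommandLine": r"\SystemRoot\System32\smss.exe", "ParentImage": "System"},
    {"ProcessId": 700, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query wscsvc", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:36} PID {pid}")
```

The third rule is the noisiest of the three (legitimate installers extracted to a temporary directory also invoke sc.exe), so treat it as a score contributor; the first two are high-confidence on their own.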

Network

N/A

Files

memory/2872-0-0x0000000000400000-0x0000000000422000-memory.dmp

\Windows\SysWOW64\1230\smss.exe

MD5 a6c080a7ee452327034346750b5f4cea
SHA1 7a081ee5307d671efefcd6ed16877c134ed8e403
SHA256 988bce3b4913512a60280efdccbc14e85d9df87f1b1ce9809ffe788582c23253
SHA512 229595b4c2cc1b805e91e963778c46922f8538a57b8b7790ca612d36e46ff04b417d80f644e145546fa93b6dc690921c8b1e4dbd2734298eb35dddc31c89cac2

memory/2744-13-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2872-11-0x00000000003A0000-0x00000000003C2000-memory.dmp

memory/2872-10-0x00000000003A0000-0x00000000003C2000-memory.dmp

memory/2872-19-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2744-21-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 13:35

Reported

2024-11-09 13:37

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe"

Signatures

Stops running service(s)

evasion execution
Observed as sc.exe stop wscsvc (the Windows Security Center service), run twice; see Processes below.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe

"C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

C:\Windows\SysWOW64\1230\smss.exe

C:\Windows\system32\1230\smss.exe -d

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.208.201.84.in-addr.arpa | udp

All eleven entries are PTR (reverse-DNS) lookups sent to 8.8.8.8, i.e. name resolution for 199.232.210.172, 51.11.168.232 and so on (octets reversed). The report lists no other connections and does not attribute these queries to a particular process, so they are not usable as indicators for this sample on their own.

Files

memory/2612-0-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\SysWOW64\1230\smss.exe

MD5 cb6f96e866ca64abdd6bde7f7f03c5a4
SHA1 a333effdd2e3394d7955795999e6ba45d979438e
SHA256 78ce1cdd5517b603473ed997d85e1e47cdd71d7cb0df2f12f4466972777357f9
SHA512 8f82b9bf0472506335ba07881a64275a1fc2ec275a5e7f2544044301660e9dff2ab17709f7f39d5ebf4293bd9fa738dbf32810fcb48f63de073d8f2db5f4b05a

This dropped smss.exe hashes differently from the one dropped in behavioral1 (MD5 a6c080a7ee452327034346750b5f4cea), so the dropped file's hash is not a stable pivot between runs; the drop path C:\Windows\SysWOW64\1230\smss.exe and the sc.exe stop wscsvc behaviour are consistent across both detonations.

memory/5004-7-0x0000000000400000-0x0000000000422000-memory.dmp

memory/5004-14-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2612-13-0x0000000000400000-0x0000000000422000-memory.dmp