Malware Analysis Report

2025-05-06 04:20

Sample ID 241109-s4lvaaxdpl
Target 0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN
SHA256 0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00d
Tags
discovery upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00d

Threat Level: Shows suspicious behavior

The file 0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery upx

Executes dropped EXE

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:40

Reported

2024-11-09 15:42

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\NWC.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\NWC.EXE C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe N/A
File opened for modification C:\WINDOWS\NWC.EXE C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\WINDOWS\NWC.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\WINDOWS\NWC.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe

"C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe"

C:\WINDOWS\NWC.EXE

C:\WINDOWS\NWC.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4068 -ip 4068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 264

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sys.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1360-0-0x0000000000510000-0x0000000000520000-memory.dmp

memory/1360-1-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\NWC.EXE

MD5 58f36f67134fcac45149c01bacc53ca0
SHA1 b973ce2097c356c3a2452ea4ceb006a0ca3d9817
SHA256 0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00d
SHA512 aba0a933276968e9b2a06ff4fca0b6e98461bbaeddd15e11388b24fffe5301ca2f9b91ad5ed0dc58743e75a2fb87cf1046322c73d4cf102bd9e91d213c0fccfc

memory/4068-6-0x0000000000510000-0x0000000000520000-memory.dmp

memory/4068-7-0x00000000001C0000-0x00000000001CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sys.bat

MD5 1c14c9f3df6eec3d4da6223c2105249d
SHA1 2779a4f686a0c33eef723710c45f5e38dd9fd69c
SHA256 c3cfa5bc5aac47ce0b6e8601471e69c0343538d855d4054aece63833915ccec5
SHA512 4c08d021e797bbab0c8ab50f2ef585858cd537ecb85229d8f5978075f13f8f70f2afa5d0680a2a18adbcb7ae92096aa6f048af06203e197998dd1165ed2c927d

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:40

Reported

2024-11-09 15:42

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe

"C:\Users\Admin\AppData\Local\Temp\0ba9f200b9220fe05159c97876bb824e102364720db53b5608db95192359d00dN.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 88

Network

N/A

Files

memory/1660-1-0x0000000000020000-0x000000000002E000-memory.dmp

memory/1660-0-0x0000000000510000-0x0000000000520000-memory.dmp

memory/1660-2-0x0000000000510000-0x0000000000520000-memory.dmp