Malware Analysis Report

2025-04-03 19:53

Sample ID 241109-xwla1azglg
Target 87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N
SHA256 87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791
Tags
upx discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791

Threat Level: Likely malicious

The file 87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery persistence

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:12

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:12

Reported

2024-11-09 19:14

Platform

win7-20240903-en

Max time kernel

91s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msctf32.exe" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983} C:\Windows\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msctf32.exe" C:\Windows\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983} C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\spoolsv.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" C:\Windows\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" C:\Windows\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" C:\Windows\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
File created C:\Windows\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\spoolsv.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4 C:\Windows\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165" C:\Windows\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" C:\Windows\spoolsv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3 C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\ax = c82cb36011a0a0a015a6739355250031 C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 C:\Windows\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983} C:\Windows\spoolsv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f C:\Windows\spoolsv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226 C:\Windows\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983} C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4874BAF5-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe

"C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe"

C:\Windows\spoolsv.exe

C:\Windows\spoolsv.exe

Network

N/A

Files

memory/2400-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe

MD5 13e610f85e6de85110760bd7bdb08c79
SHA1 d44b7ba4cb27f5991cb7cfe75e45e95d772d5683
SHA256 5e1ba6f1a21bb71f646574e58e474ba7c937aad2d52625064880db2021cde63d
SHA512 70ba6b39e1dec333e245ac75b2a0e2c9bea858480bba91d48610c93b79e4f171abd77b5efb257b81404a47a014aca57be35c71ab814988087b4c5dd6f59fa34a

memory/2400-10-0x00000000002A0000-0x00000000002D9000-memory.dmp

C:\Windows\spoolsv.exe

MD5 df35fe9ed39a2519b964070032dd9a61
SHA1 3c7bc476e136e20d78869c979dc9007257a8c396
SHA256 08d2865c7daa8366ea1f86a484e7bb5e4deac01f93e57d13b7ba84c43b50301b
SHA512 f8fffd741bee8af03a583cf186961d0db08b00450a6399f88bcb17450cedebd6091abaa43db6452ba7ecb7a99ebf76857f600e5c0e05da882a48c635fb4600d3

memory/2800-16-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2400-14-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2800-17-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:12

Reported

2024-11-09 19:14

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67275450-8B9A-11D5-EBA1-F78EEEEEE983} C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67275450-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mslth32.exe" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67275450-8B9A-11D5-EBA1-F78EEEEEE983} C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67275450-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67275450-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3 C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67275450-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 4b00f76d7dad1c79736c6dad84cbea03 C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe

"C:\Users\Admin\AppData\Local\Temp\87f6a0b6ea613ced876bd497497a4123bb6d127e50515298a773cbdc9a5d1791N.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 728

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2060-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe

MD5 88129a5564dd3407a19dfc3b35f1e323
SHA1 28b6fa205af7fdf517fd3bec41befd34737cee2f
SHA256 f789aa7d07d445d0be1687b6d8d94c549905b8dc824b6b15f8c3dfbb8ad21533
SHA512 a6943e464a96d67b4f3336e785a5ddb2ea3170bda76fdad8fdc8e9333e228f54709371a119e0aa7bea4b97de6aa24726a235b7cc2641a03854d11adaacafbb3d

memory/2060-7-0x0000000000400000-0x0000000000439000-memory.dmp