Malware Analysis Report

2025-06-16 00:41

Sample ID: 241110-1tkhgawcnm
Target: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251
SHA256: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251
Tags: upx, discovery, evasion, execution
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251

Threat Level: Likely malicious

The file 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251 was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, evasion, execution

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 21:56

Signatures

UPX packed file

Tags: upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 21:56
Reported: 2024-11-10 21:59
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe"

Signatures

Stops running service(s)

Tags: evasion, execution

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A

UPX packed file

Tags: upx

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2500 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | C:\Windows\SysWOW64\sc.exe
PID 2500 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | C:\Windows\SysWOW64\sc.exe
PID 2500 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | C:\Windows\SysWOW64\sc.exe
PID 2500 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | C:\Windows\SysWOW64\sc.exe
PID 2500 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 2500 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 2500 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 2500 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 2016 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 2016 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 2016 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 2016 wrote to memory of 2316 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | "C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe"
C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe stop wscsvc

Network

N/A

Files

memory/2500-0-0x0000000000400000-0x0000000000422000-memory.dmp

\Windows\SysWOW64\1230\smss.exe

MD5 f27c6d2ab9d6c286a5c6631c36ed829a
SHA1 d0f9f77b5599b482f83c71f9a51f9656f4e18425
SHA256 c3325f5f991dceb1864c6cd22cfec2b743408968c27888f866369fb11483f90e
SHA512 ac29e89443680476a5736059cc6fcc786bbf66f658a5faca79abeb38986bd099e2074a308534ee42ac3d9a5c409959599ecfa62998dbf4bbf504465646c2de21

memory/2500-16-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2016-18-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 21:56
Reported: 2024-11-10 21:59
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe"

Signatures

Stops running service(s)

Tags: evasion, execution

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A

UPX packed file

Tags: upx

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | "C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe"
C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe | C:\Windows\system32\sc.exe stop wscsvc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp

Files

memory/1920-0-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\SysWOW64\1230\smss.exe

MD5 b3d3815eab1a084ba566c1ccc74a72de
SHA1 6bc0725cc2353ad97417b026362f3a24e5fb745f
SHA256 3cb3bf7a6184d3f0038cef5cdedd26c990b06763c49c1196b018b2195fcad84c
SHA512 71406398db01c01ee276be096c22be38af3ac810d1ea06a9ed099be82cbc537c1f6264a273c583541609d5917b0d72df262bcdac18c7df56e05d249ec1b26b2c

memory/1920-11-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3104-13-0x0000000000400000-0x0000000000422000-memory.dmp