Malware Analysis Report

2025-04-03 19:48

Sample ID 241110-hbr6gs1las
Target 3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN
SHA256 3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dc
Tags: discovery evasion execution upx
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dc

Threat Level: Likely malicious

The file 3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution upx

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 06:34

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 entries)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 06:34
Reported: 2024-11-10 06:36
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe"

Signatures

Stops running service(s)

evasion execution

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 entries)

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe

"C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

C:\Windows\SysWOW64\1230\smss.exe

C:\Windows\system32\1230\smss.exe -d

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/3612-0-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\SysWOW64\1230\smss.exe

MD5 96b4ab1ecc0ef0514ffd3bb18e60de84
SHA1 6a72a892d4c2a31d8c45ece0d4cc88add9c3bd90
SHA256 6a4ffb52c0b9457734db7b430ca7f7e004e6053edf472b56b404341c123b3c5b
SHA512 1ad0b5f276c042de0c6855090bd9340c7f9b2880416192f013fb492d1d07519276b7c477f7f54f4015bbb457763295ee9b659c74e340960d35623eb2fedfcd4e

memory/4000-11-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3612-13-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 06:34
Reported: 2024-11-10 06:36
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe"

Signatures

Stops running service(s)

evasion execution

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 entries)

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3008 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | C:\Windows\SysWOW64\sc.exe (4 identical entries)
PID 3008 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | C:\Windows\SysWOW64\1230\smss.exe (4 identical entries)
PID 596 wrote to memory of 2364 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe

"C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

C:\Windows\SysWOW64\1230\smss.exe

C:\Windows\system32\1230\smss.exe -d

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

Network

N/A

Files

memory/3008-0-0x0000000000400000-0x0000000000422000-memory.dmp

\Windows\SysWOW64\1230\smss.exe

MD5 f31b1d0d2dabfbf38ed4d2365ff40ed4
SHA1 21a49e9cd9367f5d7254d71c125ad54b11630e1b
SHA256 60e466ba14b73585ed9ed950c389b2b2a03d155235ec9cd1313b9edba763b654
SHA512 e127516d09bfa9ee868f1a6086fc5735a3ad7dd1b90c3ec609fd26a428c2ec9fbaaf4aed9dc86ff8502b849e4319c978fdc1b434cdc9a4ea97617a622aa6cead

memory/3008-11-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/3008-10-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/596-19-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3008-20-0x0000000000400000-0x0000000000422000-memory.dmp