Malware Analysis Report

2025-04-03 19:48

Sample ID 241110-hd5vcssang
Target 9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N
SHA256 9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30
Tags
upx discovery evasion execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30

Threat Level: Likely malicious

The file 9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N was found to be: Likely malicious.

Behaviour observed in both detonations (details in the behavioral sections below): the sample is a UPX-packed, unsigned 32-bit PE; its sc.exe and smss.exe children are WOW64 processes, which is why the recorded "C:\Windows\system32\..." command lines resolve to images under SysWOW64. It launches sc.exe stop wscsvc to stop the Windows Security Center service, writes an executable to C:\Windows\SysWOW64\1230\smss.exe (a name borrowed from the Session Manager, which only ever runs from C:\Windows\System32\smss.exe) and starts it with the argument -d. That child repeats sc.exe stop wscsvc and opens C:\Windows\SysWOW64\Service.exe for modification. The dropped smss.exe hashes differently in the Win7 and Win10 runs, so the drop path and the service stop are the stable indicators, not the dropped file's hash. No network traffic is attributed to any of these processes in either run.

Malicious Activity Summary

upx discovery evasion execution

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 06:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
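
The two static signatures above (UPX packed file, Unsigned PE) can be reproduced from the PE headers alone. The following is an added example written for this page, not the sandbox's own signature code: it parses the section table and the Security data directory with the standard library, and builds constructed header-only PE images (not this sample) to exercise both checks. Run it with a file path to triage a real binary.

```python
"""Static PE header checks reproducing the report's two static1 signatures
('UPX packed file', 'Unsigned PE') with the standard library only.
Added example; not the sandbox's own signature code."""
import struct
import sys

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # names stock UPX assigns
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                  # Authenticode directory slot


def _headers(data):
    """Locate the COFF header; return (optional_header_offset, its size, section count)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    return coff + 20, opt_size, nsect


def section_names(data):
    """Names from the section table (each IMAGE_SECTION_HEADER is 40 bytes, name first 8)."""
    opt, opt_size, nsect = _headers(data)
    table = opt + opt_size
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0").decode("latin-1")
            for i in range(nsect)]


def looks_upx_packed(data):
    """Mirror of the 'UPX packed file' heuristic: stock UPX section names, or the
    'UPX!' stamp UPX writes into the file. Both are trivially renamed or patched,
    so a negative result does not prove the file is unpacked; confirm a positive
    one by unpacking (upx -d) or by section entropy."""
    if {n.encode("latin-1") for n in section_names(data)} & UPX_SECTION_NAMES:
        return True
    return b"UPX!" in data


def has_authenticode_signature(data):
    """True when the Security data directory is populated, i.e. a WIN_CERTIFICATE
    blob is attached. Presence is not validity: the chain and timestamp still need
    checking (signtool verify /pa, Get-AuthenticodeSignature)."""
    opt, opt_size, _ = _headers(data)
    (magic,) = struct.unpack_from("<H", data, opt)
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layouts
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + opt_size:
        return False
    _offset, size = struct.unpack_from("<II", data, entry)
    return size > 0


def triage(data):
    return {"sections": section_names(data),
            "upx_packed": looks_upx_packed(data),
            "signed": has_authenticode_signature(data)}


def build_test_pe(names, signed=False, pe32plus=False):
    """Constructed, header-only PE (not loadable, not the report's sample): just
    enough DOS stub, COFF header, optional header and section table for the checks."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if signed:   # fake Security directory entry: (file offset, size)
        struct.pack_into("<II", opt, (112 if pe32plus else 96) +
                         IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x1000, 0x800)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real file: python upx_check.py sample.exe
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:                                       # no file given: run on constructed headers
        print(triage(build_test_pe([b"UPX0", b"UPX1", b".rsrc"])))
        print(triage(build_test_pe([b".text", b".data"], signed=True, pe32plus=True)))
```

Both checks are what the sandbox's static pass amounts to: a name and stamp heuristic for UPX, and a "directory present" test for the signature. Neither proves the negative, which is why the behavioral runs, not the static score, carry the verdict.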

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 06:38

Reported

2024-11-10 06:40

Platform

win7-20240903-en

Max time kernel

15s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe"

Signatures

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\1230\smss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\1230\smss.exe C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe N/A
File opened for modification C:\Windows\SysWOW64\1230\smss.exe C:\Windows\SysWOW64\1230\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Service.exe C:\Windows\SysWOW64\1230\smss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\1230\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe N/A
N/A N/A C:\Windows\SysWOW64\1230\smss.exe N/A

Suspicious use of WriteProcessMemory

Every write below lands in a process the writer has just created (2420 into sc.exe 3020 and 1230\smss.exe 3028; 3028 into sc.exe 2108), matching the Processes tree. That is consistent with process creation itself rather than injection into a pre-existing process, so this signature adds nothing beyond the child launches already listed.

Description Indicator Process Target
PID 2420 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe C:\Windows\SysWOW64\sc.exe
PID 2420 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe C:\Windows\SysWOW64\sc.exe
PID 2420 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe C:\Windows\SysWOW64\sc.exe
PID 2420 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe C:\Windows\SysWOW64\sc.exe
PID 2420 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe C:\Windows\SysWOW64\1230\smss.exe
PID 2420 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe C:\Windows\SysWOW64\1230\smss.exe
PID 2420 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe C:\Windows\SysWOW64\1230\smss.exe
PID 2420 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe C:\Windows\SysWOW64\1230\smss.exe
PID 3028 wrote to memory of 2108 N/A C:\Windows\SysWOW64\1230\smss.exe C:\Windows\SysWOW64\sc.exe
PID 3028 wrote to memory of 2108 N/A C:\Windows\SysWOW64\1230\smss.exe C:\Windows\SysWOW64\sc.exe
PID 3028 wrote to memory of 2108 N/A C:\Windows\SysWOW64\1230\smss.exe C:\Windows\SysWOW64\sc.exe
PID 3028 wrote to memory of 2108 N/A C:\Windows\SysWOW64\1230\smss.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe

"C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

C:\Windows\SysWOW64\1230\smss.exe

C:\Windows\system32\1230\smss.exe -d

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc
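
The process tree above, together with the Drops file in System32 directory signature, gives the detection hooks a defender would want from this run: sc.exe stopping wscsvc, an executable named smss.exe running outside C:\Windows\System32, a process from a user-writable path writing into SysWOW64, and execution of that dropped file. The following is an added example, not the sandbox's signatures or the sample's code. Its rules run over constructed Sysmon-style records that copy the PIDs, paths and command lines from this run; the parent of the initial process, the two benign records, and the security services listed besides wscsvc are assumptions.

```python
"""Detection logic for the behaviour chain in this report, run over constructed
Sysmon-style records (process creation + file write). Added example, not the
sandbox's own signatures; PIDs and paths are copied from the report, the parent
of the initial sample and the two benign records are assumptions."""
import ntpath
import re

# Services whose stop/delete/reconfigure is a defence-evasion signal. wscsvc
# (Windows Security Center) is the one this sample stops; the rest are an
# assumed list of other common AV/firewall/telemetry targets.
SECURITY_SERVICES = {"wscsvc", "windefend", "mpssvc", "securityhealthservice", "sense"}
SC_TAMPER_VERBS = {"stop", "delete", "config"}

# Core system binaries and the only directories they run from on a default
# install (lower-case). svchost.exe is the one with a legitimate WOW64 copy.
CORE_BINARY_HOMES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
USER_WRITABLE = re.compile(r"^c:\\(users\\[^\\]+|programdata|windows\\temp)\\", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)


def _tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _dir_and_base(image):
    d, b = ntpath.split(image)
    return d.lower(), b.lower()


def evaluate(events):
    """Run the rules over an ordered record stream; return [(pid, rule_name)]."""
    findings = []
    dropped = set()                      # paths written earlier in the stream
    for ev in events:
        if ev["type"] == "file_write":
            # Rule 1: a process from a user-writable location writes under System32/SysWOW64
            if SYSTEM_DIRS.match(ev["path"]) and USER_WRITABLE.match(ev["writer_image"]):
                findings.append((ev["pid"], "user_writable_process_writes_system_dir"))
            dropped.add(ev["path"].lower())
            continue
        image_dir, image_name = _dir_and_base(ev["image"])
        args = [a.lower() for a in _tokenize(ev["command_line"])[1:]]
        # Rule 2: sc.exe stopping/deleting/reconfiguring a security service
        if (image_name == "sc.exe" and len(args) >= 2
                and args[0] in SC_TAMPER_VERBS and args[1] in SECURITY_SERVICES):
            findings.append((ev["pid"], "sc_tamper_security_service"))
        # Rule 3: a core binary name running outside its home directory (masquerading)
        if image_name in CORE_BINARY_HOMES and image_dir not in CORE_BINARY_HOMES[image_name]:
            findings.append((ev["pid"], "core_binary_outside_its_home"))
        # Rule 4: the image being executed was written earlier in this stream
        if ev["image"].lower() in dropped:
            findings.append((ev["pid"], "executes_dropped_exe"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe"
DROPPED = r"C:\Windows\SysWOW64\1230\smss.exe"

# Constructed records reproducing the behavioral1 tree (PIDs 2420/3020/3028/2108
# from the report) plus two benign records that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2420, "image": SAMPLE, "command_line": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},                                  # parent assumed
    {"type": "file_write", "pid": 2420, "path": DROPPED, "writer_image": SAMPLE},
    {"type": "process", "pid": 3020, "image": r"C:\Windows\SysWOW64\sc.exe",
     "command_line": r"C:\Windows\system32\sc.exe stop wscsvc", "parent_image": SAMPLE},
    {"type": "process", "pid": 3028, "image": DROPPED,
     "command_line": r"C:\Windows\system32\1230\smss.exe -d", "parent_image": SAMPLE},
    {"type": "file_write", "pid": 3028, "path": r"C:\Windows\SysWOW64\Service.exe", "writer_image": DROPPED},
    {"type": "process", "pid": 2108, "image": r"C:\Windows\SysWOW64\sc.exe",
     "command_line": r"C:\Windows\system32\sc.exe stop wscsvc", "parent_image": DROPPED},
    {"type": "process", "pid": 400, "image": r"C:\Windows\System32\smss.exe",       # benign, assumed
     "command_line": r"\SystemRoot\System32\smss.exe", "parent_image": ""},
    {"type": "process", "pid": 5000, "image": r"C:\Windows\System32\sc.exe",        # benign, assumed
     "command_line": "sc query wscsvc", "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

Rule 3 is deliberately keyed on the image directory rather than on the literal 1230 subdirectory, since that number is just what this sample chose; the legitimate smss.exe has exactly one home. Rule 4 needs the file-write and process-create streams correlated in order, which is what the sandbox's Executes dropped EXE signature does internally.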

Network

N/A

Files

memory/2420-0-0x0000000000400000-0x0000000000422000-memory.dmp

\Windows\SysWOW64\1230\smss.exe

MD5 e1602e62a089421184e1ae7fe7e84f63
SHA1 6227665726f81c8577d19e15cbc6ebc36cbd2631
SHA256 ce5296d6821fa133ea3a2cd0a4e3ccc4218c494bde11739d252098fe5e610c32
SHA512 f6dcfa59fdaf8e8977b2c0b09d767dcb6d40b86c603a7186da3291f78343f09ee315df11ee169918e0be1a994a1766ce5cc0b91653870f3e8855ea4e193fa960

memory/3028-13-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2420-12-0x00000000005C0000-0x00000000005E2000-memory.dmp

memory/2420-11-0x00000000005C0000-0x00000000005E2000-memory.dmp

memory/2420-21-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3028-19-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 06:38

Reported

2024-11-10 06:40

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe"

Signatures

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\1230\smss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\1230\smss.exe C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe N/A
File opened for modification C:\Windows\SysWOW64\1230\smss.exe C:\Windows\SysWOW64\1230\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Service.exe C:\Windows\SysWOW64\1230\smss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\1230\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe N/A
N/A N/A C:\Windows\SysWOW64\1230\smss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe

"C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

C:\Windows\SysWOW64\1230\smss.exe

C:\Windows\system32\1230\smss.exe -d

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

All nine entries are PTR (reverse DNS) queries sent to the VM's resolver at 8.8.8.8; reversing the in-addr.arpa labels gives 52.137.106.217, 20.190.159.68, 192.229.221.95, 20.44.239.154, 172.202.163.200, 13.85.23.206, 2.23.210.88, 93.184.221.240 and 52.111.227.11. None of the queries is attributed to a process, and no connection by the sample, the dropped smss.exe or sc.exe was recorded in either run, so treat this as background host resolution rather than command-and-control unless the full capture shows otherwise.

Files

memory/3988-0-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\SysWOW64\1230\smss.exe

MD5 d9f3a2460c7035d69c1d0f59da5fcfb7
SHA1 d703ab9d0dd08c4fc732f455c908d0e28c4c8632
SHA256 86550bf4d8795871ab7fa596b96f0f50ad0adb07c7468f460ba690b1a35afc2b
SHA512 1326aa8b556fa6949d68a1632bf5e830b038296264d7589ee9b2edf7da4e7df310a0e31a95451fa94f9943e2ef15cf50189604919be06446aa471ac809671d82

memory/3988-11-0x0000000000400000-0x0000000000422000-memory.dmp

memory/548-13-0x0000000000400000-0x0000000000422000-memory.dmp