Malware Analysis Report

2025-08-05 11:31

Sample ID 241111-py2f1azalk
Target 0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5
SHA256 0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5

Threat Level: Likely malicious

The file 0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Adds Run key to start application

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 12:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 12:45

Reported

2024-11-11 12:48

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\stubpath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apple.exe" C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe

"C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\1.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 exeinfo1.org udp
US 8.8.8.8:53 blog.chosun.com udp
KR 218.145.28.120:80 blog.chosun.com tcp
US 8.8.8.8:53 blog.daum.net udp
US 8.8.8.8:53 opaoxf112.blog.163.com udp
CN 59.111.160.244:80 opaoxf112.blog.163.com tcp
US 8.8.8.8:53 lokias111234.blog.163.com udp
CN 59.111.160.244:80 lokias111234.blog.163.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\1.bat

MD5 07c55247fd9e8ad5cb866186ea6b5339
SHA1 8a48049ee19eaf4b5a9095de677e35ed8246f3d7
SHA256 7384d731390de7ecc588a1aadf77fc4244ff9ecf3e618f4b505e47b6e218280c
SHA512 514f3e154348cc2b01ee8d6b64bc8f994a0f474d2b76806ac956cf8b4f13eceb602edf0c678b23c6241abbc3c659338fa063bd2f2a706fb85c144ee211244e7c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 12:45

Reported

2024-11-11 12:48

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\3614402243784737 C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\3614402243784737\stubpath = "C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\apple.exe" C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Apple\Mobile Device Support\apple.exe C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe N/A
File opened for modification C:\Program Files\Common Files\Apple\Mobile Device Support\apple.exe C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe

"C:\Users\Admin\AppData\Local\Temp\0ad8db226d32c9b6e304552ce8f3af7663d6c82980e516f4a07c128e2eb55bd5.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\3614402243784737" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 exeinfo1.org udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 blog.chosun.com udp
KR 218.145.28.120:80 blog.chosun.com tcp
US 8.8.8.8:53 blog.daum.net udp
US 8.8.8.8:53 opaoxf112.blog.163.com udp
CN 59.111.160.244:80 opaoxf112.blog.163.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 120.28.145.218.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 lokias111234.blog.163.com udp
CN 59.111.160.244:80 lokias111234.blog.163.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\1.bat

MD5 07c55247fd9e8ad5cb866186ea6b5339
SHA1 8a48049ee19eaf4b5a9095de677e35ed8246f3d7
SHA256 7384d731390de7ecc588a1aadf77fc4244ff9ecf3e618f4b505e47b6e218280c
SHA512 514f3e154348cc2b01ee8d6b64bc8f994a0f474d2b76806ac956cf8b4f13eceb602edf0c678b23c6241abbc3c659338fa063bd2f2a706fb85c144ee211244e7c