Malware Analysis Report

2025-08-10 14:57

Sample ID 241112-n9v8pavqbp
Target f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe
SHA256 f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd
Tags upx, discovery, persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd

Threat Level: Likely malicious

The file f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags upx, discovery, persistence

Boot or Logon Autostart Execution: Active Setup

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15 (matrix rendering not reproduced). Standard technique IDs for the signatures listed above:

Boot or Logon Autostart Execution: Active Setup - T1547.014
Boot or Logon Autostart Execution: Registry Run Keys (Adds Run key to start application) - T1547.001
Event Triggered Execution: Change Default File Association (Modifies system executable filetype association) - T1546.001
System Location Discovery: System Language Discovery - T1614.001
Obfuscated Files or Information: Software Packing (UPX packed file) - T1027.002

Analysis: static1

Detonation Overview

Reported

2024-11-12 12:06

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
(1 match; no indicator details recorded)

Unsigned PE

Description | Indicator | Process | Target
(1 match; no indicator details recorded)
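The two static findings above (UPX section layout, no Authenticode signature) are the kind of check an analyst reproduces locally before detonation. The script below is an added example, not the sandbox's own detection code: it walks the PE section table with struct alone, scores on the UPX0/UPX1 section names and on per-section Shannon entropy, and builds a minimal constructed PE in build_sample_pe() so it runs offline. The function names, the 7.0-bit entropy threshold and the "empty section followed by a dense section" heuristic are this example's assumptions; the constructed images are not the analysed binary.

```python
"""Static packer check behind the 'UPX packed file' finding.

Added example, not part of the sandbox report. It walks the PE section
table with struct (no pefile dependency) and scores on UPX0/UPX1 section
names plus per-section Shannon entropy. build_sample_pe() fabricates a
minimal PE so the script runs offline; the samples are constructed here,
not taken from the analysed file.
"""
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_bytes) for each section header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, vsize, image[raw_ptr:raw_ptr + raw_size]


def packer_verdict(image: bytes, entropy_threshold: float = 7.0):
    """Return (looks_upx_packed, per_section_details).

    Stock UPX leaves UPX0 (no bytes on disk, large virtual size: the unpack
    target) and UPX1 (the compressed body, near-random bytes). Renamed
    sections keep that shape, so an empty section directly followed by a
    high-entropy one is used as a second, weaker indicator (heuristic)."""
    details = []
    for name, vsize, raw in pe_sections(image):
        details.append((name, vsize, len(raw), round(shannon_entropy(raw), 2)))
    upx_names = {"UPX0", "UPX1"} <= {d[0] for d in details}
    empty_then_dense = any(
        a[2] == 0 and a[1] > 0 and b[3] >= entropy_threshold and b[2] >= 1024
        for a, b in zip(details, details[1:])
    )
    return (upx_names or empty_then_dense), details


def build_sample_pe(sections):
    """Constructed minimal PE: MZ stub, PE signature, COFF header with
    SizeOfOptionalHeader = 0, then the section table and raw data at 0x200
    file alignment. Real files carry a 224/240-byte optional header;
    pe_sections() reads the size field, so both layouts parse."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    header_len = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_base = (header_len + 0x1FF) & ~0x1FF
    table, blobs = b"", b""
    for name, vsize, raw in sections:
        raw_ptr = raw_base + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
    image = dos + b"PE\0\0" + coff + table
    return image + b"\0" * (raw_base - len(image)) + blobs


_rng = random.Random(20241112)  # deterministic stand-in for compressed data
PACKED = build_sample_pe([
    ("UPX0", 0x30000, b""),
    ("UPX1", 0x9000, bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", 0x1000, b"\0" * 512),
])
PLAIN = build_sample_pe([
    (".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 128),  # repetitive code-like bytes
    (".data", 0x1000, b"\0" * 512),
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        verdict, rows = packer_verdict(img)
        print(label, "-> UPX-like:", verdict)
        for name, vsize, raw_len, ent in rows:
            print(f"  {name:<8} vsize={vsize:#x} raw={raw_len:#x} entropy={ent}")
```

Run it against a real file by replacing PACKED with open(path, "rb").read(). Section names are trivial to rename, which is why the entropy-plus-layout heuristic is kept alongside them; a custom-packed or encrypted sample that keeps a non-empty first section will still evade this check, so treat a negative result as "not stock UPX", not "not packed".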

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 12:06

Reported

2024-11-12 12:08

Platform

win7-20240903-en

Max time kernel

91s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msmcg32.exe" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msmcg32.exe" | C:\Windows\svchost.exe | N/A

Active Setup executes a component's StubPath once per user at the next interactive logon, whenever the HKLM component version is newer than the user's HKCU copy. The component GUID is not stable across detonations ({4D764F43-...} here, {3B77DD16-...} on win10 in behavioral2) while the suffix 8B9A-11D5-EBA1-F78EEEEEE983 is, so key detections on the StubPath value or on that suffix rather than on the full GUID.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svchost.exe | N/A

C:\Windows\svchost.exe is the file the sample wrote (see Files; SHA256 2dc431b47a23034024a7efb19e2a1b2d35c7fa30035c2355ea0ee75fc7843fa2), not the legitimate C:\Windows\System32\svchost.exe. The path alone is a usable indicator.

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

The stock value of this key is "%1" %*. After this write every executable launched through the shell is started via the dropped C:\Windows\SysWOW64\concp32.exe (SHA256 22f50e25a65ff0691a382f3c672cedee5951581ddb543a9db2f1293c08ca397c, see Files) with the original path passed as "%1", which both re-executes the payload on each launch and survives removal of the Run and Active Setup entries. During cleanup restore the default value before deleting concp32.exe; deleting the binary first leaves a host on which no .exe starts.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Windows\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

Neither vcl32.exe nor the Active Setup StubPath target msmcg32.exe appears among the files written in this detonation (see Files, which lists only concp32.exe and svchost.exe). Both entries are bare file names that would be resolved through the normal executable search path at logon, so they may belong to a stage not reached within the 91 s run.
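The three persistence tables above (Active Setup StubPath, the exefile handler rewrite, and the Run values) are the rows a responder actually acts on. The script below is an added example and not the sandbox's own code: it parses rows in the flattened "Description Indicator Process Target" layout used throughout this report, maps each registry write to an ATT&CK technique, and orders the cleanup so the exefile handler is restored before the proxy binary is deleted. The row grammar in ROW_RE, the function names parse_rows/classify/triage and the ATT&CK mapping are this example's assumptions; SAMPLE_ROWS is copied from the tables above with the sample path shortened to <sample>.exe.

```python
"""Triage of flattened sandbox signature rows into persistence indicators.

Added example, not part of the sandbox report. SAMPLE_ROWS is copied from
the behavioral1 tables (sample path shortened to <sample>.exe); the row
grammar, the ATT&CK mapping and the remediation ordering are assumptions
made here, not the sandbox's own logic.
"""
import re

SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msmcg32.exe" C:\Windows\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" C:\Windows\svchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" C:\Windows\svchost.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" C:\Users\Admin\AppData\Local\Temp\<sample>.exe N/A',
]

# Assumed row grammar: Set value (<type>) <key>\<name> = "<value>" <process> <target>
# Keys may contain spaces (Active Setup\Installed Components); value names and the
# process/target columns may not, which is what makes the split unambiguous.
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]*) = '
    r'"(?P<value>(?:[^"\\]|\\.)*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)

DEFAULT_EXEFILE_COMMAND = '"%1" %*'  # stock exefile handler: run the file with its arguments


def parse_rows(rows):
    """Return one dict per 'Set value' row; Key created / Key opened rows are skipped."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        d = m.groupdict()
        d["value"] = re.sub(r"\\(.)", r"\1", d["value"])  # undo the report's \\ and \" escaping
        parsed.append(d)
    return parsed


def classify(ind):
    """Map one registry write to a persistence technique, or None if it is not one."""
    key, name, value = ind["key"].lower(), ind["name"].lower(), ind["value"]
    if "\\active setup\\installed components\\" in key and name == "stubpath":
        return {"technique": "T1547.014", "label": "Active Setup StubPath", "artifact": value}
    if key.endswith("\\currentversion\\run"):
        return {"technique": "T1547.001", "label": "Run key " + ind["name"], "artifact": value}
    if (key.endswith("\\classes\\exefile\\shell\\open\\command") and name == ""
            and value != DEFAULT_EXEFILE_COMMAND):
        return {"technique": "T1546.001", "label": "exefile handler hijack", "artifact": value}
    return None


def triage(rows):
    """Return (findings, remediation_plan) for a list of report rows."""
    findings = [f for f in map(classify, parse_rows(rows)) if f]
    hijacked = any(f["technique"] == "T1546.001" for f in findings)
    plan = []
    if hijacked:
        # Order matters: once the proxy binary named in the handler is gone, every
        # .exe started through the shell fails until the handler is restored.
        plan.append("restore HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command to "
                    + DEFAULT_EXEFILE_COMMAND)
    plan += sorted({"remove " + f["label"] for f in findings if f["technique"] != "T1546.001"})
    if hijacked:
        plan.append("delete the proxy binary named in the handler, then the other dropped files")
    return findings, plan


if __name__ == "__main__":
    found, steps = triage(SAMPLE_ROWS)
    for f in found:
        print(f"{f['technique']}  {f['label']:<24} {f['artifact']}")
    print("\n".join(f"{i}. {s}" for i, s in enumerate(steps, 1)))
```

Feed it the full table text of a report (one row per list element) and it produces the same three technique IDs for this sample. The parser deliberately ignores "Key created" and "Key opened" rows; the value writes are what carry the persistence semantics, and the exefile check compares the unescaped value against the stock "%1" %* so a rewrite to any proxy binary, not only concp32.exe, is flagged.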

UPX packed file

upx
Description | Indicator | Process | Target
(5 matches; no indicator details recorded)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
File opened for modification | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Windows\svchost.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4 | C:\Windows\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Windows\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 0c17b9b84cde86754a57f30215fce405 | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Windows\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165" | C:\Windows\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9 | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f | C:\Windows\svchost.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D764F43-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226 | C:\Windows\svchost.exe | N/A

The CLSID key reuses the Active Setup component GUID and is used as opaque storage (values ax, sm, u0, u1, u2, v); no InprocServer32 default value naming a server DLL is written, so it is configuration, not a COM registration. The 16-byte sm (ebb5525fa3bcf9422c8ff945977d6af9) and ax (0c17b9b84cde86754a57f30215fce405) values are identical in the win10 detonation (behavioral2) even though the GUID changed, which makes them more stable indicators than the per-run GUID; the u0/u1/u2 values appear only in the run where svchost.exe executed.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe

"C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

Network

No network activity recorded (max network time 16 s).

Files

memory/2088-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe

MD5 930f76c4f0f7dd6d6ee8b1dfe2a28065
SHA1 b79de22e2dcf4bb807af9e9e74a031af38afd8b4
SHA256 22f50e25a65ff0691a382f3c672cedee5951581ddb543a9db2f1293c08ca397c
SHA512 5040e234d83c839571310ab40c0e73f907b50b8e24e18dd30d8dab857630d7f9031781a5af4b47e917578fec751e4a7f8051db13486a54c25d1527d7de87ad0b

memory/2088-13-0x00000000002D0000-0x0000000000309000-memory.dmp

C:\Windows\svchost.exe

MD5 183f93116d1dcf3215472d7c1aa05964
SHA1 625af0a067ed65e3c11c958ab70b75ca41d5d239
SHA256 2dc431b47a23034024a7efb19e2a1b2d35c7fa30035c2355ea0ee75fc7843fa2
SHA512 b4c5a75dab37957e33f1495fffb4baf422f6fb0e684c3a8a997371f3b1348385879104454d9664001c6d4a68c5f31515de5ca1cbc571342a83d9289575c0909b

memory/2088-15-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2712-16-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 12:06

Reported

2024-11-12 12:08

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B77DD16-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B77DD16-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msmcg32.exe" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(3 matches; no indicator details recorded)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B77DD16-8B9A-11D5-EBA1-F78EEEEEE983} | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B77DD16-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B77DD16-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9 | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B77DD16-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 0c17b9b84cde86754a57f30215fce405 | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe

"C:\Users\Admin\AppData\Local\Temp\f2e7f09f6fe98a130e5b96531c327e419e273729f6aaa218b6918ed3e564c7fd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3856 -ip 3856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 744

The WerFault.exe instances are Windows Error Reporting handling a crash of PID 3856, the sample itself (the memory dumps below carry that PID); this is the "Program crash" item in the summary. On this platform the sample wrote the registry persistence directly and dropped only concp32.exe (see Files); no C:\Windows\svchost.exe was written or executed, unlike in behavioral1.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp

All ten entries are reverse (PTR) lookups sent to 8.8.8.8; no outbound connection initiated by the sample was recorded, and the win7 detonation showed no network activity at all. Without a captured connection these lookups are not attributable to the sample and should not be used as indicators.

Files

memory/3856-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\concp32.exe

MD5 930f76c4f0f7dd6d6ee8b1dfe2a28065
SHA1 b79de22e2dcf4bb807af9e9e74a031af38afd8b4
SHA256 22f50e25a65ff0691a382f3c672cedee5951581ddb543a9db2f1293c08ca397c
SHA512 5040e234d83c839571310ab40c0e73f907b50b8e24e18dd30d8dab857630d7f9031781a5af4b47e917578fec751e4a7f8051db13486a54c25d1527d7de87ad0b

memory/3856-7-0x0000000000400000-0x0000000000439000-memory.dmp