Analysis Overview
SHA256
96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4
Threat Level: Shows suspicious behavior
The file 96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Unexpected DNS network traffic destination
UPX packed file
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 19:23
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 19:23
Reported
2025-07-02 19:26
Platform
win10v2004-20250610-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Syswow64\97df8710 | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\97df8710 | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\97df8710 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\97df8710 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\97df8710 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\97df8710 | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\5d5718 | C:\Windows\Syswow64\97df8710 | N/A |
| File opened for modification | C:\Windows\66a758 | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\97df8710 | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\97df8710 | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\97df8710 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\97df8710 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\97df8710 | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\97df8710 | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\97df8710 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\97df8710 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\97df8710 | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\97df8710 | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\97df8710 | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe
"C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe"
C:\Windows\Syswow64\97df8710
C:\Windows\Syswow64\97df8710
Network
| Country | Destination | Domain | Proto |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | dns.alidns.com | udp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | dns.alidns.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
Files
memory/5996-0-0x0000000000680000-0x0000000000709000-memory.dmp
C:\Windows\SysWOW64\97df8710
| MD5 | a2775f04118ee087e0cf98102835822f |
| SHA1 | d5bdca336492ec9aa57bad3ce3f55e4a44e63f2a |
| SHA256 | c84a8f02ceca333c17b5f9ab05a5e099f0a5cf97cb5f25a4f4f1f03a75cd9426 |
| SHA512 | 0e1d23dd8142076cc6a39380add27e0aeaa1f1f7c3d7586f2395ca8e3848c1696dc4f66ce49a6d6841e9b31cc2ab49ae3965ebbdf65140154efd4c344578508c |
memory/5452-4-0x0000000000250000-0x00000000002D9000-memory.dmp
memory/5996-10-0x0000000000680000-0x0000000000709000-memory.dmp
memory/5452-12-0x0000000000250000-0x00000000002D9000-memory.dmp
memory/5996-21-0x0000000000680000-0x0000000000709000-memory.dmp
memory/5452-22-0x0000000000250000-0x00000000002D9000-memory.dmp