Malware Analysis Report

2025-08-05 14:36

Sample ID 250702-x381msgj7w
Target 96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4
SHA256 96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4
Tags
upx discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4

Threat Level: Shows suspicious behavior

The file 96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4 was found to show suspicious behavior.

Malicious Activity Summary

upx discovery

Executes dropped EXE

Unexpected DNS network traffic destination

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-02 19:23

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-02 19:23

Reported

2025-07-02 19:26

Platform

win10v2004-20250610-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Syswow64\97df8710 | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\97df8710 | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\97df8710 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\97df8710 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\97df8710 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\97df8710 | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\5d5718 | C:\Windows\Syswow64\97df8710 | N/A
File opened for modification | C:\Windows\66a758 | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\97df8710 | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\97df8710 | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\97df8710 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\97df8710 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\97df8710 | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\97df8710 | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\97df8710 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\97df8710 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\97df8710 | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\97df8710 | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\97df8710 | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe

"C:\Users\Admin\AppData\Local\Temp\96c1b8ab6baba4ae9ff2af063d1c4007ab4acf62bdacc8246c7df6ec21fea4c4.exe"

C:\Windows\Syswow64\97df8710

C:\Windows\Syswow64\97df8710

Network

Country | Destination | Domain | Proto
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | down.nugong.asia | udp
US | 8.8.8.8:53 | down.nugong.asia | udp
US | 8.8.8.8:53 | dns.alidns.com | udp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | dns.alidns.com | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | down.nugong.asia | udp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp
CN | 223.6.6.6:80 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp

Files

memory/5996-0-0x0000000000680000-0x0000000000709000-memory.dmp

C:\Windows\SysWOW64\97df8710

MD5 a2775f04118ee087e0cf98102835822f
SHA1 d5bdca336492ec9aa57bad3ce3f55e4a44e63f2a
SHA256 c84a8f02ceca333c17b5f9ab05a5e099f0a5cf97cb5f25a4f4f1f03a75cd9426
SHA512 0e1d23dd8142076cc6a39380add27e0aeaa1f1f7c3d7586f2395ca8e3848c1696dc4f66ce49a6d6841e9b31cc2ab49ae3965ebbdf65140154efd4c344578508c

memory/5452-4-0x0000000000250000-0x00000000002D9000-memory.dmp

memory/5996-10-0x0000000000680000-0x0000000000709000-memory.dmp

memory/5452-12-0x0000000000250000-0x00000000002D9000-memory.dmp

memory/5996-21-0x0000000000680000-0x0000000000709000-memory.dmp

memory/5452-22-0x0000000000250000-0x00000000002D9000-memory.dmp