Analysis Overview
SHA256
d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef
Threat Level: Shows suspicious behavior
The file d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Unexpected DNS network traffic destination
UPX packed file
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 19:22
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 19:22
Reported
2025-07-02 19:25
Platform
win10v2004-20250619-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Syswow64\21c2ae57 | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\21c2ae57 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\21c2ae57 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\21c2ae57 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\21c2ae57 | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\21c2ae57 | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\3d5c0 | C:\Windows\Syswow64\21c2ae57 | N/A |
| File opened for modification | C:\Windows\501f90 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\21c2ae57 | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\21c2ae57 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\21c2ae57 | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\21c2ae57 | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\21c2ae57 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\21c2ae57 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\21c2ae57 | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\21c2ae57 | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\21c2ae57 | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\21c2ae57 | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\21c2ae57 | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe
"C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe"
C:\Windows\Syswow64\21c2ae57
C:\Windows\Syswow64\21c2ae57
Network
| Country | Destination | Domain | Proto |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | down.nugong.asia | udp |
| US | 8.8.8.8:53 | dns.alidns.com | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | dns.alidns.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | down.nugong.asia | udp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
Files
memory/4680-0-0x0000000000AF0000-0x0000000000B79000-memory.dmp
C:\Windows\SysWOW64\21c2ae57
| MD5 | 6ca0b7d038d628c8220528fb645ebbaf |
| SHA1 | 0dc0a243268471bfa5e238a43813febc9f436c79 |
| SHA256 | e157268ac94668c8dc1639a9e7571313c30970302971a7b1f463aa4a74a72a2c |
| SHA512 | 2a0afd6bdaf03d1d39fda44fabe362cc55bb84ed833ff200420024e40a9cc3886038b79deee35cab122d3c192b061e3c7b6390328e09e72ed24f7ae91613fa22 |
memory/224-4-0x00000000002B0000-0x0000000000339000-memory.dmp
memory/4680-10-0x0000000000AF0000-0x0000000000B79000-memory.dmp
memory/224-12-0x00000000002B0000-0x0000000000339000-memory.dmp
memory/4680-21-0x0000000000AF0000-0x0000000000B79000-memory.dmp
memory/224-22-0x00000000002B0000-0x0000000000339000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 19:22
Reported
2025-07-02 19:25
Platform
win11-20250610-en
Max time kernel
143s
Max time network
157s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Syswow64\6d7574ba | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Destination IP | 114.114.114.114 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Destination IP | 223.5.5.5 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\6d7574ba | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\6d7574ba | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\6d7574ba | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\6d7574ba | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\6d7574ba | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\edc48 | C:\Windows\Syswow64\6d7574ba | N/A |
| File opened for modification | C:\Windows\93eb8 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\6d7574ba | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\6d7574ba | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\6d7574ba | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\6d7574ba | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\6d7574ba | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\6d7574ba | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\6d7574ba | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\6d7574ba | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\6d7574ba | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\6d7574ba | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\6d7574ba | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe
"C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe"
C:\Windows\Syswow64\6d7574ba
C:\Windows\Syswow64\6d7574ba
Network
| Country | Destination | Domain | Proto |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 114.114.114.114:53 | down.nugong.asia | udp |
| CN | 223.5.5.5:53 | dns.alidns.com | udp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.6.6.6:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
| CN | 223.6.6.6:80 | dns.alidns.com | tcp |
| CN | 223.5.5.5:443 | dns.alidns.com | tcp |
| CN | 223.5.5.5:80 | dns.alidns.com | tcp |
Files
memory/540-0-0x0000000000F20000-0x0000000000FA9000-memory.dmp
C:\Windows\SysWOW64\6d7574ba
| MD5 | 2e537961f39f94214e0bf2fdde8a79b0 |
| SHA1 | ae8e233648517b8f849c3b152953e6c6118a2507 |
| SHA256 | 8f28e6e3d3cc95c3b7163b51ce46f1d115f13319955087ee85556ae87e902c0b |
| SHA512 | 142523fbff7af81f6477c06c749166555050d295a84e9e583cbcf849178412e2e93a2d5fa5339f21989e98dd3bc1ff5cc311de3242bd6b12b72f61433ba20094 |
memory/868-4-0x00000000008C0000-0x0000000000949000-memory.dmp
memory/540-10-0x0000000000F20000-0x0000000000FA9000-memory.dmp
memory/868-12-0x00000000008C0000-0x0000000000949000-memory.dmp
memory/540-21-0x0000000000F20000-0x0000000000FA9000-memory.dmp
memory/868-22-0x00000000008C0000-0x0000000000949000-memory.dmp