Malware Analysis Report

2025-08-05 14:35

Sample ID 250702-x3qjaszxhz
Target d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef
SHA256 d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef
Tags
upx discovery
score
7/10


Analysis Overview

score
7/10

SHA256

d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef

Threat Level: Shows suspicious behavior

The file d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef was found to show suspicious behavior.

Malicious Activity Summary

upx discovery

Executes dropped EXE

Unexpected DNS network traffic destination

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK (Enterprise Matrix V16)

Analysis: static1

Detonation Overview

Reported

2025-07-02 19:22

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-02 19:22

Reported

2025-07-02 19:25

Platform

win10v2004-20250619-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Syswow64\21c2ae57 | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\21c2ae57 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\21c2ae57 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\21c2ae57 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\21c2ae57 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\21c2ae57 | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\3d5c0 | C:\Windows\Syswow64\21c2ae57 | N/A
File opened for modification | C:\Windows\501f90 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\21c2ae57 | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\21c2ae57 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\21c2ae57 | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\21c2ae57 | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\21c2ae57 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\21c2ae57 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\21c2ae57 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\21c2ae57 | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\21c2ae57 | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\21c2ae57 | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\21c2ae57 | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe

"C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe"

C:\Windows\Syswow64\21c2ae57

C:\Windows\Syswow64\21c2ae57

Network

Country | Destination | Domain | Proto
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | down.nugong.asia | udp
US | 8.8.8.8:53 | down.nugong.asia | udp
US | 8.8.8.8:53 | dns.alidns.com | udp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | dns.alidns.com | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | down.nugong.asia | udp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 223.6.6.6:80 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp
CN | 223.6.6.6:80 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp

Files

memory/4680-0-0x0000000000AF0000-0x0000000000B79000-memory.dmp

C:\Windows\SysWOW64\21c2ae57

MD5 6ca0b7d038d628c8220528fb645ebbaf
SHA1 0dc0a243268471bfa5e238a43813febc9f436c79
SHA256 e157268ac94668c8dc1639a9e7571313c30970302971a7b1f463aa4a74a72a2c
SHA512 2a0afd6bdaf03d1d39fda44fabe362cc55bb84ed833ff200420024e40a9cc3886038b79deee35cab122d3c192b061e3c7b6390328e09e72ed24f7ae91613fa22

memory/224-4-0x00000000002B0000-0x0000000000339000-memory.dmp

memory/4680-10-0x0000000000AF0000-0x0000000000B79000-memory.dmp

memory/224-12-0x00000000002B0000-0x0000000000339000-memory.dmp

memory/4680-21-0x0000000000AF0000-0x0000000000B79000-memory.dmp

memory/224-22-0x00000000002B0000-0x0000000000339000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-02 19:22

Reported

2025-07-02 19:25

Platform

win11-20250610-en

Max time kernel

143s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Syswow64\6d7574ba | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\6d7574ba | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\6d7574ba | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\6d7574ba | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\6d7574ba | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\6d7574ba | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\edc48 | C:\Windows\Syswow64\6d7574ba | N/A
File opened for modification | C:\Windows\93eb8 | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\6d7574ba | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\6d7574ba | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\6d7574ba | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\6d7574ba | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\6d7574ba | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\6d7574ba | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\6d7574ba | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\6d7574ba | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\6d7574ba | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\6d7574ba | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\6d7574ba | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe

"C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe"

C:\Windows\Syswow64\6d7574ba

C:\Windows\Syswow64\6d7574ba

Network

Country | Destination | Domain | Proto
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | down.nugong.asia | udp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | dns.alidns.com | udp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp
CN | 223.6.6.6:80 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp

Files

memory/540-0-0x0000000000F20000-0x0000000000FA9000-memory.dmp

C:\Windows\SysWOW64\6d7574ba

MD5 2e537961f39f94214e0bf2fdde8a79b0
SHA1 ae8e233648517b8f849c3b152953e6c6118a2507
SHA256 8f28e6e3d3cc95c3b7163b51ce46f1d115f13319955087ee85556ae87e902c0b
SHA512 142523fbff7af81f6477c06c749166555050d295a84e9e583cbcf849178412e2e93a2d5fa5339f21989e98dd3bc1ff5cc311de3242bd6b12b72f61433ba20094

memory/868-4-0x00000000008C0000-0x0000000000949000-memory.dmp

memory/540-10-0x0000000000F20000-0x0000000000FA9000-memory.dmp

memory/868-12-0x00000000008C0000-0x0000000000949000-memory.dmp

memory/540-21-0x0000000000F20000-0x0000000000FA9000-memory.dmp

memory/868-22-0x00000000008C0000-0x0000000000949000-memory.dmp