Malware Analysis Report

2025-08-05 14:35

Sample ID 250702-x3y6fazyax
Target f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5
SHA256 f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5
Tags: discovery
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5

Threat Level: Shows suspicious behavior

The file f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5 was found to show suspicious behavior.

Malicious Activity Summary

discovery

Unexpected DNS network traffic destination

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-02 19:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-02 19:23
Reported: 2025-07-02 19:25
Platform: win10v2004-20250619-en
Max time kernel: 143s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Syswow64\bab0b0d4 | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\bab0b0d4 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\bab0b0d4 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\bab0b0d4 | N/A
File created | C:\Windows\SysWOW64\bab0b0d4 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\bab0b0d4 | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\539da8 | C:\Windows\Syswow64\bab0b0d4 | N/A
File opened for modification | C:\Windows\5d68a0 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\bab0b0d4 | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\bab0b0d4 | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\bab0b0d4 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\bab0b0d4 | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\bab0b0d4 | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\bab0b0d4 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\bab0b0d4 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\bab0b0d4 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\bab0b0d4 | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\bab0b0d4 | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\bab0b0d4 | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe

"C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe"

C:\Windows\Syswow64\bab0b0d4

C:\Windows\Syswow64\bab0b0d4

Network

Country | Destination | Domain | Proto
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | down.nugong.asia | udp
US | 8.8.8.8:53 | down.nugong.asia | udp
US | 8.8.8.8:53 | dns.alidns.com | udp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | dns.alidns.com | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | down.nugong.asia | udp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 223.6.6.6:80 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp
CN | 223.6.6.6:80 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp

Files

memory/5456-0-0x0000000000E60000-0x0000000000EC3000-memory.dmp

C:\Windows\SysWOW64\bab0b0d4

MD5 ab402dc3a7115f1c44ec2eb5bf2e1650
SHA1 d56db8ae790137c06201da068d9cf8b4dc988539
SHA256 772e1ae9c8487841c1b5d0d7266dc6ac04da5790d18cce1e575bbd6bd8d1c7af
SHA512 c6ec818c378edefaa92278cd91d7560e28795312d79e9a0d328587436028b4eac53fcd70f157cb7dd70396a19b3a2fcce8b68ae180eb0e6cf86bbe8bf363a7f7

memory/4884-4-0x0000000000910000-0x0000000000973000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-07-02 19:23
Reported: 2025-07-02 19:25
Platform: win11-20250610-en
Max time kernel: 143s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Syswow64\15e769f0 | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\15e769f0 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Syswow64\15e769f0 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Syswow64\15e769f0 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Syswow64\15e769f0 | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Syswow64\15e769f0 | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\4b3150 | C:\Windows\Syswow64\15e769f0 | N/A
File opened for modification | C:\Windows\44c160 | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Syswow64\15e769f0 | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Syswow64\15e769f0 | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Syswow64\15e769f0 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Syswow64\15e769f0 | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Syswow64\15e769f0 | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Syswow64\15e769f0 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Syswow64\15e769f0 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Syswow64\15e769f0 | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Syswow64\15e769f0 | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Syswow64\15e769f0 | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\Syswow64\15e769f0 | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe

"C:\Users\Admin\AppData\Local\Temp\f49d280a0ff5b519c9efba8b63dd1bae8a08b0241fa72778979374160cd4afa5.exe"

C:\Windows\Syswow64\15e769f0

C:\Windows\Syswow64\15e769f0

Network

Country | Destination | Domain | Proto
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | down.nugong.asia | udp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 114.114.114.114:53 | down.nugong.asia | udp
CN | 223.5.5.5:53 | dns.alidns.com | udp
CN | 223.6.6.6:443 | dns.alidns.com | tcp
CN | 223.6.6.6:80 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.6.6.6:80 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp
CN | 223.5.5.5:443 | dns.alidns.com | tcp
CN | 223.5.5.5:80 | dns.alidns.com | tcp

Files

memory/4016-0-0x0000000000FE0000-0x0000000001043000-memory.dmp

C:\Windows\SysWOW64\15e769f0

MD5 9673d08a05bac3675be1834efdbfeebb
SHA1 912472a8d76ed230dad269ed8fd5a9c0bd519413
SHA256 83512d3984c065be8dda5d40302972ce491bea302d44524d62fa2b76fae8ace3
SHA512 2d52278e95faea46085374fe6b3c908b8d9b42ecceed67c27ca26607becd73843cc684b2997186f490a745ac37f59e7edc28c4d1bfbe3f043f87c3c436555d18

memory/4392-4-0x0000000000890000-0x00000000008F3000-memory.dmp