Malware Analysis Report

2025-08-05 14:36

Sample ID 250702-x3zrzazyay
Target ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc
SHA256 ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc

Threat Level: Shows suspicious behavior

The file ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Unexpected DNS network traffic destination

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-02 19:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-02 19:23

Reported

2025-07-02 19:25

Platform

win10v2004-20250619-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Syswow64\72b4bc7f N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\72b4bc7f C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Syswow64\72b4bc7f N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Syswow64\72b4bc7f N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Syswow64\72b4bc7f N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Syswow64\72b4bc7f N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\1687c8 C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
File opened for modification C:\Windows\e09e8 C:\Windows\Syswow64\72b4bc7f N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Syswow64\72b4bc7f N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Syswow64\72b4bc7f N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Syswow64\72b4bc7f N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Syswow64\72b4bc7f N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Syswow64\72b4bc7f N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Syswow64\72b4bc7f N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Syswow64\72b4bc7f N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Syswow64\72b4bc7f N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Syswow64\72b4bc7f N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Syswow64\72b4bc7f N/A
Token: SeTcbPrivilege N/A C:\Windows\Syswow64\72b4bc7f N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe

"C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe"

C:\Windows\Syswow64\72b4bc7f

C:\Windows\Syswow64\72b4bc7f

Network

Country Destination Domain Proto
CN 114.114.114.114:53 down.nugong.asia udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
CN 223.5.5.5:53 down.nugong.asia udp
US 8.8.8.8:53 down.nugong.asia udp
US 8.8.8.8:53 dns.alidns.com udp
CN 223.6.6.6:443 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 114.114.114.114:53 down.nugong.asia udp
CN 223.5.5.5:53 dns.alidns.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 down.nugong.asia udp
CN 223.6.6.6:443 dns.alidns.com tcp
CN 223.6.6.6:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
CN 223.6.6.6:80 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp

Files

memory/1316-0-0x00000000002B0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\72b4bc7f

MD5 9cdcb7a81c6dd143b0d4b02d5775185a
SHA1 b6393d9c5fca4fd34f7d035455f9b3490b69ab06
SHA256 926395a47b117aee972442835c2b3fb447d51ce7a0f7659f6f38f98f3da4ca0d
SHA512 76b46093f2e279c34d71d5985adb1d53e4e0188b1714701c7d54094ab57aa87a3d47a8c9a15c136c2c3e13f8f0687c7420cd5647a4c05be43776c1e754bd19ec

memory/820-4-0x00000000000A0000-0x0000000000103000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-02 19:23

Reported

2025-07-02 19:25

Platform

win11-20250610-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Syswow64\fda805ec N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Syswow64\fda805ec N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Syswow64\fda805ec N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Syswow64\fda805ec N/A
File created C:\Windows\SysWOW64\fda805ec C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Syswow64\fda805ec N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\16bc60 C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
File opened for modification C:\Windows\1c13d0 C:\Windows\Syswow64\fda805ec N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Syswow64\fda805ec N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Syswow64\fda805ec N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Syswow64\fda805ec N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Syswow64\fda805ec N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Syswow64\fda805ec N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Syswow64\fda805ec N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Syswow64\fda805ec N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Syswow64\fda805ec N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Syswow64\fda805ec N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Syswow64\fda805ec N/A
Token: SeTcbPrivilege N/A C:\Windows\Syswow64\fda805ec N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe

"C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe"

C:\Windows\Syswow64\fda805ec

C:\Windows\Syswow64\fda805ec

Network

Country Destination Domain Proto
CN 114.114.114.114:53 down.nugong.asia udp
CN 223.5.5.5:53 dns.alidns.com udp
CN 223.6.6.6:443 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 114.114.114.114:53 down.nugong.asia udp
CN 223.5.5.5:53 dns.alidns.com udp
CN 223.6.6.6:443 dns.alidns.com tcp
CN 223.6.6.6:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.6.6.6:80 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp

Files

memory/1328-0-0x0000000000F80000-0x0000000000FE3000-memory.dmp

C:\Windows\SysWOW64\fda805ec

MD5 e60e376ca2282fcde714c066fb6e5ddc
SHA1 6ee845e09584de80f2bac607ebf3bf52fea5e004
SHA256 6c5d507b682811e018c15476f5de916484aa664ffd654ffada0f5aa59d316303
SHA512 23ebb57fe2931f7581c0fb0017a8342e67fed901ba54d6866101f40b6d9553ccd349ac71151f316000c9609d9a43155dc969b830987d98ec676594fb50b50454

memory/1640-4-0x0000000000410000-0x0000000000473000-memory.dmp