c790a45c17ec4cc11e5a6038fdb7a0af8b4e503c85bcf6c14ce3c94b1aaa011f

Analysis

max time kernel
16s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 01:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ADN_Loader.exe
Size

74KB
MD5

5ebf4bddbf0850ef7f8054f7ecdc3f2a
SHA1

241037df8a3dc9ee488558296cf5a89958b75350
SHA256

c790a45c17ec4cc11e5a6038fdb7a0af8b4e503c85bcf6c14ce3c94b1aaa011f
SHA512

c5733e1c7f64c21215a2a199c54324667aa72f8af61b9aa8cfb278be073bbd84921e848bc742f3a0476908c60a6704a49534e2b37445c7120d96e23bb7449036
SSDEEP

1536:VFFrWuTv9O7Sn2IDKzGChZwxpnpAP1v0S4E0HWqnJsZqlkbLLylLVuMvJfenouyh:XFrWQAGn2+qGHXnpAP1v0S4jnRlavylV

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	x64.exe

Loads dropped DLL 2 IoCs

pid	Process
2544	cmd.exe
2544	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-0-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1732-13-0x0000000000400000-0x0000000000436000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADN_Loader.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2380	timeout.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2544	1732	ADN_Loader.exe	31
PID 1732 wrote to memory of 2544	1732	ADN_Loader.exe	31
PID 1732 wrote to memory of 2544	1732	ADN_Loader.exe	31
PID 1732 wrote to memory of 2544	1732	ADN_Loader.exe	31
PID 2544 wrote to memory of 3052	2544	cmd.exe	32
PID 2544 wrote to memory of 3052	2544	cmd.exe	32
PID 2544 wrote to memory of 3052	2544	cmd.exe	32
PID 2544 wrote to memory of 3068	2544	cmd.exe	33
PID 2544 wrote to memory of 3068	2544	cmd.exe	33
PID 2544 wrote to memory of 3068	2544	cmd.exe	33
PID 2544 wrote to memory of 2108	2544	cmd.exe	34
PID 2544 wrote to memory of 2108	2544	cmd.exe	34
PID 2544 wrote to memory of 2108	2544	cmd.exe	34
PID 2544 wrote to memory of 2380	2544	cmd.exe	35
PID 2544 wrote to memory of 2380	2544	cmd.exe	35
PID 2544 wrote to memory of 2380	2544	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\ADN_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\ADN_Loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AFCF.tmp\AFD0.bat C:\Users\Admin\AppData\Local\Temp\ADN_Loader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\Software\imotech
    3⤵
    PID:3052
- - C:\Windows\system32\reg.exe
    reg query HKEY_CURRENT_USER\Software\imotech
    3⤵
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\x64.exe
    "C:\Users\Admin\AppData\Local\Temp\x64.exe" 24\10\2500 "C:\Users\Admin\AppData\Local\Temp\AgileDotNet.exe"
    3⤵
    - Executes dropped EXE
    PID:2108
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AFCF.tmp\AFD0.bat

Filesize
909B

MD5
07828f5cf65c79388f1c97543bd7d386

SHA1
0cd163e5518e29a6e1d2b59a0d08eea9c5b6c37c

SHA256
163556ce238e1634ec7f73fa71f498d3c71c71d269170625fac1051bd8ddf268

SHA512
b57e758447045ff1f94023ba37c8802cdb826133e65aedd694cc4782921340e606a4969b8614bcc6b8b7a71c72f8d2940556ae2f27cba68574abef6caf386d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe

Filesize
67KB

MD5
b05ac25a3943c03a93748b945d4e5769

SHA1
61ecf9da2adc939ebf139c8e0636e8b1bf1260e1

SHA256
b30cb11ef8c7bc78cfacfa1f257a147114450074c2bbc00aa67b9781a73feb14

SHA512
dd357c98ade34cbf06d668a17ba287fe2ccfdec13d11a14101a8913c035c845497491da20053d9656f2dff04b603a8bd715d778e063df209f909e63151339ee8

Download Submit
memory/1732-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download