c790a45c17ec4cc11e5a6038fdb7a0af8b4e503c85bcf6c14ce3c94b1aaa011f

Analysis

max time kernel
62s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADN_Loader.exe
Size

74KB
MD5

5ebf4bddbf0850ef7f8054f7ecdc3f2a
SHA1

241037df8a3dc9ee488558296cf5a89958b75350
SHA256

c790a45c17ec4cc11e5a6038fdb7a0af8b4e503c85bcf6c14ce3c94b1aaa011f
SHA512

c5733e1c7f64c21215a2a199c54324667aa72f8af61b9aa8cfb278be073bbd84921e848bc742f3a0476908c60a6704a49534e2b37445c7120d96e23bb7449036
SSDEEP

1536:VFFrWuTv9O7Sn2IDKzGChZwxpnpAP1v0S4E0HWqnJsZqlkbLLylLVuMvJfenouyh:XFrWQAGn2+qGHXnpAP1v0S4jnRlavylV

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
440	x64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3992-0-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral2/memory/3992-12-0x0000000000400000-0x0000000000436000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADN_Loader.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
460	timeout.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 5088	3992	ADN_Loader.exe	86
PID 3992 wrote to memory of 5088	3992	ADN_Loader.exe	86
PID 5088 wrote to memory of 3644	5088	cmd.exe	87
PID 5088 wrote to memory of 3644	5088	cmd.exe	87
PID 5088 wrote to memory of 4868	5088	cmd.exe	88
PID 5088 wrote to memory of 4868	5088	cmd.exe	88
PID 5088 wrote to memory of 440	5088	cmd.exe	89
PID 5088 wrote to memory of 440	5088	cmd.exe	89
PID 5088 wrote to memory of 460	5088	cmd.exe	91
PID 5088 wrote to memory of 460	5088	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\ADN_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\ADN_Loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C091.tmp\C092.bat C:\Users\Admin\AppData\Local\Temp\ADN_Loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\Software\imotech
    3⤵
    PID:3644
- - C:\Windows\system32\reg.exe
    reg query HKEY_CURRENT_USER\Software\imotech
    3⤵
    PID:4868
- - C:\Users\Admin\AppData\Local\Temp\x64.exe
    "C:\Users\Admin\AppData\Local\Temp\x64.exe" 24\10\2500 "C:\Users\Admin\AppData\Local\Temp\AgileDotNet.exe"
    3⤵
    - Executes dropped EXE
    PID:440
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C091.tmp\C092.bat

Filesize
909B

MD5
07828f5cf65c79388f1c97543bd7d386

SHA1
0cd163e5518e29a6e1d2b59a0d08eea9c5b6c37c

SHA256
163556ce238e1634ec7f73fa71f498d3c71c71d269170625fac1051bd8ddf268

SHA512
b57e758447045ff1f94023ba37c8802cdb826133e65aedd694cc4782921340e606a4969b8614bcc6b8b7a71c72f8d2940556ae2f27cba68574abef6caf386d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe

Filesize
67KB

MD5
b05ac25a3943c03a93748b945d4e5769

SHA1
61ecf9da2adc939ebf139c8e0636e8b1bf1260e1

SHA256
b30cb11ef8c7bc78cfacfa1f257a147114450074c2bbc00aa67b9781a73feb14

SHA512
dd357c98ade34cbf06d668a17ba287fe2ccfdec13d11a14101a8913c035c845497491da20053d9656f2dff04b603a8bd715d778e063df209f909e63151339ee8

Download Submit
memory/3992-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3992-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download