Analysis
max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
31/10/2024, 13:52
Static task
static1
Behavioral task
behavioral1
Sample
d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
Resource
win10v2004-20241007-en
General
Target
d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
Size
92KB
MD5
d106182df886d6340d51e8c210d1c820
SHA1
7202edae2957b238d19fc1c1646f6a0542ea8b20
SHA256
d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51
SHA512
a4fb0d308cc5c2f053cded92cb9e853d0087483c0bd055284f5a819eec7371c19e8d2a7f170796439ccdd0c07c7329166ca62f7e41c9a36b1f8e2a83105eee36
SSDEEP
768:4zW4wnebSdDlmkok6lRGXu+jKZAOWjpiRHVAGr4PzpyRAJ7IwnDoSds:41bC4Bk6lMTOWw4PkRAPo5
Malware Config
Signatures
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows AutoRun to spread further via attached volumes. Two caveats for this sample: the file is written inside a WinSxS component directory rather than a volume root, where AutoRun would never read it, and Windows 7 and later ignore the launch directives of autorun.inf on removable media other than CD/DVD. Treat the drop as evidence that the process writes into every directory it walks (consistent with the 64 Windows-directory modifications below) rather than as a working propagation vector on current systems.
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
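Added example, not part of this report and not code from the sandbox: a tolerant parser for the autorun.inf format that reports the directives an attacker relies on when AutoRun is honoured (open, shellexecute, shell\verb\command) and the ones used to disguise a drive (icon, label, action). The report does not show the dropped file's contents, so the content inside the block is constructed. Section precedence follows the documented Windows behaviour that an architecture-specific section such as [autorun.amd64] overrides a plain [autorun] section on 64-bit hosts; the default architecture argument is an assumption.

```python
"""Triage an autorun.inf file. Added example for this sandbox report; the
sample text below is constructed, not the file the analysed binary dropped."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Directives that launch code when AutoRun is honoured.
EXEC_KEYS = {"open", "shellexecute"}
# Directives commonly used to make a malicious drive look like a normal one.
DISGUISE_KEYS = {"icon", "label", "action"}

SAMPLE_AUTORUN_INF = """\
; constructed sample, not the file dropped by the analysed binary
[AutoRun]
OPEN=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
shell=open
UseAutoPlay=1
"""


@dataclass
class AutorunFindings:
    section: Optional[str] = None                       # section that Windows would use
    exec_targets: List[Tuple[str, str]] = field(default_factory=list)
    shell_commands: List[Tuple[str, str]] = field(default_factory=list)
    disguise: Dict[str, str] = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        return bool(self.exec_targets or self.shell_commands)


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section_lower: [(key_lower, value), ...]}, keeping duplicate keys.
    Windows' INF parsing is case-insensitive, ';' starts a comment and keys
    before the first section header are ignored, so the parser does the same."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def triage_autorun(text: str, arch: str = "amd64") -> AutorunFindings:
    """Pick the section Windows would honour and classify its directives."""
    sections = parse_sections(text)
    findings = AutorunFindings()
    for name in (f"autorun.{arch}", "autorun"):   # arch-specific section wins
        if name in sections:
            findings.section = name
            break
    if findings.section is None:
        return findings
    for key, value in sections[findings.section]:
        if key in EXEC_KEYS:
            findings.exec_targets.append((key, value))
        elif key in DISGUISE_KEYS:
            findings.disguise[key] = value
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.shell_commands.append((key, value))
    return findings


if __name__ == "__main__":
    f = triage_autorun(SAMPLE_AUTORUN_INF)
    print("section:", f.section, "suspicious:", f.suspicious)
    for k, v in f.exec_targets + f.shell_commands:
        print(f"  launches: {k} = {v}")
```

Run it against a recovered autorun.inf rather than the constructed sample; a file with only label/icon entries is the normal case for vendor media and is reported as not suspicious.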
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\regedit.exe | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
regedit.exe is a Microsoft-signed system binary. When anything other than the servicing stack opens it for writing, verify the on-disk copy's Authenticode signature and compare its hash with a known-good copy from the same build before trusting the host.
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_10.0.19041.928_none_6a67731cf3e151f2\@AppHelpToast.png | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_netfx35linq-system.data.services.client_31bf3856ad364e35_10.0.19041.1_none_27ec78792847b9a0\System.Data.Services.Client.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-0001045d_31bf3856ad364e35_10.0.19041.1_none_61439c6c1bfd8643\KBDINUK2.DLL | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-i..itiator_service_mof_31bf3856ad364e35_10.0.19041.1_none_69b31686898b623a\iscsiprf.mof | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-fontext.resources_31bf3856ad364e35_10.0.19041.1_de-de_d0b77ad140dca012\fontext.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-appmanagement-uevpsmof_31bf3856ad364e35_10.0.19041.1288_none_2ab9f4074c2b8f06\Microsoft.Uev.Commands.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-onecoreuap-deviceaccess_31bf3856ad364e35_10.0.19041.746_none_d665b070f8fb6cac\f\deviceaccess.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-s..-csvlk-pack-license_31bf3856ad364e35_10.0.19041.1_none_c2f7145f0b942797\csvlk-pack-Volume-CSVLK-2-ul-oob-rtm.xrm-ms | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_ffd7fb326c498cc8\default.aspx.fr.resx | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-upnpcontrolpoint_31bf3856ad364e35_10.0.19041.1081_none_b201fe701a40c4dd\f\upnp.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_10.0.19041.1266_none_1b79ad13f653c2a7\r\mf.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1_none_1791c82185e5947c\appidapi.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-d..gement-winproviders_31bf3856ad364e35_10.0.19041.1202_none_cfef4afda1c50630\ImagingProvider.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\ShouldMatch.snippets.ps1xml | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_10.0.19041.546_none_93b8eb238c554662\f\cscapi.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_networking-mpssvc-powershell-core_31bf3856ad364e35_10.0.19041.964_none_9371855fac3af1ee\NetIPsecIdentity.cmdletDefinition.cdxml | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_ja-jp_afb5d1f043634aff\wizardInit.ascx.ja.resx | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_10.0.19041.1_de-de_260241d331308f2d\prnmngr.vbs | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-metabase_31bf3856ad364e35_10.0.19041.906_none_21ab306fb502b2f0\wamreg.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-c..uicomponents-events_31bf3856ad364e35_10.0.19041.1_none_70063ae8425cf0a3\ETWCoreUIComponentsResources.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-smbserver-powershell_31bf3856ad364e35_10.0.19041.1_none_b6de35efa82cca34\SmbGlobalMapping.cdxml | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.264_none_9627a04e40f9f001\msscntrs.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_windows-staterepository_31bf3856ad364e35_10.0.19041.844_none_e4fc4c625c499e43\r\Windows.StateRepositoryUpgrade.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-onecore-m..imedia-broadcastdvr_31bf3856ad364e35_10.0.19041.746_none_77c084943ec4b063\f\BcastDVRCommon.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.19041.546_none_67000d82a7c2a372\f\KBDUS.DLL | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.906_none_6723a46eefe53392\I386\STDDTYPE.GDL | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-runtime-mediaframe_31bf3856ad364e35_10.0.19041.264_none_55cf3b0b39f63659\f\RTMediaFrame.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.906_none_9204c42a031e28cf\f\iisRtl.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.19041.1_es-es_39b8617b1ce8940d\storagewmi_uninstall.mfl | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-d..providers.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6d58070f4284e576\SmiProvider.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_38869341091832be\WMICOOKR.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-twinapi-appcore_31bf3856ad364e35_10.0.19041.746_none_9be9f1245111722d\f\twinapi.appcore.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1_none_ac040ccaa73c8c1b\wow32.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_networking-mpssvc-powershell-core_31bf3856ad364e35_10.0.19041.1_none_6b80e4b6ecb73422\NetIPsecPhase1AuthSet.cmdletDefinition.cdxml | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-mirage_31bf3856ad364e35_10.0.19041.1151_none_32c7db5b89038d04\f\Windows.Mirage.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\r\IMJKAPI.DLL | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-i..tmlrendering-legacy_31bf3856ad364e35_11.0.19041.1288_none_d50678dbc55b5baf\IndexedDbLegacy.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-i..panese_ax2_keyboard_31bf3856ad364e35_10.0.19041.1_none_7ced66069fc034c8\kbdax2.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_70e1bd5d3f2b0cf0\MSFT_GroupResource.strings.psd1 | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ARP.EXE | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-sendmail.resources_31bf3856ad364e35_10.0.19041.1_en-us_afb87b10560d9420\sendmail.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-csrsrv.resources_31bf3856ad364e35_10.0.19041.1_es-es_3e094b8a68c797b1\csrsrv.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-m..etintlerr.resources_31bf3856ad364e35_10.0.19041.1_en-us_eec85152910116db\msjint40.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_it-it_0d9052e350483924\manageUsers.aspx.it.resx | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-m..aphostres.resources_31bf3856ad364e35_10.0.19041.1_pt-br_35e66098dcc078f4\APHostRes.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft.powershell.ovf_31bf3856ad364e35_10.0.19041.1_none_a56a52b11cf118f3\OperationValidationResources.psd1 | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-ipmiprovider_31bf3856ad364e35_10.0.19041.1_none_df7f622f65287420\ipmiprv.mof | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-ime-korean-cacpad_31bf3856ad364e35_10.0.19041.1_none_30c75d12562ba02f\imkrcac.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft.managemen..re.native.unmanaged_31bf3856ad364e35_10.0.19041.546_none_8e65ec621b72d68e\Microsoft.Management.Infrastructure.Native.Unmanaged.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-m..-internal.resources_31bf3856ad364e35_10.0.19041.1_it-it_498945b3b1793bbc\MbaeApi.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\r\aspnetca.exe | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-metabase_31bf3856ad364e35_10.0.19041.1_none_f977afaaf5b16a1c\coadmin.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_netfx-mscorlib_tlb2_b03f5f7f11d50a3a_10.0.19041.1_none_bf3a67bf0af4a719\mscorlib.tlb | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.264_none_66e0b708f017bc79\I386\P6FONT.GPD | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\Describe.Tests.ps1 | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1081_none_38869341091832be\r\wmiutils.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-mapi-mmga_31bf3856ad364e35_10.0.19041.746_none_be98bb8265bc211a\r\mmgaserver.exe | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-devicecenter_31bf3856ad364e35_10.0.19041.746_none_90b2aaec923e877b\r\DeviceCenter.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\x86_microsoft-windows-msmpeg2enc.resources_31bf3856ad364e35_10.0.19041.1_en-us_cc01521a47b8eceb\msmpeg2enc.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft.powershel..nfigurationprovider_31bf3856ad364e35_10.0.19041.1_none_b9b2391a00849682\DscCoreConfProv.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-winre-recoveryagent_31bf3856ad364e35_10.0.19041.84_none_bcc4656ed261a5b5\ReAgent.xml | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b0c852643271e4bc\default.help.txt | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-g..in-appmgr.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cbda6915b642c15b\appmgr.dll.mui | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-flacencoder_31bf3856ad364e35_10.0.19041.153_none_fccee3f4ec2dfcfc\MSFlacEncoder.dll | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
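Added example, not from this report and not sandbox code: detection logic that turns the three file-write signatures above into rules over file-creation telemetry shaped like Sysmon Event ID 11 records (UtcTime, ProcessId, Image, TargetFilename). Rule 1 fires on any autorun.inf written by a process that is not the Windows servicing stack; rule 2 fires when one writer touches many PE files under %SystemRoot% inside a short window, the pattern the 64 IoCs above show for PID 2664. The events, the threshold, the window and the servicing-image allow-list are constructed assumptions to tune for your environment; only the PID and the image path of the sample are taken from the report, and none of the target paths in the constructed events is one of the report's IoCs.

```python
"""Rules for file-infector style behaviour over file-creation telemetry.
Added example for this sandbox report, not sandbox code. Event shape follows
Sysmon Event ID 11; events, thresholds and the allow-list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple, Tuple


class FileWrite(NamedTuple):
    utc_time: datetime
    pid: int
    image: str            # full path of the writing process
    target: str           # path written; may carry the NT "\??\" prefix


class Alert(NamedTuple):
    rule: str
    pid: int
    image: str
    evidence: List[str]   # a few of the paths that triggered the rule


# Windows servicing rewrites WinSxS legitimately, so both rules key on the writer.
SERVICING_IMAGES = {"trustedinstaller.exe", "tiworker.exe"}
PE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr"}
PE_WRITE_THRESHOLD = 10           # distinct PE files per writer inside WINDOW (assumed)
WINDOW = timedelta(seconds=60)    # assumed


def norm_path(path: str) -> PureWindowsPath:
    """Strip the NT object-manager prefix the sandbox reports so paths compare cleanly."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return PureWindowsPath(path)


def under_system_root(p: PureWindowsPath) -> bool:
    """True for <drive>:\\Windows\\... regardless of case."""
    return bool(p.anchor) and len(p.parts) > 1 and p.parts[1].lower() == "windows"


def image_name(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def detect(events: List[FileWrite]) -> List[Alert]:
    alerts: List[Alert] = []

    # Rule 1: autorun.inf written by a non-servicing process. A volume root is the
    # classic location; this sample wrote it inside a WinSxS component directory.
    for e in events:
        if (norm_path(e.target).name.lower() == "autorun.inf"
                and image_name(e.image) not in SERVICING_IMAGES):
            alerts.append(Alert("autorun_inf_dropped", e.pid, e.image, [e.target]))

    # Rule 2: one writer touching many distinct PE files under %SystemRoot% in WINDOW.
    by_writer: Dict[Tuple[int, str], List[FileWrite]] = defaultdict(list)
    for e in events:
        p = norm_path(e.target)
        if p.suffix.lower() in PE_SUFFIXES and under_system_root(p):
            by_writer[(e.pid, e.image)].append(e)

    for (pid, image), writes in by_writer.items():
        if image_name(image) in SERVICING_IMAGES:
            continue
        writes.sort(key=lambda w: w.utc_time)
        start = 0                                   # sliding window over sorted writes
        for end in range(len(writes)):
            while writes[end].utc_time - writes[start].utc_time > WINDOW:
                start += 1
            distinct = {str(norm_path(w.target)).lower() for w in writes[start:end + 1]}
            if len(distinct) >= PE_WRITE_THRESHOLD:
                alerts.append(Alert("mass_pe_modification", pid, image, sorted(distinct)[:5]))
                break
    return alerts


SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe")


def build_sample_events() -> List[FileWrite]:
    """Constructed telemetry: PID 2664 and the image path come from the report;
    every target path here is invented and is not one of the report's IoCs."""
    t0 = datetime(2024, 10, 31, 13, 52, 0)
    ev: List[FileWrite] = []
    for i in range(12):           # the suspect walking WinSxS and rewriting DLLs
        ev.append(FileWrite(t0 + timedelta(seconds=i), 2664, SAMPLE_IMAGE,
                            rf"\??\c:\Windows\WinSxS\wow64_component_{i}\lib{i}.dll"))
    ev.append(FileWrite(t0 + timedelta(seconds=12), 2664, SAMPLE_IMAGE,
                        r"\??\c:\Windows\SysWOW64\regedit.exe"))
    ev.append(FileWrite(t0 + timedelta(seconds=13), 2664, SAMPLE_IMAGE,
                        r"\??\c:\Windows\WinSxS\wow64_component_0\autorun.inf"))
    ti = r"C:\Windows\servicing\TrustedInstaller.exe"
    for i in range(15):           # servicing stack doing the same thing legitimately
        ev.append(FileWrite(t0 + timedelta(seconds=i), 1480, ti,
                            rf"C:\Windows\WinSxS\amd64_update_{i}\upd{i}.dll"))
    for i in range(3):            # an installer writing outside %SystemRoot%
        ev.append(FileWrite(t0 + timedelta(seconds=i), 4100, r"C:\Temp\setup.exe",
                            rf"C:\Program Files\App\a{i}.exe"))
    return ev


if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(a.rule, a.pid, image_name(a.image), a.evidence[:2])
```

Keying on the image name alone is a tuning starting point: a real deployment should also check that the allow-listed writer is signed and running from %SystemRoot%, since a file infector that renames itself TrustedInstaller.exe would otherwise be exempted.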
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). Reading this key is common in legitimate software too, so on its own it is a weak signal; what matters here is its combination with the file-write behaviour above.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2664 | d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
Processes
C:\Users\Admin\AppData\Local\Temp\d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe
"C:\Users\Admin\AppData\Local\Temp\d2d25dd399804c3524a6a90ae82a55335c411e3ec49ea72016debb65688afb51N.exe"
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2664