2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

13-01-2025 04:35

250113-e7x5tswlfz 10

13-01-2025 03:52

250113-ee43nsvjby 10

12-01-2025 15:57

250112-tealdsymgt 10

12-01-2025 15:53

250112-tbnc3s1mhn 10

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/wintonic.exe
Size

1.6MB
MD5

c7cc7175fa6a305036ecd68cfb4c970c
SHA1

c440e7653a4811935222651dfe61e56a70e5b92a
SHA256

a0375c241cebcf6c4a0293f45a5dc0ce1150fe8169ea410c818af67e6f487b4c
SHA512

0fe4873d7cf6be5fcae7cefd545205ea58a977679b2183ec5caabd47920e3b66813e31e6e545d585f15d3a17d21846b042cd40a507d662c19a2bc58fbfbe4fff
SSDEEP

49152:+h+ZkldoPK8YakOvfcrEb8XCOEU5fwr9K:X2cPK83vkrEb8XCfU5AM

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1032	1720	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintonic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	wintonic.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	wintonic.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	wintonic.exe
1720	wintonic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1720	wintonic.exe
1720	wintonic.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1720	wintonic.exe
1720	wintonic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1720	wintonic.exe
1720	wintonic.exe

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\wintonic.exe
"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\wintonic.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 824
  2⤵
  - Program crash
  PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1720 -ip 1720
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut87DE.tmp

Filesize
3KB

MD5
0cf65e6cf94a33c4880d0f6fa4096b6d

SHA1
d41057859f2b393cea11ee8ef1705c399971f9f6

SHA256
a7264eae3c348892888cf9b679b9cc68c0bf1d165d46f25a3c40b7d69d124d96

SHA512
98e6c7e1678d821d2250c3d9df7d8935072ee4005b806b93638e23d9ba258510644ae4d5bc29bbe46bddd1bf7e88339d41c2806dedd96c8b139c2f4f0382bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\DisableSelection.js

Filesize
1KB

MD5
84789d911ffa412658a4a8de09a5ddad

SHA1
fd7210a1aa2c418e791c85207711a42ad5aece08

SHA256
8dec17fa1c458dcfa180aba15fe3cc14d2186261dc1c08bb3058c0d46cbf8fe9

SHA512
21df811c5a67e8735cf2f99ec4321ae119fae46f0dc90706ce8e5ad1c395326566a97649a014c6fccc8495584a1c313c9e220ef5ed0f1eb7a54dd3c20bb3e263

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\box_offer.png

Filesize
136KB

MD5
c0365cebf7840a858fc5cfe5481a23a2

SHA1
5c507a012ae8ed0b20bf7639bc7af530551f4572

SHA256
56f6287f836218cb72863f1c27199c086bb163765be9b9b633b13797fad023a6

SHA512
0ccf76f9c29348584b94f0addc3d3e44732ba351ab81cae852915ad1e3f523d95d367425ebeb6acb56e5148826e764f49aba069316ab677ef4f223e5918cf314

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\default.htm

Filesize
53KB

MD5
1afd79f93d4ff74014cfd9fd2c3eabe7

SHA1
ae60b150bb6a234050394ca7e719c41beaa771eb

SHA256
89140a88f9d94b465bec7404b6ac26a81f4662be9dcf0970ab633e6f8c822b4c

SHA512
563e585ebd56900f4e529fda02a773096586b8d709e5b535e63dfbfccf7bf83d6442c4f2574584965de100aeddc5ff4f0c4de379aa35481e819acae9f9b12bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\en.ini

Filesize
10KB

MD5
71b3e091938e47148a6ec83bee3bf3e4

SHA1
e1321455cb27e5b5c50eb7f757d1293c63a7c672

SHA256
af4c95ec9a0340801fe86f65c7a2e0be8f63b649d5ed7203961d163117c3b450

SHA512
7dffc75972bcf2207c73a428ab3c8e6475f0888dda3d75996512fc1843478437936ee5caa1015e454a69b761e82a696183d5dfb0fb72ef34108bd0056e800454

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\icon_2.png

Filesize
3KB

MD5
36ade8563ee546017f853b04e383fe08

SHA1
cbbc1d9dc2519a24ae5bf2007b54c01fabe7ee5d

SHA256
714d8e13e29c4058baf67f4eb0b37d3a7a2c4d70ae9382f36f931e5ca8f4309a

SHA512
0446226178060de70226c31c6a8a414012360abd4a6bf6f4f5e806576b48459182a0f7ad613bef71b4622fde90a7c79601c786eb36a34199a309f51f92efa39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\icon_3.png

Filesize
4KB

MD5
0aafc269ca12635038175ef7277e18f0

SHA1
a834113896dbddb7f8307f052875fb4aadd1c753

SHA256
dd72dde3fadb4f9d3d0325ea4d5d6eeaa462cb974990dc7fd02b22c8b3103119

SHA512
00f36cd10c98062f780a519cf3f206e78d53f5196cff3cea9a231dd7e9922b7ec9e0fed9c9271c4532f611df451fc130ea487f828315326b9df73da9497ce7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\icon_4.png

Filesize
5KB

MD5
91d1c7f571d0425ce461a72cd0f8408e

SHA1
820358d079cbd022681425109df129615bbe5919

SHA256
0a89dd3e68c5257bd648df1907cf41da81141930a16aafd857b0e9ca0913c54b

SHA512
795bbfc2335a3f035b16f0753f763cc21bc0fd8668faed555e5d539a50e8c57ce609cd775b16f2717c559245ac5c88f1f9b819f6865d25a6fdb9f3ff4a24d226

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\launcher.png

Filesize
356KB

MD5
16a9ccc54e1a9a6ad08ad296260b2c0c

SHA1
cf89ec85a93fc0924cc8eff4baa6f6034d173630

SHA256
8f2279fe481fde7a153c7304c6b86b468624b743fa9918ccb94743c0d2d9fb89

SHA512
3969714da17349bc233981eafb59772a44e495d8b394e0d90b60677d7058f03755c8339d4aa9c74acc0e486f5ae80d63bf72a761bfc7dd11597cf4c5d9ef7d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\logo.png

Filesize
8KB

MD5
07c812500f8afd380c0551441200525c

SHA1
163774a879cfb46954614f744d4dcf70a4bc995a

SHA256
98ca7630186a22365da54c430a91381e145df309342cfa7bcc17b71d0946375f

SHA512
c915fa4ad18402507a216780d2c139d9d82cec3fef234927f7750e9186de0098db48df0dccdc239b01fcddaddc316e830f6ad534e5fb45c22000eda8a956573e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dktyoxl.tmp\tick.png

Filesize
568B

MD5
2be05c8c1db7c9197c8fb3d7c949bf60

SHA1
326d00fddc65ef293a1085a03b7581de93ad524c

SHA256
6fca1371442ca7283f24d5f70e574e9c2b22cbca7722f209c9d20fcd42be8714

SHA512
a1b624d6518183d0b398af0c008cdbaf5dfd8045ec3b068f2a56d1584e7304b3bce62a76ce80492bb745411ba0e5326fbdeb103240ebc5c993c2edd0d42da39c

Download Submit