9c85fae6b334bb652543d2a82772301f93149491073f3d362f711cab31719f11

Analysis

max time kernel
150s
max time network
163s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
13/02/2025, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ida-pro_90sp1_x64win.exe
Size

462.5MB
MD5

57caca01f05c181d57d238a36c8ce0fa
SHA1

0aca1d58d172c8b3cb8d4facb9c03bfb10d0f5d3
SHA256

9c85fae6b334bb652543d2a82772301f93149491073f3d362f711cab31719f11
SHA512

028441c8f1b610bf9ae78e9a5571b0f498dda809af3b20686bcac023fa9683569dd4df23ab473c03e3bdd15706265cace4599eecf1c5bf5099e68d45abd9de1f
SSDEEP

12582912:Cj3sAitGNU1A9rxtCypOOZsZquwbxvPEvqNKLblJ/i:CjcAitGN+I/ObquGJPpOlJ/

Score

4^/10

defense_evasion discovery trojan

Malware Config

Signatures

Loads dropped DLL 18 IoCs

pid	Process
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ida-pro_90sp1_x64win.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ida-pro_90sp1_x64win.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2100	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ida-pro_90sp1_x64win.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ida-pro_90sp1_x64win.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ida-pro_90sp1_x64win.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5008	ida-pro_90sp1_x64win.exe
5008	ida-pro_90sp1_x64win.exe

C:\Users\Admin\AppData\Local\Temp\ida-pro_90sp1_x64win.exe
"C:\Users\Admin\AppData\Local\Temp\ida-pro_90sp1_x64win.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjFCN0VEQUQtNkFDMi00QTg0LUFBNEMtNzBERjU5OUQxMjU4fSIgdXNlcmlkPSJ7NTg5Qzg4RDgtNDFDRS00Q0FCLUFDQTQtQkZGQjMxMzIxNjZCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzRCN0JBQUQtQ0M3NC00QzdCLUIyRjYtMkQ5NjcwNjZENTZEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDAzMyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjU2MjA2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2NDA3Njk4MTYiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6ABB.tmp

Filesize
43KB

MD5
99b50db8d177a51b7077084bb75673b5

SHA1
ff68863631241c2159cecdd03f5101e628b25bf7

SHA256
09db806002dd23cf97d5b8057a792fc90d11fe5c595f63f92f5c4494b33cbc6f

SHA512
fc5b6d06f95fedfbd929ecb2ed5f86cd0fd797140b54be29b23c8096925c3025504d0613f85ea4c2f0e459b8cd59dba22395c8348801a332d6595bd83d87d4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6B0A.tmp

Filesize
288KB

MD5
122a3741699fb5c0950273245c9dea15

SHA1
811f9149e3310a8e6521da156f92f3aaab012145

SHA256
f675eba3b22e0a2238ec4961d99de3bacca0ab553ab26eecb49800a12a9371ab

SHA512
567c480f70fdc78769ae45bf83b6632f7ab380ebeb00689028d39ff03840c8b778149a3fafe1dab2ac77a1fd17a23b09f58774b1c5e791bfd33b99528225eccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6B4A.tmp

Filesize
35KB

MD5
08ad4cd2a940379f1dcdbdb9884a1375

SHA1
c302b7589ba4f05c6429e7f89ad0cb84dd9dfbac

SHA256
78827e2b1ef0aad4f8b1b42d0964064819aa22bfcd537ebaacb30d817edc06d8

SHA512
f37bd071994c31b361090a149999e8b2d4a7839f19ea63e1d4563aada1371be37f2bfcc474e24de95ff77ca4124a39580c9f711e2fbe54265713ab76f631835a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6B6A.tmp

Filesize
121KB

MD5
2f427b95ab4d18e83f89a001c6b861ad

SHA1
56d10658f71f102961ebc334d277728025d01cdf

SHA256
00ec351fd1e77bcb5bf452b9e8dc5b386c65d74d02815b0adebb70fb57db5416

SHA512
ebe0b9ca89c2ac2e70d23043b495a21d5c29b5e22ee458641119b7394ac307ae50cc2f636fc409ddbb2039361547106961dabcae0c123055c315f8f900074d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6B7B.tmp

Filesize
532KB

MD5
a6f7a08b0676f0564a51b5c47973e635

SHA1
d56f5f9e2580b81717317da6582da9d379426d5b

SHA256
5dd27e845af9333ad7b907a37ab3d239b75be6ccc1f51ef4b21e59b037ce778c

SHA512
1101813034db327af1c16d069a4dfa91ab97ee8188f9ed1a6da9d25558866e7e9af59102e58127e64441d3e4a768b2ad788fd0e5a16db994a14637bfbade2954

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6BAB.tmp

Filesize
72KB

MD5
c04970b55bcf614f24ca75b1de641ae2

SHA1
52b182caef513ed1c36f28eb45cedb257fa8ce40

SHA256
5ddee4aab3cf33e505f52199d64809125b26de04fb9970ca589cd8619c859d80

SHA512
a5f2660e336bf74a1936fb2e1c724220d862632907f5fd690b365009ac3e1bf35fa6689071f3da4049e495f340ff83f8438b79079ef1f248b9dcaedbdd5d3e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6BBB.tmp

Filesize
14KB

MD5
77fe66d74901495f4b41a5918acd02ff

SHA1
ce5bbd53152cd5b03df8bcc232a1aea36a012764

SHA256
b017168c69ef40115141813e47122391602e1af28af342c56495b09f1c3c7522

SHA512
cc6e323d0076577a0a04dbe2c33d90dc616cb5ec3637d3df67cbf169766ca2e6de567fcff4f32938fd6118d98e4796642a3010b7264f0ae247fa8f0fe079bd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6C39.tmp

Filesize
14KB

MD5
d74aadd701bfacc474c431acab7b9265

SHA1
8a2b424d1f949430ddc1faddee3e9ccb79c95de2

SHA256
f1029f5cca3dabfeffe2c9db6ad84a9ff0f64f5b2fb85cb6ab348740f756e07d

SHA512
0ef85e311fb4843997fd5f87f0a2eec9715e26eae76bfb7bb701d8c043720aeaf7f4825d25187bf35e0a9f00def15ed071120128805445f1330c07c3e0ea5ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6D34.tmp

Filesize
74KB

MD5
924b90c3d9e645dfad53f61ea4e91942

SHA1
65d397199ff191e5078095036e49f08376f9ae4e

SHA256
41788435f245133ec5511111e2c5d52f7515e359876180067e0b5ba85c729322

SHA512
76833708828c8f3fad941abeea158317aff98cf0691b5d5dfa4bca15279cdad1cc23a771258e4de41cf12a58f7033a3ee08b0b5eb834d22be568ea98b183ccd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6D45.tmp

Filesize
102KB

MD5
78de24eb7826b1338849ff0348a7e82b

SHA1
03080b8f1c9a7a46951d35f8623ed39c4ba4f722

SHA256
5101c472779b552f3ce044bc2542f726068d914c0d396c8dc1d99ec1aab80767

SHA512
f24ec06717cfbe0d2fcc4ce591b6b5161183c8f62a2db0a43512c676fa1345ddab397f7db6f612c4587ab431274d56bba58c71943afbf60276e45d404429ff64

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6D75.tmp

Filesize
24KB

MD5
4cf27e0747e5719a5478aa2624f6b996

SHA1
13df901e34f77e5ea11f36c0afedda7f86a2c003

SHA256
e69a9d06f2c17cc021ebf9b62ca110548facdc147b67dea4846e09865043d2d9

SHA512
4b0ddcbd7321128f977e1dbbe18cc76c7e489d4ee84b7775989e99778b5a60daa683c6063c5b700794b7f2070ae381fef20b19b3cb35c1babef9be79ff264941

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6D85.tmp

Filesize
24KB

MD5
124e89d0fcc409ede3595a253b788708

SHA1
bc88e037c3edea02dd20aeff10818105be9f4033

SHA256
27ea1b57a3024aec4a03188e80fdb2aa301fa5179c19be9c8b0dfc2aac73a114

SHA512
7cd0ca268a5dbd2aa22dbce1f253a2d067ca30c5195e059c3f431d546a20d1811592f8bd8fe88b6ad9cb5c6fdd6a4666ff451b84a5e790a9d5058865d48790b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6D96.tmp

Filesize
100KB

MD5
606f13d4d580b1f322b3f3d3df423bba

SHA1
02cb375e13b415edc8b5360dffdba531e47827ed

SHA256
c71a16b1056e522cd0365449448116d06f37a3273d77694d170340064511dd25

SHA512
867a45dc15e99148f24fc528fbc9255582e5534bb4696700292b70163fddb15f35ddf2acd0536a9cd78b4d8f9d827bf7530d2303bfd7e428f11573b381a0986c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRL00001390\BR6DA7.tmp

Filesize
56KB

MD5
145d5c49fe34a44662beaffe641d58c7

SHA1
95d5e92523990b614125d66fa3fa395170a73bfe

SHA256
59182f092b59a3005ada6b2f2855c7e860e53e8adf6e41cd8cd515578ae7815a

SHA512
48cb0048f4fcf460e791a5b0beca40dbf2399b70f1784236b6d1f17835201d70dfa64c498814b872f57e527793c58a5959230fe40ddf5ebdcb0b1de57e9c53ef

Download Submit
memory/5008-82-0x0000000066680000-0x000000006668E000-memory.dmp

Filesize
56KB

Download
memory/5008-81-0x0000000074210000-0x000000007421E000-memory.dmp

Filesize
56KB

Download
memory/5008-88-0x0000000067E00000-0x0000000067E1B000-memory.dmp

Filesize
108KB

Download
memory/5008-87-0x0000000066C00000-0x0000000066C14000-memory.dmp

Filesize
80KB

Download
memory/5008-86-0x0000000066C40000-0x0000000066C4B000-memory.dmp

Filesize
44KB

Download
memory/5008-85-0x0000000073F80000-0x0000000073F8B000-memory.dmp

Filesize
44KB

Download
memory/5008-77-0x0000000001940000-0x000000000194E000-memory.dmp

Filesize
56KB

Download
memory/5008-84-0x0000000067C80000-0x0000000067D0C000-memory.dmp

Filesize
560KB

Download
memory/5008-69-0x0000000001920000-0x0000000001939000-memory.dmp

Filesize
100KB

Download
memory/5008-83-0x00000000710C0000-0x00000000710DF000-memory.dmp

Filesize
124KB

Download
memory/5008-80-0x0000000000700000-0x00000000009D3000-memory.dmp

Filesize
2.8MB

Download
memory/5008-89-0x0000000000700000-0x00000000009D3000-memory.dmp

Filesize
2.8MB

Download
memory/5008-98-0x0000000000700000-0x00000000009D3000-memory.dmp

Filesize
2.8MB

Download
memory/5008-107-0x0000000000700000-0x00000000009D3000-memory.dmp

Filesize
2.8MB

Download
memory/5008-117-0x0000000000700000-0x00000000009D3000-memory.dmp

Filesize
2.8MB

Download
memory/5008-126-0x0000000000700000-0x00000000009D3000-memory.dmp

Filesize
2.8MB

Download