Overview

overview

10

Static

static

3

65ac9daf30...b7.exe

windows7-x64

10

65ac9daf30...b7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    125s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2025, 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe

  • Size

    243KB

  • MD5

    f3c11989987acee8b271f571cdc7757c

  • SHA1

    50a191d53bc397ce08af356a224135488ed23619

  • SHA256

    65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7

  • SHA512

    27e9690090d4d928140b0c6b34205371bd2c8cce8423308fff0fdbd1ebfec9b4b50538a226de73145598aa4f7d9153db67a21cebed00808466cf2a93b697a119

  • SSDEEP

    3072:X9As+JFTpwVwFVSY9QziR0BEchY/VMaFWfC2UdG8zeIw0fuZb56RxokMUuncB:NAxFTpwCFkxBYRW3sZ33eYAk4Q

Score
8/10
defense_evasiondiscovery

Malware Config

Signatures

  • System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

    Abuse Regasm to proxy execution of malicious code.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe
    "C:\Users\Admin\AppData\Local\Temp\65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe"
    1⤵
    • System Binary Proxy Execution: Regsvcs/Regasm
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\regasm.exe
      "C:\Users\Admin\AppData\Local\Temp\regasm.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4800
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 544
        3⤵
        • Program crash
        PID:3800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4800 -ip 4800
    1⤵
      PID:1824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\regasm.exe
      Filesize

      2.5MB

      MD5

      0a7608db01cae07792cea95e792aa866

      SHA1

      71dff876e4d5edb6cea78fee7aa15845d4950e24

      SHA256

      c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

      SHA512

      990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

      Download Submit

    • memory/4800-9-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4800-13-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4800-15-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4896-0-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4896-1-0x0000000000E40000-0x0000000000E84000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4896-2-0x0000000005880000-0x000000000591C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4896-3-0x0000000074F60000-0x0000000075710000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4896-4-0x0000000005800000-0x0000000005820000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4896-5-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4896-6-0x0000000074F60000-0x0000000075710000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4896-17-0x0000000074F60000-0x0000000075710000-memory.dmp

      Filesize

      7.7MB

      Download