4e5088984e5d2304a531271ae248973b36e6d96a7f48f0dc56a92ffd951452fc

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
Size

1.4MB
MD5

29683f5b4ad272c624cc2069e9b39573
SHA1

dab6f53e6bf60cdd6ee20850235a85a10d57f28b
SHA256

04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e
SHA512

0ea2b3e67766f36d202850b5ad639383285eb93c7f626430b20f40990bd2a7e5f405ec91b782f3e1b12bc255a7637831114df06f753c039bf8774946752a48e5
SSDEEP

24576:n8dvIOVmW6AbPsArkueRKmV3sNlHfiqJIu7:nowONbkBuyKmBs7iu7

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app_signed.exe	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app_signed.exe	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe

Executes dropped EXE 2 IoCs

pid	Process
1632	app.exe
1448	app.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.exe"	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1448	1632	app.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
1632	app.exe
1632	app.exe
1632	app.exe
1632	app.exe
1632	app.exe
1632	app.exe
1632	app.exe
1632	app.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
Token: SeDebugPrivilege	1632	app.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1448	app.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1632	2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe	31
PID 2756 wrote to memory of 1632	2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe	31
PID 2756 wrote to memory of 1632	2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe	31
PID 2756 wrote to memory of 1632	2756	04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe	31
PID 1632 wrote to memory of 1448	1632	app.exe	32
PID 1632 wrote to memory of 1448	1632	app.exe	32
PID 1632 wrote to memory of 1448	1632	app.exe	32
PID 1632 wrote to memory of 1448	1632	app.exe	32
PID 1632 wrote to memory of 1448	1632	app.exe	32
PID 1632 wrote to memory of 1448	1632	app.exe	32
PID 1632 wrote to memory of 1448	1632	app.exe	32
PID 1632 wrote to memory of 1448	1632	app.exe	32
PID 1632 wrote to memory of 1448	1632	app.exe	32

C:\Users\Admin\AppData\Local\Temp\04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe
"C:\Users\Admin\AppData\Local\Temp\04f053e37f7e0f8045fa590614b885ae3a2ecbd55fe48d886ea6563429fe1a9e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    3⤵
    PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
576104900231ffbf8aa9880886a1ff1a

SHA1
e1b3c21515ec506008214ae2472851ff210f53d5

SHA256
daa41f3ecf13689c934076aed4ee80330dd6c3f6d7ccdc0314969b2f69faba06

SHA512
f4d42020a03732fde80cd2572cf67546bb765c1e9c4d25d6b01b21a671c9b87790a534b4daae0f6565b122b6db3b89192fe373d2ebd09d62f6bd0ade65aa23a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
359ce8211729ac0b8a9f837a87fd0cfd

SHA1
9b3b02aeca85bfcd3573b58cab45a67e347d4c5b

SHA256
9bcf8f5b60685cac31a1f174dd098e6c086993edd9e44e3bbf5d013450ad31c7

SHA512
fbb23ccc47f97b7401d6e40c980e4526b4ff9d34ef4f284969fa50c8378da24ce2e28b66b9964fdaa93b50f51deaa510ba55f0d9707c2ab60917da42dc5b3aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4F6A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F7C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51C7.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe

Filesize
1.4MB

MD5
48bd4dc570fe5814bfe21887cd034e90

SHA1
39e4ad0e36a0a2fac33a5eca8cbc1ef38d3c378b

SHA256
0401f59dd0811e0fe20729f2b5906088ed5a5ab57cf12e91d397b95ec56f8f79

SHA512
da796048cd92b24db1d0ff0e7746aa1c79af58ab48173afdc410c893b2d5dcf01206f6cfd79fa337e2b753a48e5cdc2997b4391db9fbc4df8e7aba72d167c55a

Download Submit
memory/1448-230-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1448-227-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1448-221-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1448-223-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1448-225-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1448-229-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1448-234-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1448-233-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1632-219-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1632-231-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1632-205-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-0-0x0000000074851000-0x0000000074852000-memory.dmp

Filesize
4KB

Download
memory/2756-204-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-184-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-185-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-186-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download