Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:16
General
-
Target
c949630c94733e122dc321316d68ca1f.exe
-
Size
30.1MB
-
MD5
c949630c94733e122dc321316d68ca1f
-
SHA1
cd30c22e274de0149544d1889a4402c067daf212
-
SHA256
09455ae9bbc99b19bd191d6a1e8454dbf5d299e229e70520852dfa4b37905205
-
SHA512
902ad50640283fe67c3d05fc892c204eca0c79f9b1fb5952d11d25d3ec4a499b3de56c599b4a2e92203a5468ef51a983ff8dde333b8143cab1fe4828bccc78ea
-
SSDEEP
786432:4X9YkEvofjPaeA8NOqZWryVB41efzsB4si4inK+:SYkyWji4CkgP3Ex
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 7 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c949630c94733e122dc321316d68ca1f.exe"C:\Users\Admin\AppData\Local\Temp\c949630c94733e122dc321316d68ca1f.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn AccSys /tr "C:\ProgramData\NETFLIX2025\NET25" /st 06:38 /du 23:59 /sc daily /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\ProgramData\NETFLIX2025\NET252⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\ProgramData\NETFLIX2025\NET25"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF805.tmp.cmd""2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 63⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31.3MB
MD5852c3221fd6705637ad28374be5c30d4
SHA185b5ec91d7bc7e75526c01b26a866c39571bace5
SHA256f2dc4a9d9bef78afd9ae51c37d7a54ed989221cf3f4c800882368c4f707ed152
SHA5127fff666bdd6c2e1d25e888c8c1c7fb9cff3df304f1db04a6e6d408182db1c55df4c2f17b35a7b80c725f2a2e2683e796b1cc269832b1f0ace72cd426d6106ede
-
Filesize
184B
MD513bddc9a3986f2df91159da3b4e7193d
SHA14673baeb2bc38868c057de19373a4985363185e6
SHA256ffe08fcd5634fbfbdecbc22cb1428fdfb825040c6a75824b86de6493074a0f45
SHA51254f8216cb123d8626b37f11576542fef21eb5e2b271f234a1ef40cd1110a34a0b5b4bfcd4f55f8c1a9617bd98d520a859464cfdc2281b91951c753b4df48b35c
-
Filesize
3KB
MD5cc0b5b70e6f134270af1effc21243d0a
SHA1fc8085eeeb9007b2a48879ec29138b05f5c23258
SHA25683d64df4c5fd4862992e2fe98a9cc3b998cf00dd400b8b8da979b96af1178fcf
SHA512f33f2270e336eea650a5b56b03ac5821072a6760a1fa4ceb74345c8e43afa2c6dfbabcf423db5bc548dafbc9d9eb1df03c1aedb7f7b6b59250851e22a35b3d9d
-
Filesize
4KB
-
Filesize
2.0MB