5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1

Analysis

max time kernel
97s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
Size

288KB
MD5

040b6bc9b0e6555c619b0b6ac5c100c6
SHA1

29658672a828a82cfb57f13332799e5c14af8ae4
SHA256

e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4
SHA512

e0dcee7db91991c26e9c0405435d59da2980b883a36ed4c6a38792f6af7d156979368e0a9be9ada036f8f3f537cc770b5174e27b361ea1839877f908f806b5b0
SSDEEP

6144:KCqhNgYNRrD/tlWnuxWxVODw2v4ryAADzcL51rhAHA:KNhNgarD/tlWniqONx/6foA

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	1524	WScript.exe
29	1524	WScript.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwn_uQkXgSH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwn_daDq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pre-Setting 199xLOBm.lnk	dwn_daDq.exe

Executes dropped EXE 2 IoCs

pid	Process
5032	dwn_uQkXgSH.exe
368	dwn_daDq.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	pastebin.com
29	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2884	PING.EXE
1012	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwn_daDq.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2884	PING.EXE
1012	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1580	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
5032	dwn_uQkXgSH.exe
368	dwn_daDq.exe
368	dwn_daDq.exe
368	dwn_daDq.exe
368	dwn_daDq.exe
368	dwn_daDq.exe
368	dwn_daDq.exe
368	dwn_daDq.exe
368	dwn_daDq.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
Token: SeDebugPrivilege	5032	dwn_uQkXgSH.exe
Token: SeDebugPrivilege	368	dwn_daDq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 5032	1580	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe	86
PID 1580 wrote to memory of 5032	1580	e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe	86
PID 5032 wrote to memory of 368	5032	dwn_uQkXgSH.exe	87
PID 5032 wrote to memory of 368	5032	dwn_uQkXgSH.exe	87
PID 368 wrote to memory of 3316	368	dwn_daDq.exe	90
PID 368 wrote to memory of 3316	368	dwn_daDq.exe	90
PID 3316 wrote to memory of 2884	3316	WScript.exe	91
PID 3316 wrote to memory of 2884	3316	WScript.exe	91
PID 368 wrote to memory of 1524	368	dwn_daDq.exe	93
PID 368 wrote to memory of 1524	368	dwn_daDq.exe	93
PID 1524 wrote to memory of 1012	1524	WScript.exe	94
PID 1524 wrote to memory of 1012	1524	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe
"C:\Users\Admin\AppData\Local\Temp\e249dbf0acda03b41cc7ffb9d3ffe996eb648e79ec5b514d819180faebef48f4.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\config.sys\VRfFOm\dwn_uQkXgSH.exe
  "C:\config.sys\VRfFOm\dwn_uQkXgSH.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\config.sys\VRfFOm\dwn_daDq.exe
    "C:\config.sys\VRfFOm\dwn_daDq.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_uبc.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Windows\System32\PING.EXE
        
        "C:\Windows\System32\PING.EXE" -n 1 www.google.com
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2884
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_Spس.vbs"
      4⤵
      Blocklisted process makes network request
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\System32\PING.EXE
        
        "C:\Windows\System32\PING.EXE" -n 1 www.google.com
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\order_Spس.vbs

Filesize
1KB

MD5
d228541a535ca8d5f48f0664b2ecdb4d

SHA1
24e8788ea0c8f11f29571299b155ca065cf71023

SHA256
673e5e21cd3417665389dacf0d6da9706bf50319f53425242e3053f38b279d97

SHA512
5091b89a29cfbddc5cf51236210f019b1836b2f2cebf4b8f98386db7f3c868b256cecdbdba6955340631e1e5a4afcd3dfb6014051783973d955f68140c87ce70

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_uبc.vbs

Filesize
397B

MD5
e36fc454581f34a367ec67603531a4c5

SHA1
2b5f36eb7d1b12101810680d20afbd011237a8f3

SHA256
8005a51d109ff7fbf161e6cf007c48df1f9c7665436c4498423f089db00d327b

SHA512
eac5f9c5c44f1e4099097aa836a1026c2557eea01ef8c731bbee9627824238cff854b4c068af109362627f4dc307cf54d735f4e017c02effd264f8dd20ecd455

Download Submit
C:\config.sys\VRfFOm\dwn_uQkXgSH.exe

Filesize
288KB

MD5
016e67c5d285a54665b4e3adbc0f7946

SHA1
15830ba32f037f54ebfa3f3be1e94d7c168147bd

SHA256
752a345c28beb6d1d5c9800e640e62782c5fa575a5b586146338a43578ae0a78

SHA512
c62fb81ac1f43d2523d6ccdfb8b91d6451cd89d0b23f49778653f5b0c8a1999ce82ef7f573a109d132d94f61bcfe29895bb2b56ca8223db40ff8140bd2ebe4c5

Download Submit
C:\config.sys\VRfFOm\tik_bNfiH.txt

Filesize
4B

MD5
d3accd33402becc720abebee93ebe193

SHA1
7362b81a747f7e757e03d0c4d2e20822d7f52bf5

SHA256
9f2a59a60e65fbcd5a3e1b7248adf92890ce3a32b19e43fb4751c2657196de13

SHA512
4becf1bca4f0375aa0262b27fd05d35c8868d0d79b2ead2d815eb3caff11a913516e7b9461094d9a0b61b33d6995c3947681222f35e93322862d2675bbab1a12

Download Submit
C:\config.sys\VRfFOm\tik_spskHE.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
memory/1580-8-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/1580-0-0x00007FFD9B045000-0x00007FFD9B046000-memory.dmp

Filesize
4KB

Download
memory/1580-7-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/1580-5-0x000000001C170000-0x000000001C216000-memory.dmp

Filesize
664KB

Download
memory/1580-4-0x000000001C020000-0x000000001C0BC000-memory.dmp

Filesize
624KB

Download
memory/1580-60-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/1580-33-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/1580-6-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/1580-3-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/1580-55-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/1580-1-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/1580-39-0x00007FFD9B045000-0x00007FFD9B046000-memory.dmp

Filesize
4KB

Download
memory/1580-42-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/1580-2-0x000000001BAB0000-0x000000001BF7E000-memory.dmp

Filesize
4.8MB

Download
memory/5032-35-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/5032-43-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/5032-38-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/5032-37-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/5032-36-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download
memory/5032-34-0x00007FFD9AD90000-0x00007FFD9B731000-memory.dmp

Filesize
9.6MB

Download