df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe
Size

28.9MB
MD5

f326cb6f424adc400a0dfbb365d7050e
SHA1

2bf5995d4f6d67b278422bc0f8e7d53e0c1da1c8
SHA256

45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f
SHA512

f5fc0fae93a86d332d41d04aba72f0cc4d7649b1aeab2f6e3decd7a298d48c525e7b9a7b03b80e799e575e11fcd1dfc3e67d1dee94231531c9cd4710c4649e8a
SSDEEP

786432:4XuCHGJTk6G76kgFVM9MKbb6vpJ3ckMeD+Ud:5ZPkWM1/6xJMv0Pd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NET25.lnk	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3016	timeout.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\_auto_file\shell	rundll32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
900	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	AcroRd32.exe
2832	AcroRd32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 900	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	31
PID 2864 wrote to memory of 900	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	31
PID 2864 wrote to memory of 900	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	31
PID 2864 wrote to memory of 900	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	31
PID 2864 wrote to memory of 2060	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	33
PID 2864 wrote to memory of 2060	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	33
PID 2864 wrote to memory of 2060	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	33
PID 2864 wrote to memory of 2060	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	33
PID 2864 wrote to memory of 2060	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	33
PID 2864 wrote to memory of 2060	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	33
PID 2864 wrote to memory of 2060	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	33
PID 2864 wrote to memory of 2816	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	34
PID 2864 wrote to memory of 2816	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	34
PID 2864 wrote to memory of 2816	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	34
PID 2864 wrote to memory of 2816	2864	45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe	34
PID 2816 wrote to memory of 3016	2816	cmd.exe	36
PID 2816 wrote to memory of 3016	2816	cmd.exe	36
PID 2816 wrote to memory of 3016	2816	cmd.exe	36
PID 2816 wrote to memory of 3016	2816	cmd.exe	36
PID 2060 wrote to memory of 2832	2060	rundll32.exe	37
PID 2060 wrote to memory of 2832	2060	rundll32.exe	37
PID 2060 wrote to memory of 2832	2060	rundll32.exe	37
PID 2060 wrote to memory of 2832	2060	rundll32.exe	37

C:\Users\Admin\AppData\Local\Temp\45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe
"C:\Users\Admin\AppData\Local\Temp\45707ca513bf23cac8fe8c8f84507bcaee2fa236ec7a887c678b978bc560454f.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /tn AccSys /tr "C:\ProgramData\NETFLIX2025\NET25" /st 06:21 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:900
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\ProgramData\NETFLIX2025\NET25
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\ProgramData\NETFLIX2025\NET25"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEB2.tmp.cmd""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 6
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NETFLIX2025\NET25

Filesize
30.1MB

MD5
491bac278a8095e46a1a74fa86b5cad2

SHA1
f0c02e9669b39cdc6b6613c90af551d5d2d6f71d

SHA256
99602a31ae0245290d736bdf1fcdee9d57e5d12cda0a3423e1e9e88f1f08a081

SHA512
6212eaf62503626b9dbb795b19dd8cd95ccceff64f3ea9acf69aeb296e2ec323c87ae3fedfe754cf50becfd8c544985be8ba58af6913a95cad9d63ba335e952a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEEB2.tmp.cmd

Filesize
216B

MD5
bbecab8e6c45d97a551d4b5901a06eac

SHA1
3891e6dfa9995ef601d61bd3eeae577397aa8695

SHA256
a4491d378a105b71b1c9d8ae844bfb990a46223a08ae3283824e2b970c7e75fc

SHA512
67bb847f671847b26005724de850b4d49a4245315f05322c4db218cfd05fdd2930461370bdfef5a772fcb1bff4e5ff25caa780e8d0fccbc0b0f46521311352de

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
89684d2417fd14b4871988db64ccbbe2

SHA1
26fe84efa41cfd768b545fb7fa7091fe6ee826c7

SHA256
6c78479e2819e156bf5650415694e72e3dc2c18590cce1caafa9ce9223d230dd

SHA512
e3579065b853d05fb683cf39b4cc4a6d78f203783566e24f11d1c22d3d714424784d7ea9decf60ec04f5ad44b461640224597bd9c7025cbea7c0809729b3abd0

Download Submit
memory/2864-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/2864-1-0x0000000001280000-0x0000000001480000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads