Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:11
General
-
Target
575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe
-
Size
28.9MB
-
MD5
e93ab7d09ceca46c4ecec7ab9a02d387
-
SHA1
79e08d601f9f696bbb6801da6f3523970bebd1e7
-
SHA256
575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1
-
SHA512
aecf648eade4d1868180667c94a2b18e5af7808e485a53c77fad13d9ea7efcb74ecfa41592b37c93c1754aacb6946c34bfd2e300c007656f94f42a4870d5200c
-
SSDEEP
786432:4XuCHGJTk6G76kMNr0R7QMMnmAiiqPS3o:5ZPkMYsMMnmAi63o
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 7 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe"C:\Users\Admin\AppData\Local\Temp\575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /tn AccSys /tr "C:\ProgramData\NETFLIX2025\NET25" /st 06:19 /du 23:59 /sc daily /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\ProgramData\NETFLIX2025\NET252⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\ProgramData\NETFLIX2025\NET25"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9FD8.tmp.cmd""2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 63⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30.1MB
MD57582cd461741aba6dd97e6beea1d2a80
SHA1b480584bb18016c13d505d8bd42685562600de39
SHA25613bbe630f1646252d5beb6a2d239d6c34478c1e45089f6dc0736af9582e1a1d6
SHA5120402c4e7980365ee3e11502fcdeb2ec1804128a49e0c349eae43cf193852161e3a3510e6335bb0adfbe702a3ee7508717147a6f55613cb1df35343da724cc8f6
-
Filesize
216B
MD59be965e43b02c92b5c1ce592a874a5bf
SHA11321df4e3656ea9ff150e905a97c0aba6d03c50b
SHA2568d2bceeb5eb21c701dd0b5617da64ad14bf7714201b5ea195fd292debd35fb75
SHA5123ee6da8f93c42f642628fcb7b9e8c3a7a889f62510a6c9e8eea5d6c4d8830cfb02576d8e68dc3633aea764d9605ee3975f361df88f581566220f010a919f26da
-
Filesize
3KB
MD5196d686dfbdda630ce8ed759f280b314
SHA162f2330bfadffd5c08da886c97b4a486b3c913b1
SHA2567c350d6930284d3b6dfa89b4b92f3c119bc2dc2d981bb53bf93422100e51895b
SHA512b172990636548f20956b8100eb67dc94ef256dfddb2711bb44d31f1d6aebed6f19eb92c478fd4ac813ac298cae25a2d42f4e48b66f065d99d21cf5e8c77b2b36
-
Filesize
4KB
-
Filesize
2.0MB