Overview

overview

10

Static

static

10

c39e5e5773...fb.exe

windows7-x64

7

c39e5e5773...fb.exe

windows10-2004-x64

7

c3a61d282c...2f.exe

windows7-x64

7

c3a61d282c...2f.exe

windows10-2004-x64

7

c3aaa8d067...d1.exe

windows7-x64

10

c3aaa8d067...d1.exe

windows10-2004-x64

10

c40612db16...6d.exe

windows7-x64

10

c40612db16...6d.exe

windows10-2004-x64

10

c45000d072...99.exe

windows7-x64

10

c45000d072...99.exe

windows10-2004-x64

10

c4639b8ab9...97.exe

windows7-x64

10

c4639b8ab9...97.exe

windows10-2004-x64

10

c47cd91636...6d.exe

windows7-x64

1

c47cd91636...6d.exe

windows10-2004-x64

1

c486ed6acb...df.exe

windows7-x64

7

c486ed6acb...df.exe

windows10-2004-x64

7

c4b4c8152f...dc.exe

windows7-x64

10

c4b4c8152f...dc.exe

windows10-2004-x64

10

c4c197e502...e0.exe

windows7-x64

10

c4c197e502...e0.exe

windows10-2004-x64

10

c4ca622404...18.exe

windows7-x64

10

c4ca622404...18.exe

windows10-2004-x64

10

c50b533887...50.exe

windows7-x64

10

c50b533887...50.exe

windows10-2004-x64

10

c50b94cf52...6f.exe

windows7-x64

10

c50b94cf52...6f.exe

windows10-2004-x64

10

c520bfebf2...a2.exe

windows7-x64

8

c520bfebf2...a2.exe

windows10-2004-x64

10

c53059381a...48.exe

windows7-x64

10

c53059381a...48.exe

windows10-2004-x64

10

c59549cfc2...b8.exe

windows7-x64

1

c59549cfc2...b8.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    59s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c486ed6acb598d864bd441b40bbb31df.exe

  • Size

    6.8MB

  • MD5

    c486ed6acb598d864bd441b40bbb31df

  • SHA1

    4842165e42d247982c8dadbbe316ec8f1dcb1174

  • SHA256

    6d0f06ad75a8a2959de87e4c142faa335f593d5af278f0617c1acc886c4a946a

  • SHA512

    9fb7e9a285c6ca9b769dc9ed5eedd60e710064c59c32e6d7cd89b37e05ef4d782440bf4fd32729c6a4f090ff1c61e7017bd4578c1d32c4545e0b9e42054c0029

  • SSDEEP

    12288:nsssDsssssssssssssssssssssssssssssssssssssbssssssssssssssssssssj:3

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c486ed6acb598d864bd441b40bbb31df.exe
    "C:\Users\Admin\AppData\Local\Temp\c486ed6acb598d864bd441b40bbb31df.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5376
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn server /tr C:\Users\Admin\AppData\Local\TempWorm.exe.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4744
    • C:\ProgramData\Microsoft\svchost.exe
      "C:\ProgramData\Microsoft\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn server /tr C:\Users\Admin\AppData\Local\TempWorm.exe.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4796
  • C:\Users\Admin\AppData\Local\TempWorm.exe.exe
    C:\Users\Admin\AppData\Local\TempWorm.exe.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5552
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 964
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\svchost.exe
    Filesize

    6.8MB

    MD5

    c486ed6acb598d864bd441b40bbb31df

    SHA1

    4842165e42d247982c8dadbbe316ec8f1dcb1174

    SHA256

    6d0f06ad75a8a2959de87e4c142faa335f593d5af278f0617c1acc886c4a946a

    SHA512

    9fb7e9a285c6ca9b769dc9ed5eedd60e710064c59c32e6d7cd89b37e05ef4d782440bf4fd32729c6a4f090ff1c61e7017bd4578c1d32c4545e0b9e42054c0029

    Download Submit

  • C:\Users\Admin\AppData\Local\TempWorm.exe.exe
    Filesize

    13.5MB

    MD5

    8d53904af39e3fcdff20e5115ef9e912

    SHA1

    7cc1c5e653ea87e1c707df1aefbb2389a96bc1fa

    SHA256

    4871736c6220dd5cb3f71a0e03c7a8f9ecb2702ba965ed205d9b9286b194c54b

    SHA512

    8ecbb3db5dc57a3551ecf6e2d1abf8f3ffb6208e8a5d72bf8b9432b90c322efe6ed8e093586ca467756fb70ecc73d93c9e4c7410a7ddde64023898b80d563378

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\BlackData.dat
    Filesize

    2B

    MD5

    bafd7322c6e97d25b6299b5d6fe8920b

    SHA1

    816c52fd2bdd94a63cd0944823a6c0aa9384c103

    SHA256

    1ea442a134b2a184bd5d40104401f2a37fbc09ccf3f4bc9da161c6099be3691d

    SHA512

    a145800e53a326d880f4b513436e54a0ab41efc8fdd4f038c0edae948e5ae08d2a7077d5bb648415078dda2571fe92c4d6fa2130a80f53d9dd329e7040729e81

    Download Submit

  • memory/4892-26-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4892-29-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5376-7-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5376-8-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5376-6-0x00000000754D2000-0x00000000754D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5376-25-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5376-2-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5376-0-0x00000000754D2000-0x00000000754D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5376-1-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5552-35-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5552-36-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5552-43-0x00000000754D0000-0x0000000075A81000-memory.dmp

    Filesize

    5.7MB

    Download