Overview

overview

10

Static

static

10

0a36d74a14...04.exe

windows10-2004-x64

8

0b8b9525ea...96.exe

windows10-2004-x64

1

0bcbf39901...03.exe

windows10-2004-x64

10

0e5e999136...e7.exe

windows10-2004-x64

10

0fc0de254b...ce.exe

windows10-2004-x64

10

1a47c4fd5a...a8.exe

windows10-2004-x64

7

1a6ed538d9...ed.exe

windows10-2004-x64

7

1ac9b17068...d7.exe

windows10-2004-x64

8

1be6fdb2df...e9.exe

windows10-2004-x64

10

2bbbb9b0cd...b2.exe

windows10-2004-x64

10

2cda90e9e8...33.exe

windows10-2004-x64

3

2d58b1a373...aa.exe

windows10-2004-x64

5

2e966d3480...2e.exe

windows10-2004-x64

7

3a0297561d...1c.exe

windows10-2004-x64

10

3a90ad3258...8d.exe

windows10-2004-x64

6

3e76598b80...50.exe

windows10-2004-x64

10

4a5b5eb5a4...36.exe

windows10-2004-x64

10

4b482e8492...8c.exe

windows10-2004-x64

6

4bd46a2850...9c.exe

windows10-2004-x64

10

4cca8b360d...0a.exe

windows10-2004-x64

10

4e31114ffd...f7.exe

windows10-2004-x64

10

5ac2fcc4da...83.exe

windows10-2004-x64

10

5b25182d96...14.exe

windows10-2004-x64

7

5ddb366ead...46.exe

windows10-2004-x64

9

5f1364d246...bc.exe

windows10-2004-x64

10

6e0c9935ea...65.exe

windows10-2004-x64

1

6ea27426ff...08.exe

windows10-2004-x64

4

7dad12bd22...d2.exe

windows10-2004-x64

8

7db9e09e8b...71.exe

windows10-2004-x64

3

7e9af10bfe...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2025, 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe

  • Size

    990KB

  • MD5

    88d6b61f9b307ca1ba9aefbe413ca028

  • SHA1

    0a67ce5a5f48652547563812911b2d94418a0dcc

  • SHA256

    5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc

  • SHA512

    36a0c8038390bae34c05610a2396c47ef575905b205fbc4ca13dc4984a18cc42ee3d9def3664ee67fc2fe4a2f1056c59058211e1b92bdd4d5e8683d74e0a5ccf

  • SSDEEP

    12288:DpqiC/2OGAtkCP4cejGSOpRK3CnIiCSsPKplohwrsclnn:Dpo/2+ttPJLfpRK3CnHCSoWuUsE

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 4 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe
    "C:\Users\Admin\AppData\Local\Temp\5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops autorun.inf file
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\at.exe
        AT /delete /yes
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\at.exe
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\system volume information" /e /g "Admin":f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5988
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\system volume information" /e /g "Admin":f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4008
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\system3_.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\Desktop\system3_.exe
      C:\Users\Admin\Desktop\system3_.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Windows\SysWOW64\at.exe
          AT /delete /yes
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4644
        • C:\Windows\SysWOW64\at.exe
          AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2308
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\system volume information" /e /g "Admin":f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5300
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\system volume information" /e /g "Admin":f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5576
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\system3_.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5792
    • C:\Users\Admin\Desktop\system3_.exe
      C:\Users\Admin\Desktop\system3_.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4648

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    1KB

    MD5

    4a90329071ae30b759d279cca342b0a6

    SHA1

    0ac7c4f3357ce87f37a3a112d6878051c875eda5

    SHA256

    fb6a7c3edcd7b97fabc18855102a39fc4d6d3f82c0fdd39b1667807b71b9c49b

    SHA512

    f0e206053d4369437c2c0f1f90f0fd03d631e4b9859d807049b41efde823d64cf4d75c28316d932360f7c03bd409e923c8bc2d4f5959361feacecfcf101ae823

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    530B

    MD5

    1fbb37f79b317a9a248e7c4ce4f5bac5

    SHA1

    0ff4d709ebf17be0c28e66dc8bf74672ca28362a

    SHA256

    6fb1b8e593cb0388f67ead35313a230f524657317ea86271b3a97362e5ec6ad9

    SHA512

    287e1d62c9ceb660965c266f677c467fbb997c2f5dcd1d63e185e266488aafc3489ac1d3feec81d10f01ce4a72e61a8bc4e124f137ce8675a220aa7797002e74

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    174B

    MD5

    7bfb324785efda7b72fe68e776ffbf01

    SHA1

    0ce7fd5e0c43a30e6ab0c569eae1db63d64bd769

    SHA256

    62ca49e542916005953f57ce42fbf822e6c48b789ab7b0c6e21e5a5eec90f99a

    SHA512

    07a3badd8c9e2e70dc55631b7fe28ffd22ba416388242c91b076befe96b9cc5ba6a7af37f866143b8eb0a58fd414b31bd790720b5eea448c6e06464e947cbc4b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    170B

    MD5

    3b402cadecc74e66fab3979ed1e94c16

    SHA1

    8bbe374482ccc69adf9b0c973483869177ff1bd5

    SHA256

    84a08ede3bb024ea43de720e78be7fcdee4bbddb7c9a78f5f55067d5d462f7ff

    SHA512

    45667f912348f36ea92c1faf47889e2235dac499c91019ae38d84cef792553cee2baa2c6d61b9b8796811135d8826149bbb6a4899114fc6867d12da33580bf74

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMQG84ST\setting[2].htm
    Filesize

    167B

    MD5

    0104c301c5e02bd6148b8703d19b3a73

    SHA1

    7436e0b4b1f8c222c38069890b75fa2baf9ca620

    SHA256

    446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

    SHA512

    84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

    Download Submit

  • C:\Users\Admin\Desktop\autorun.ini
    Filesize

    102B

    MD5

    948c74cd98911b420ff89dac13399bcb

    SHA1

    76dfc73518f003953923b1b4f2b973f4bb56a411

    SHA256

    94a1ac3d574425ec8a3cc01675e4d787373d2a190dddd4f8ba507c49ca3fd42a

    SHA512

    b31d82ede9d48e390a50a9dcf5c4c607c62638e8bc56f473250f9a56b7967d5de948abed69bbb2c35eb0112288faa5c438316b06ccbb36d289e93952b30e2ede

    Download Submit

  • C:\Users\Admin\Desktop\system3_.exe
    Filesize

    990KB

    MD5

    88d6b61f9b307ca1ba9aefbe413ca028

    SHA1

    0a67ce5a5f48652547563812911b2d94418a0dcc

    SHA256

    5f1364d24646f22acc7127263adfb401a9c3a4655f9ecb085f931ebc9aaf61bc

    SHA512

    36a0c8038390bae34c05610a2396c47ef575905b205fbc4ca13dc4984a18cc42ee3d9def3664ee67fc2fe4a2f1056c59058211e1b92bdd4d5e8683d74e0a5ccf

    Download Submit

  • memory/1744-0-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

    Download

  • memory/1744-92-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

    Download

  • memory/3176-93-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

    Download

  • memory/4648-13-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

    Download