Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/07/2025, 19:23

General

  • Target

    f40bd31a73a8f0376fb9c672f146819aa5ba07413ae56d5c0ac21b901473418d.exe

  • Size

    871KB

  • MD5

    b08f7374c5120e9ef9b1de18da461197

  • SHA1

    2e91d7f639a155fb0ae684e66a3db17ba30f8943

  • SHA256

    f40bd31a73a8f0376fb9c672f146819aa5ba07413ae56d5c0ac21b901473418d

  • SHA512

    10f1a5afd4bf4364bd1e208c37b63aa0a7c15448cdd20d1ac85f3539e9294c96103db4c365bbbc5ff7dc9ed2af73417703827a2d2c8de71da8d031badfc96bc1

  • SSDEEP

    12288:jSvO2x9mONvKRILSFnOkx2LIaxya5FAQjU/Lik8CQ3uEuZ9oawhtyybA:WvO2xJKRI2FOkx2LFEvcUQPxuZ98c

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f40bd31a73a8f0376fb9c672f146819aa5ba07413ae56d5c0ac21b901473418d.exe
    "C:\Users\Admin\AppData\Local\Temp\f40bd31a73a8f0376fb9c672f146819aa5ba07413ae56d5c0ac21b901473418d.exe"
    1⤵
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2240
  • C:\Windows\Syswow64\c0e16163
    C:\Windows\Syswow64\c0e16163
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5924

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\c0e16163

          Filesize

          871KB

          MD5

          fd6064ffa0d73b416957f0bfc8f1c716

          SHA1

          f830fbd9e31e18d0dea97b8081f0e579c3a44713

          SHA256

          b0984aec36b2861569e3eba2ceffd640179fce1821291d767b14b1e34913dcc6

          SHA512

          8308fd8bd046ffb72b7d05ff40f9292049a10ff9c893c6700c8d9acc8c34238eda57c39635ec915c0e7d5d6efaed5e99a6051ba27abf2f8f5448cfdaecf90d95

        • memory/2240-0-0x0000000000BA0000-0x0000000000C03000-memory.dmp

          Filesize

          396KB

        • memory/5924-4-0x0000000000AC0000-0x0000000000B23000-memory.dmp

          Filesize

          396KB