Analysis
  max time kernel: 143s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20250502-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02/07/2025, 19:23
  Static task: static1
  Behavioral task: behavioral1
    Sample: d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
    Resource: win10v2004-20250502-en
General
  Target: d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
  Size: 384KB
  MD5: da059465844b16c5da7a35c82f592e4b
  SHA1: 852a96260354eb86636fa47b79cef7f54866ffca
  SHA256: d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6
  SHA512: 8bc8351429ac0aa2cab0cc806de3fddb780d3b1bce0e1304d9e726bd9f4393d7c8df7266fa8844cc186437808405c80feb1c7551876eecad0d3c514dc7681fb7
  SSDEEP: 6144:NcTgav1cdCTuoPbgwmOLJvKRILSFvdFDcEOkCybEaQRXr9HNdvOaxy8Kl:NSvO2x9mONvKRILSFnOkx2LIaxy/
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid  | Process
  1892 | b0b491a0

Unexpected DNS network traffic destination (4 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description    | flow | ioc             | pid  | Process
  Destination IP | 3    | 114.114.114.114 | 2768 | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
  Destination IP | 16   | 223.5.5.5       | 2768 | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
  Destination IP | 35   | 114.114.114.114 | 2768 | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
  Destination IP | 42   | 223.5.5.5       | 2768 | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe

Drops file in System32 directory (5 IoCs)
  description                  | ioc                                                                                                    | Process
  File created                 | C:\Windows\SysWOW64\b0b491a0                                                                           | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5          | b0b491a0
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                   | b0b491a0
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                   | b0b491a0
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5            | b0b491a0

Drops file in Windows directory (2 IoCs)
  description                  | ioc               | Process
  File opened for modification | C:\Windows\206448 | b0b491a0
  File opened for modification | C:\Windows\2f63a0 | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0b491a0

Modifies data under HKEY_USERS (8 IoCs)
  description     | ioc                                                                                                                   | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix        | b0b491a0
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | b0b491a0
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"          | b0b491a0
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"         | b0b491a0
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"        | b0b491a0
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"           | b0b491a0
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | b0b491a0
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                           | b0b491a0

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid  | Process                                                              | entries
  1892 | b0b491a0                                                             | 20
  2768 | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe | 6

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 2768 | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
  Token: SeTcbPrivilege    | 2768 | d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe
  Token: SeDebugPrivilege  | 1892 | b0b491a0
  Token: SeTcbPrivilege    | 1892 | b0b491a0
Processes
  C:\Users\Admin\AppData\Local\Temp\d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe (PID 2768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d6c65fd2a9e8c1ee1cbbf3e834c9915611621b36ad6232fa5a4590edea4f6aa6.exe"
    - Unexpected DNS network traffic destination
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Syswow64\b0b491a0 (PID 1892)
    Command line: C:\Windows\Syswow64\b0b491a0
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Downloads
  Filesize: 384KB
  MD5: f7afb05043ff76406197818548fe9523
  SHA1: 23b4b82049a1b212691df3e42bd484e248610dd7
  SHA256: 4bb17f8c93377d438627e3a2d6bf250231e2b29d47e8e77dcaa5477832f6db9a
  SHA512: 03809c60bfe53f61d54888832dbeafe2a0281ba5c378c717e39e925664a50b767fa5dee100d03c44f61f7ff778951da1193910af3fd950cefb72740313add12b