Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/07/2025, 19:23

General

  • Target

    94895a7224f376f7b2fdc5d5d92fec372c0e89340f9ad556caffa37dbac09ed6.exe

  • Size

    704KB

  • MD5

    7c2c4299fdce3539ac1e8d6b2a0a2efb

  • SHA1

    e80d211bea25b1982cb013ae8c27f5f7f81be95b

  • SHA256

    94895a7224f376f7b2fdc5d5d92fec372c0e89340f9ad556caffa37dbac09ed6

  • SHA512

    194ea125def6d70090d19f3353e0b51dd76ee8741df278af17d753c59c1cd64a474fdaed6ea1fc87af8a0030946e46672262fccb25f1bbf8e9899ed4a7de13fe

  • SSDEEP

    12288:zSvO2x9mONvKRILSFnOkx2LIaxy6RJ05r:GvO2xJKRI2FOkx2LFEF

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Unexpected DNS network traffic destination (4 IoCs)

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory (5 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS (8 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\94895a7224f376f7b2fdc5d5d92fec372c0e89340f9ad556caffa37dbac09ed6.exe
    "C:\Users\Admin\AppData\Local\Temp\94895a7224f376f7b2fdc5d5d92fec372c0e89340f9ad556caffa37dbac09ed6.exe"
    1⤵
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:680
  • C:\Windows\Syswow64\c52ba20a
    C:\Windows\Syswow64\c52ba20a
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1780

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\Windows\SysWOW64\c52ba20a

          Filesize

          704KB

          MD5

          dfc74b626016133f27d647cb5b8b6d0f

          SHA1

          08b140463d15b1d5d2351dcf2f88f51f30a9ac98

          SHA256

          9af1a35783cd73cc749bf30b6e03f41f266e3664b563fe69c14d506068e81899

          SHA512

          1ace325e4fee7f54e712d6441b69ff9704f44d0ac02b14ba39ee8e96af60d68cab1b02a8b010f1d8f85eef7d344cc83f290592338299d58eea85cdb3e69c5542

        • memory/680-0-0x0000000000CF0000-0x0000000000D53000-memory.dmp

          Filesize

          396KB

        • memory/1780-4-0x0000000000D20000-0x0000000000D83000-memory.dmp

          Filesize

          396KB