Analysis

max time kernel: 102s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 19:22

Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe
Resource: win10v2004-20250502-en
General

Target: SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe
Size: 416KB
MD5: 79875579217d38930dfe270fd7e14df1
SHA1: 64138d4d9e4e6615ae74083e14726bcd90e88ff9
SHA256: 3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27
SHA512: e52c0a297a36d11af497c1531427b8674c7f3de67cf277855e3685e5e5a28febb7effa68864b521b324c32b4fa253a394c1e05f7893847e4c7167d94fac6ccc3
SSDEEP: 6144:ZPUIrO0NCh31Alxujw54YsnLiO1ptnvT0lAkuW8GUi/83FrPKoTIf504AO4n2/jd:ZPUIrO0NChSlMw4vn7T0lAnW8BKhj
Malware Config
Signatures

Downloads MZ/PE file (1 IoC)
  flow  pid   Process
  26    1724  nudwee.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation  SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation  nudwee.exe
Executes dropped EXE (14 IoCs)
  pid   Process
  1724  nudwee.exe
  4484  Ptufpfa.exe
  3796  nudwee.exe
  3660  Ptufpfa.exe
  3224  Ptufpfa.exe
  3040  Ptufpfa.exe
  3356  Ptufpfa.exe
  5844  Ptufpfa.exe
  3240  Ptufpfa.exe
  2104  Ptufpfa.exe
  1400  Ptufpfa.exe
  228   Ptufpfa.exe
  6116  Ptufpfa.exe
  5808  nudwee.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  25    raw.githubusercontent.com
  26    raw.githubusercontent.com
Drops file in Windows directory (1 IoC)
  description   ioc                          Process
  File created  C:\Windows\Tasks\nudwee.job  SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nudwee.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Ptufpfa.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process      entries
  4484  Ptufpfa.exe  20 (all identical)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4484  Ptufpfa.exe
  Token: SeDebugPrivilege  4484  Ptufpfa.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4520  SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe
Suspicious use of WriteProcessMemory (46 IoCs; identical rows grouped, with the number of entries per row)
  description                        pid   Process                                              procid_target  entries
  PID 4520 wrote to memory of 1724   4520  SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe  84             3
  PID 1724 wrote to memory of 4484   1724  nudwee.exe                                           92             3
  PID 4484 wrote to memory of 3660   4484  Ptufpfa.exe                                          96             4
  PID 4484 wrote to memory of 3040   4484  Ptufpfa.exe                                          97             4
  PID 4484 wrote to memory of 3224   4484  Ptufpfa.exe                                          98             4
  PID 4484 wrote to memory of 3356   4484  Ptufpfa.exe                                          99             4
  PID 4484 wrote to memory of 5844   4484  Ptufpfa.exe                                          100            4
  PID 4484 wrote to memory of 3240   4484  Ptufpfa.exe                                          101            4
  PID 4484 wrote to memory of 2104   4484  Ptufpfa.exe                                          102            4
  PID 4484 wrote to memory of 1400   4484  Ptufpfa.exe                                          103            4
  PID 4484 wrote to memory of 228    4484  Ptufpfa.exe                                          104            4
  PID 4484 wrote to memory of 6116   4484  Ptufpfa.exe                                          105            4
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.MalwareX-gen.24464.28302.exe"
  PID: 4520
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe"
    PID: 1724
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\10000100101\Ptufpfa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\10000100101\Ptufpfa.exe"
      PID: 4484
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\10000100101\Ptufpfa.exe (ten child instances)
        Command line (each): "C:\Users\Admin\AppData\Local\Temp\10000100101\Ptufpfa.exe"
        PIDs: 3660, 3040, 3224, 3356, 5844, 3240, 2104, 1400, 228, 6116
        - Executes dropped EXE (each instance)

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe
  PID: 3796
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe
  PID: 5808
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 3.5MB
MD5: b50b319f925e236b32c5538584eddd64
SHA1: a21246660fa53198bed7689b268940209144cb0e
SHA256: 40fbf427d09a81e1faf2ef856a73f92c0b3f4c8e814db9700bdcb1c8f228781c
SHA512: e93baaf153cc3cbd897fbffec4296ad4b0888c9b67a6b1c93051d2c2c10dfa502e723be354b16b520edfe02f94a98140fb4467baf7259306c340fedac6d80a82

Filesize: 416KB
MD5: 79875579217d38930dfe270fd7e14df1
SHA1: 64138d4d9e4e6615ae74083e14726bcd90e88ff9
SHA256: 3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27
SHA512: e52c0a297a36d11af497c1531427b8674c7f3de67cf277855e3685e5e5a28febb7effa68864b521b324c32b4fa253a394c1e05f7893847e4c7167d94fac6ccc3