Analysis

  • max time kernel
    143s
  • max time network
    157s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64arch:x86image:win11-20250610-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/07/2025, 19:22

General

  • Target

    d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe

  • Size

    1.4MB

  • MD5

    92053d03dfac0312694b042bee1b1c10

  • SHA1

    526c7708e9cc2d57b1b0a533e732a1394e73b7ba

  • SHA256

    d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef

  • SHA512

    c09d98ec4561e342804776f2eb6a6c99b78a6fc7c741a77aa107904a4bca07b1721b73ce3662c6dffeeac664f731e465657b267b219ac901a67bfce1e7d8ae6f

  • SSDEEP

    24576:sjHPOSOkx2LFscUQPxuZ98Es8k3OH3C0rQ6+8pKJJFo3Q+qdCOKIbA0I:sTGkQy5QZuTtS0rQMYOQ+q8CE0I

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 5 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe
    "C:\Users\Admin\AppData\Local\Temp\d2dc049d4401de82f358542b503707618921b6e8af9a3858432c87e280925cef.exe"
    1⤵
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:540
  • C:\Windows\Syswow64\6d7574ba
    C:\Windows\Syswow64\6d7574ba
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:868

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\6d7574ba

          Filesize

          1.4MB

          MD5

          2e537961f39f94214e0bf2fdde8a79b0

          SHA1

          ae8e233648517b8f849c3b152953e6c6118a2507

          SHA256

          8f28e6e3d3cc95c3b7163b51ce46f1d115f13319955087ee85556ae87e902c0b

          SHA512

          142523fbff7af81f6477c06c749166555050d295a84e9e583cbcf849178412e2e93a2d5fa5339f21989e98dd3bc1ff5cc311de3242bd6b12b72f61433ba20094

        • memory/540-0-0x0000000000F20000-0x0000000000FA9000-memory.dmp

          Filesize

          548KB

        • memory/540-10-0x0000000000F20000-0x0000000000FA9000-memory.dmp

          Filesize

          548KB

        • memory/540-21-0x0000000000F20000-0x0000000000FA9000-memory.dmp

          Filesize

          548KB

        • memory/868-4-0x00000000008C0000-0x0000000000949000-memory.dmp

          Filesize

          548KB

        • memory/868-12-0x00000000008C0000-0x0000000000949000-memory.dmp

          Filesize

          548KB

        • memory/868-22-0x00000000008C0000-0x0000000000949000-memory.dmp

          Filesize

          548KB