Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250610-en -
resource tags
arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system -
submitted
02/07/2025, 19:23
Static task
static1
Behavioral task
behavioral1
Sample
f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe
Resource
win10v2004-20250610-en
General
-
Target
f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe
-
Size
4.0MB
-
MD5
864270cb27584f05d35e5f4570c1379f
-
SHA1
5405fdced4ff4210cc6b759c980ea1aa1fe59c0d
-
SHA256
f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae
-
SHA512
5245605308612cee9801e3b0ff71ad7ee9075f79ad7fd61e3d4e781248950ee59b739ca16dfc08cf18194e914ace079a56d54e4e7fa309cb8ddb4c5c9b316500
-
SSDEEP
98304:nnKl2qOb2lP8ssYoJxKkyWsM0r1QnfKHV0Fe7:nCNDtojKL2Kqo7
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 5052 f3e6fb70 -
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description flow ioc pid Process Destination IP 26 223.5.5.5 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe Destination IP 43 114.114.114.114 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe Destination IP 49 223.5.5.5 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe Destination IP 1 114.114.114.114 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\f3e6fb70 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 f3e6fb70 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE f3e6fb70 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies f3e6fb70 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 f3e6fb70 -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\567df8 f3e6fb70 File opened for modification C:\Windows\5c9640 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f3e6fb70 -
Modifies data under HKEY_USERS 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix f3e6fb70 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" f3e6fb70 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" f3e6fb70 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ f3e6fb70 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" f3e6fb70 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" f3e6fb70 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" f3e6fb70 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" f3e6fb70 -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 5052 f3e6fb70 5052 f3e6fb70 5052 f3e6fb70 5052 f3e6fb70 5052 f3e6fb70 5052 f3e6fb70 5052 f3e6fb70 5052 f3e6fb70 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe Token: SeTcbPrivilege 5408 f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe Token: SeDebugPrivilege 5052 f3e6fb70 Token: SeTcbPrivilege 5052 f3e6fb70
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe"C:\Users\Admin\AppData\Local\Temp\f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe"1⤵
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5408
-
C:\Windows\Syswow64\f3e6fb70C:\Windows\Syswow64\f3e6fb701⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD5d0c4f55d3fce3a91f97f636604c0537f
SHA12de1d1c27224745c9d6fcbbf210823b08856ad00
SHA25627ffb8a7469dec29ab0cecd1f4453685b652e3ecfea02cf15018b11519a09977
SHA5122c94b3e677f7c80e59ee591dbc93c5a2f25c56675fc42ed55a9e0fcad25088275dc8d09afd8e9bc6e25e001325a5464e56d47477ed7318df7ce9f62d2b0e0bd4