Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/07/2025, 19:23

General

  • Target

    f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe

  • Size

    4.0MB

  • MD5

    864270cb27584f05d35e5f4570c1379f

  • SHA1

    5405fdced4ff4210cc6b759c980ea1aa1fe59c0d

  • SHA256

    f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae

  • SHA512

    5245605308612cee9801e3b0ff71ad7ee9075f79ad7fd61e3d4e781248950ee59b739ca16dfc08cf18194e914ace079a56d54e4e7fa309cb8ddb4c5c9b316500

  • SSDEEP

    98304:nnKl2qOb2lP8ssYoJxKkyWsM0r1QnfKHV0Fe7:nCNDtojKL2Kqo7

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe
    "C:\Users\Admin\AppData\Local\Temp\f3a2004a051be73f194df6c23d67fdf41ba0e75541533cddb3d597f5dfc4f5ae.exe"
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5408
  • C:\Windows\Syswow64\f3e6fb70
    C:\Windows\Syswow64\f3e6fb70
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5052

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Windows\SysWOW64\f3e6fb70

          Filesize

          4.0MB

          MD5

          d0c4f55d3fce3a91f97f636604c0537f

          SHA1

          2de1d1c27224745c9d6fcbbf210823b08856ad00

          SHA256

          27ffb8a7469dec29ab0cecd1f4453685b652e3ecfea02cf15018b11519a09977

          SHA512

          2c94b3e677f7c80e59ee591dbc93c5a2f25c56675fc42ed55a9e0fcad25088275dc8d09afd8e9bc6e25e001325a5464e56d47477ed7318df7ce9f62d2b0e0bd4

        • memory/5052-4-0x0000000000C10000-0x0000000000C73000-memory.dmp

          Filesize

          396KB

        • memory/5408-0-0x0000000000180000-0x00000000001E3000-memory.dmp

          Filesize

          396KB