Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64arch:x86image:win11-20250610-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/07/2025, 19:23

General

  • Target

    ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe

  • Size

    547KB

  • MD5

    cfcbf7707ba928c5d861d65264fa4e20

  • SHA1

    7fa7523512fd558a08d5c2feffe12bb5be39c359

  • SHA256

    ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc

  • SHA512

    45b3657c29fd7f5943bc2233002a9c5ccd59bcb3580f04d7172522ec37f51b43aaf2f8713490e5f3dba735ac2b368180a6ff1ab27540285b6d27c8260d95d5b3

  • SSDEEP

    6144:VcTgav1cdCTuoPbgwmOLJvKRILSFvdFDcEOkCybEaQRXr9HNdvOaxy8KARG3:VSvO2x9mONvKRILSFnOkx2LIaxy6RY

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe
    "C:\Users\Admin\AppData\Local\Temp\ad506ac55863fd5c1a38e5eff037c9d46968e98aba3044c2e04e3eb8e82313bc.exe"
    1⤵
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1328
  • C:\Windows\Syswow64\fda805ec
    C:\Windows\Syswow64\fda805ec
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1640

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\fda805ec

          Filesize

          547KB

          MD5

          e60e376ca2282fcde714c066fb6e5ddc

          SHA1

          6ee845e09584de80f2bac607ebf3bf52fea5e004

          SHA256

          6c5d507b682811e018c15476f5de916484aa664ffd654ffada0f5aa59d316303

          SHA512

          23ebb57fe2931f7581c0fb0017a8342e67fed901ba54d6866101f40b6d9553ccd349ac71151f316000c9609d9a43155dc969b830987d98ec676594fb50b50454

        • memory/1328-0-0x0000000000F80000-0x0000000000FE3000-memory.dmp

          Filesize

          396KB

        • memory/1640-4-0x0000000000410000-0x0000000000473000-memory.dmp

          Filesize

          396KB