Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/07/2025, 19:25

General

  • Target

    77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe

  • Size

    871KB

  • MD5

    56da2f6b254b5f36cbade3b9179547b8

  • SHA1

    317d20db189d011a0f4cca9ddf5f45d0292bf2e2

  • SHA256

    77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859

  • SHA512

    145f165de16288f22fe3d3224dad9214d90c243f774ae18149f8551c96803b2c4caec2acab1b21047d42c5c3ca0033654ef2af6f025bfab5d0a9ce98298ba059

  • SSDEEP

    12288:gSvO2x9mONvKRILSFnOkx2LIaxya5FAQjU/Lik8CQ3uEuZ9oawhtyybA:7vO2xJKRI2FOkx2LFEvcUQPxuZ98c

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe
    "C:\Users\Admin\AppData\Local\Temp\77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe"
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1476
  • C:\Windows\Syswow64\3942b6f5
    C:\Windows\Syswow64\3942b6f5
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:652

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\Windows\SysWOW64\3942b6f5

          Filesize

          871KB

          MD5

          44a11fba20fceb104ef77af5c7ee25d2

          SHA1

          2ba264948710cfe4e1a7016d88386c3d50fc9d5a

          SHA256

          b6477af9244e75d11316d1d10cf4d4e9f601b841c20e0ae81703bf71c0a2d23d

          SHA512

          d5a7c68f3e10398c7cc46907a7d3e65f79bd3fa45dc1195eff3ef479aee90a435e7834bd5fe929433f839083eee574e40ade0f29b2ddc02fe7c2359e0213193e

        • memory/652-4-0x0000000000380000-0x00000000003E3000-memory.dmp

          Filesize

          396KB

        • memory/1476-0-0x00000000007D0000-0x0000000000833000-memory.dmp

          Filesize

          396KB