Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250610-en -
resource tags
arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system -
submitted
02/07/2025, 19:25
Static task
static1
Behavioral task
behavioral1
Sample
77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe
Resource
win11-20250610-en
General
-
Target
77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe
-
Size
871KB
-
MD5
56da2f6b254b5f36cbade3b9179547b8
-
SHA1
317d20db189d011a0f4cca9ddf5f45d0292bf2e2
-
SHA256
77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859
-
SHA512
145f165de16288f22fe3d3224dad9214d90c243f774ae18149f8551c96803b2c4caec2acab1b21047d42c5c3ca0033654ef2af6f025bfab5d0a9ce98298ba059
-
SSDEEP
12288:gSvO2x9mONvKRILSFnOkx2LIaxya5FAQjU/Lik8CQ3uEuZ9oawhtyybA:7vO2xJKRI2FOkx2LFEvcUQPxuZ98c
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 652 3942b6f5 -
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description flow ioc pid Process Destination IP 1 114.114.114.114 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Destination IP 28 223.5.5.5 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Destination IP 48 114.114.114.114 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Destination IP 53 223.5.5.5 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies 3942b6f5 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 3942b6f5 File created C:\Windows\SysWOW64\3942b6f5 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 3942b6f5 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE 3942b6f5 -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\b2998 3942b6f5 File opened for modification C:\Windows\194508 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3942b6f5 -
Modifies data under HKEY_USERS 8 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 3942b6f5 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 3942b6f5 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 3942b6f5 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 3942b6f5 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" 3942b6f5 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 3942b6f5 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 3942b6f5 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 3942b6f5 -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 652 3942b6f5 652 3942b6f5 652 3942b6f5 652 3942b6f5 652 3942b6f5 652 3942b6f5 652 3942b6f5 652 3942b6f5 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Token: SeTcbPrivilege 1476 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Token: SeDebugPrivilege 652 3942b6f5 Token: SeTcbPrivilege 652 3942b6f5
Processes
-
C:\Users\Admin\AppData\Local\Temp\77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe"C:\Users\Admin\AppData\Local\Temp\77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe"1⤵
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
C:\Windows\Syswow64\3942b6f5C:\Windows\Syswow64\3942b6f51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
871KB
MD544a11fba20fceb104ef77af5c7ee25d2
SHA12ba264948710cfe4e1a7016d88386c3d50fc9d5a
SHA256b6477af9244e75d11316d1d10cf4d4e9f601b841c20e0ae81703bf71c0a2d23d
SHA512d5a7c68f3e10398c7cc46907a7d3e65f79bd3fa45dc1195eff3ef479aee90a435e7834bd5fe929433f839083eee574e40ade0f29b2ddc02fe7c2359e0213193e