Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/07/2025, 19:25

General

  • Target

    77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe

  • Size

    871KB

  • MD5

    56da2f6b254b5f36cbade3b9179547b8

  • SHA1

    317d20db189d011a0f4cca9ddf5f45d0292bf2e2

  • SHA256

    77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859

  • SHA512

    145f165de16288f22fe3d3224dad9214d90c243f774ae18149f8551c96803b2c4caec2acab1b21047d42c5c3ca0033654ef2af6f025bfab5d0a9ce98298ba059

  • SSDEEP

    12288:gSvO2x9mONvKRILSFnOkx2LIaxya5FAQjU/Lik8CQ3uEuZ9oawhtyybA:7vO2xJKRI2FOkx2LFEvcUQPxuZ98c

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe
    "C:\Users\Admin\AppData\Local\Temp\77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe"
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5440
  • C:\Windows\Syswow64\eacf3d9c
    C:\Windows\Syswow64\eacf3d9c
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3700

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\Windows\SysWOW64\eacf3d9c

          Filesize

          871KB

          MD5

          1081741d546b0a9e50a243e46b2518cb

          SHA1

          f0f793a1b76dd9692862e48ec64fea66b5f6154d

          SHA256

          26bb28ba3ec301fdec433448aa3ed7175c519b4febef6496e119037a37e366aa

          SHA512

          1a10ba91a3e0244552ff49fd7044af00ea64d1191d5a1371288e5a6235bddcca2044c215dd4aede85955dbef02ab525000cc5ad99db7ec45f1469150e03c9eac

        • memory/3700-4-0x00000000002D0000-0x0000000000333000-memory.dmp

          Filesize

          396KB

        • memory/5440-0-0x0000000000CC0000-0x0000000000D23000-memory.dmp

          Filesize

          396KB