Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows11-21h2_x64 -
resource
win11-20250610-en -
resource tags
arch:x64arch:x86image:win11-20250610-enlocale:en-usos:windows11-21h2-x64system -
submitted
02/07/2025, 19:25
Static task
static1
Behavioral task
behavioral1
Sample
77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe
Resource
win11-20250610-en
General
-
Target
77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe
-
Size
871KB
-
MD5
56da2f6b254b5f36cbade3b9179547b8
-
SHA1
317d20db189d011a0f4cca9ddf5f45d0292bf2e2
-
SHA256
77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859
-
SHA512
145f165de16288f22fe3d3224dad9214d90c243f774ae18149f8551c96803b2c4caec2acab1b21047d42c5c3ca0033654ef2af6f025bfab5d0a9ce98298ba059
-
SSDEEP
12288:gSvO2x9mONvKRILSFnOkx2LIaxya5FAQjU/Lik8CQ3uEuZ9oawhtyybA:7vO2xJKRI2FOkx2LFEvcUQPxuZ98c
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3700 eacf3d9c -
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description flow ioc pid Process Destination IP 1 114.114.114.114 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Destination IP 3 223.5.5.5 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Destination IP 6 114.114.114.114 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Destination IP 7 223.5.5.5 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\eacf3d9c 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 eacf3d9c File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE eacf3d9c File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies eacf3d9c File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 eacf3d9c -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\3f5868 eacf3d9c File opened for modification C:\Windows\5d2280 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eacf3d9c Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe -
Modifies data under HKEY_USERS 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" eacf3d9c Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" eacf3d9c Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" eacf3d9c Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" eacf3d9c Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" eacf3d9c Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix eacf3d9c Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" eacf3d9c Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ eacf3d9c -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 3700 eacf3d9c 3700 eacf3d9c 3700 eacf3d9c 3700 eacf3d9c 3700 eacf3d9c 3700 eacf3d9c 3700 eacf3d9c 3700 eacf3d9c 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Token: SeTcbPrivilege 5440 77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe Token: SeDebugPrivilege 3700 eacf3d9c Token: SeTcbPrivilege 3700 eacf3d9c
Processes
-
C:\Users\Admin\AppData\Local\Temp\77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe"C:\Users\Admin\AppData\Local\Temp\77ec7f7faaa3660f2521981552470f72a28fad840c6d3d0674033087fe16c859.exe"1⤵
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5440
-
C:\Windows\Syswow64\eacf3d9cC:\Windows\Syswow64\eacf3d9c1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
871KB
MD51081741d546b0a9e50a243e46b2518cb
SHA1f0f793a1b76dd9692862e48ec64fea66b5f6154d
SHA25626bb28ba3ec301fdec433448aa3ed7175c519b4febef6496e119037a37e366aa
SHA5121a10ba91a3e0244552ff49fd7044af00ea64d1191d5a1371288e5a6235bddcca2044c215dd4aede85955dbef02ab525000cc5ad99db7ec45f1469150e03c9eac