Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/07/2025, 19:23

General

  • Target

    89ea68d5b4d7b3287f0220966cc64c341148aa6ab3ea6d445cfad40b9bfa68ba.exe

  • Size

    704KB

  • MD5

    2517517512cd61100e76bc9a2f4de2fd

  • SHA1

    b43b55dc1f2bbc4200f78b466ef1feac5fce8b07

  • SHA256

    89ea68d5b4d7b3287f0220966cc64c341148aa6ab3ea6d445cfad40b9bfa68ba

  • SHA512

    4afed57735e3871e9db5a17bbd0df0ff8aa472fe2c0c6fdefa14a0d58c94a9d4bbfe8556094acc7f98d7f505dba275a0482ac2db03e6a0cf4cad54b07aa5d865

  • SSDEEP

    12288:hSvO2x9mONvKRILSFnOkx2LIaxy6RJ05r:ovO2xJKRI2FOkx2LFEF

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89ea68d5b4d7b3287f0220966cc64c341148aa6ab3ea6d445cfad40b9bfa68ba.exe
    "C:\Users\Admin\AppData\Local\Temp\89ea68d5b4d7b3287f0220966cc64c341148aa6ab3ea6d445cfad40b9bfa68ba.exe"
    1⤵
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2112
  • C:\Windows\Syswow64\c4f12804
    C:\Windows\Syswow64\c4f12804
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4784

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\c4f12804

          Filesize

          704KB

          MD5

          79e80ec8c3c1c8e3ca4991b0cb96d61d

          SHA1

          80e10562c9e843aebfdd7be30026f2ec72c453c0

          SHA256

          8eafab016a517b20f8b0ddfcd0df7f4f4270c19c267bf8631d4f69c30c0e65b1

          SHA512

          7d7fdcd808b784a966e7adcb3ac514d1167b4330c091c109694d17357377747b29ee98bafa9882fac36a95ec1f77bb279b2539ad71c817b1086223110c308c7b

        • memory/2112-0-0x00000000006D0000-0x0000000000733000-memory.dmp

          Filesize

          396KB

        • memory/4784-4-0x0000000000820000-0x0000000000883000-memory.dmp

          Filesize

          396KB