Overview
Resubmissions

Submitted          Task ID             Score
04/07/2025, 19:19  250704-x1mpmaxvfy   10
04/07/2025, 19:18  250704-xz7neadl5z   7
04/07/2025, 19:09  250704-xt65padl3z   10

Analysis

- max time kernel: 10s
- max time network: 8s
- platform: windows11-21h2_x64
- resource: win11-20250619-en
- resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 04/07/2025, 19:18
Static task: static1

Behavioral tasks

Task          Sample                    Resource
behavioral1   0f0cdc23_.exe             win11-20250619-en
behavioral2   $TEMP/Established.jpg     win11-20250619-en
behavioral3   NatWater/Actions.cab      win11-20250502-en
behavioral4   Agent                     win11-20250610-en
behavioral5   Concluded                 win11-20250610-en
behavioral6   Expanded                  win11-20250619-en
behavioral7   Feature                   win11-20250619-en
behavioral8   Harold                    win11-20250619-en
behavioral9   Pins                      win11-20250619-en
behavioral10  Pipes                     win11-20250619-en
behavioral11  Portuguese                win11-20250610-en
behavioral12  Pour                      win11-20250619-en
behavioral13  References                win11-20250502-en
behavioral14  Worldsex                  win11-20250610-en
behavioral15  NatWater/Almost.jpg       win11-20250610-en
behavioral16  NatWater/Brochures.jpg    win11-20250619-en
behavioral17  NatWater/Looks.jpg        win11-20250619-en
behavioral18  NatWater/Printers.jpg     win11-20250619-en
behavioral19  NatWater/Sticks.jpg       win11-20250619-en
behavioral20  NatWater/Up.jpg           win11-20250619-en
behavioral21  NatWater/Volt.jpg         win11-20250502-en
General

- Target: 0f0cdc23_.exe
- Size: 1.1MB
- MD5: 2f8393e1aa4c24d3e5e5be7b34496978
- SHA1: 1e5a0ab07c575daf9a072f69c221c6823f1d9072
- SHA256: 0c09d626762969426c58e715e6f44aa782f4edeeae4b436e7246fa3dc3713ba4
- SHA512: 5b40c6f9de5a95bf2a81de087f8cb1785e9e4f3a8835a4904a339a1ad2b873a4e1f18bff51c16d5f0018ca526dd427c695ea9e1fccb0117e8e92d173f2b56dae
- SSDEEP: 24576:N0ajgKNQm3E/UUHc0fZUaB3WvtRbOuEcNB0ysEajeYEWc:NFtE8AXfPY5E+JUfEWc
Malware Config

Signatures

- Deletes itself (1 IoCs)
  pid   Process
  4460  Smooth.com

- Executes dropped EXE (1 IoCs)
  pid   Process
  4460  Smooth.com

- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid   Process
  3044  tasklist.exe
  1192  tasklist.exe

- Drops file in Windows directory (2 IoCs)
  description                   ioc                     Process
  File opened for modification  C:\Windows\MontanaHard  0f0cdc23_.exe
  File opened for modification  C:\Windows\HoseMartial  0f0cdc23_.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  extrac32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Smooth.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0f0cdc23_.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process
  4460  Smooth.com  (18 identical entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3044  tasklist.exe
  Token: SeDebugPrivilege  1192  tasklist.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  4460  Smooth.com  (3 identical entries)

- Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  4460  Smooth.com  (3 identical entries)

- Suspicious use of WriteProcessMemory (27 IoCs; each row below is recorded three times)
  description                       pid   Process        procid_target
  PID 392 wrote to memory of 5956   392   0f0cdc23_.exe  82
  PID 5956 wrote to memory of 3044  5956  cmd.exe        86
  PID 5956 wrote to memory of 2536  5956  cmd.exe        87
  PID 5956 wrote to memory of 1192  5956  cmd.exe        89
  PID 5956 wrote to memory of 1924  5956  cmd.exe        90
  PID 5956 wrote to memory of 6088  5956  cmd.exe        91
  PID 5956 wrote to memory of 1188  5956  cmd.exe        92
  PID 5956 wrote to memory of 4460  5956  cmd.exe        93
  PID 5956 wrote to memory of 5544  5956  cmd.exe        94
Processes

- C:\Users\Admin\AppData\Local\Temp\0f0cdc23_.exe (PID 392)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f0cdc23_.exe"
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 5956)
    Command line: "C:\Windows\system32\cmd.exe" /c copy Volt.jpg Volt.jpg.bat & Volt.jpg.bat
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\tasklist.exe (PID 3044)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\findstr.exe (PID 2536)
      Command line: findstr /I "opssvc wrsa"
      Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\tasklist.exe (PID 1192)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\findstr.exe (PID 1924)
      Command line: findstr "nsWscSvc ekrn bdservicehost SophosHealth AvastUI AVGUI & if not errorlevel 1 Set WTWeCJRHnQjpWResuXaRjuzPxbYFNhbkAGH=AutoIt3.exe & Set KUauBpAncgceSqQjbhWnLryvbslsLXOSEy=.a3x & Set EvvvqBcYMSRiiQYlWBlnWuKasDttNcuTzgk=300
      Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\extrac32.exe (PID 6088)
      Command line: extrac32 /Y Actions.jpg *.*
      Signatures: System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\findstr.exe (PID 1188)
      Command line: findstr /V "Judge" Pins
      Signatures: System Location Discovery: System Language Discovery

    - C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com (PID 4460)
      Command line: Smooth.com i
      Signatures: Deletes itself; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

    - C:\Windows\SysWOW64\choice.exe (PID 5544)
      Command line: choice /d n /t 5
      Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads