Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
06/03/2024, 03:13
General
-
Target
b381c7c9b23a2dba55aa561e2cd4331a.exe
-
Size
204KB
-
MD5
b381c7c9b23a2dba55aa561e2cd4331a
-
SHA1
3c46281195ebd99b5a71cac20bc61c74a5541be5
-
SHA256
b133044ab849f7e29d6ca958bc8393345da35514af65d894ccef4323150408e6
-
SHA512
9af446c09d3691a2ce266b2b2f708a542a65c36ac2296f5c742d488fefe6a399cd3eead0f538743638d399997226eb4ba0367a992acca7e7eabd8348c9ab2504
-
SSDEEP
1536:1EGh0oul15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oul1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b381c7c9b23a2dba55aa561e2cd4331a.exe"C:\Users\Admin\AppData\Local\Temp\b381c7c9b23a2dba55aa561e2cd4331a.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EB8E0581-8817-4b74-831F-9D67B403C421}.exeC:\Windows\{EB8E0581-8817-4b74-831F-9D67B403C421}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1A30103F-F056-4e41-B8D1-054D9B8BEE28}.exeC:\Windows\{1A30103F-F056-4e41-B8D1-054D9B8BEE28}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{140A07E8-8768-4ff6-9AF3-54E7DB1DDC12}.exeC:\Windows\{140A07E8-8768-4ff6-9AF3-54E7DB1DDC12}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{86DEBF03-207D-473d-8FA6-B29ABA8376CC}.exeC:\Windows\{86DEBF03-207D-473d-8FA6-B29ABA8376CC}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E3DFC0E6-0A60-42bb-B476-028D4033F2B2}.exeC:\Windows\{E3DFC0E6-0A60-42bb-B476-028D4033F2B2}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E7D168A3-5543-4702-823D-FC6E9B088D06}.exeC:\Windows\{E7D168A3-5543-4702-823D-FC6E9B088D06}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8E33C9A1-D18B-497e-BC73-F1BDE533D82C}.exeC:\Windows\{8E33C9A1-D18B-497e-BC73-F1BDE533D82C}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3525AC3D-60EE-47d1-9B15-5592AF18A349}.exeC:\Windows\{3525AC3D-60EE-47d1-9B15-5592AF18A349}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{625D2070-C5BD-4097-B8C2-E5821D0A2D3F}.exeC:\Windows\{625D2070-C5BD-4097-B8C2-E5821D0A2D3F}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{89F050D6-456E-4742-A810-52FC9977D936}.exeC:\Windows\{89F050D6-456E-4742-A810-52FC9977D936}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{DE21D23C-18A6-4695-9151-142C7124051C}.exeC:\Windows\{DE21D23C-18A6-4695-9151-142C7124051C}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\{EC4B244A-FFCA-4cf2-8B3D-C37A98702C18}.exeC:\Windows\{EC4B244A-FFCA-4cf2-8B3D-C37A98702C18}.exe13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DE21D~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{89F05~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{625D2~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3525A~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8E33C~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E7D16~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E3DFC~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{86DEB~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{140A0~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1A301~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EB8E0~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B381C7~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD58ef882b5cd6415ef6c64e329bee382ba
SHA1966abbd0e1d61cfd1fbc5be43bb16c9953dabb25
SHA256861f9ac7c2f15ab1b3350e8a4588a0293465ffb42b14232e1a0ef3cfff4d4827
SHA512d4e9e0e05533ba22088e30771bbf96cfd8bac48cedfdf0bd4c7ca716d501c7bfb0f3a3f0e3b372e92f9b9e59f0dac2397b093a8f7096a6993a3fb161803e7302
-
Filesize
204KB
MD54441676db00c43c3089aedca754d0270
SHA1ed9dcdd603ee012f6e43198b6e9d39c15fc6e4cd
SHA2564b6c58b9b71c74051284870d4db714792424acc76b4550577e421c5d95e804d8
SHA512e75afa96138025e44195b8785c4a38729541878632d1c5d34238b5010174cc4ecf2954a0a838b78d4479574e5660953e0f5a71386789f73470e9ffafbcd0efba
-
Filesize
204KB
MD53f0bc3a7a8cdadf8616ed825bff11cf4
SHA1734dd292dde7a433b4eb1ee46f90833ea703cf6c
SHA256375b1ca032fa906dc71c2295decd84f93d93f8b2cb99e67a280fc89eee2c888d
SHA512bb45996a2289eaeaa84bf6f24020e9d415e784c7ca14aa191acfd89974bb49b6cf61003215a0e87ccfa1f3c4843f27a3324cf6b81068f33f36099396781c1305
-
Filesize
204KB
MD5ada313117e13dd9fe54159483c4bfb49
SHA1a97443e2ac9ed04ca70cc06b390be59bb165f372
SHA256324962b7baf7210c8e3a057acea3247ae8d80db20dcbc172e91e3949b58522b4
SHA5123ba4aa2278e73f187de856a93561e7488de96dfdf41a22cd7184accc6e654af65fa956a3eb32df8a9b1393929dc142b9c5d4cf3cb97773eb0416947648caba13
-
Filesize
204KB
MD5218a9fc49e987f9add7febfcf4b48fa9
SHA18685c02e06dc05b2c2b04282993d16f878423791
SHA256caa43e54ba1d2e2c127d216632e2c11e2d54a45678b8baf32c0ec7a2f4f0cf27
SHA5127b5ddf271be98836b2989f3f30eee991ab79c074df908547a3dd3304459c2b05c3c7e3b9edd45f537d20755ebc4344ca076647461081465779f586932d261eb1
-
Filesize
204KB
MD5f2cb6e01f160e2b2cba6c3ed40b37a83
SHA1d3100a8fefdaf8558b22d24d92eac8dce6ddb214
SHA256c419b840e306bfb053759fb7a56eeecfe8f0f37c62622e42a73f8a73acf018fb
SHA5122c8220a4ecaca54b4fe5b64f16dcadbdeff0a8be69f82dbb662dfe6ec27479542ddabc32341c2c16996e04f3fd6d5089ba4f67d477ecf5e7f9fbc5b659c9f382
-
Filesize
204KB
MD59c46c6481bcf79e6f608976909a87abc
SHA1bc9626be2ca73120a6a353a8ddbff38fbe1638a4
SHA256c64128078585e9d36ceeab9721afaf21911b43b01190f71fa91ec26e3c7b8f74
SHA512e64102cf867e697a144f13d2926f78f8a0d71f3e68f19ea334de30d00145070dd1b944147a4e049a94311c4d1a02f34a9a7db265d128740f0f7e3c16035ee3a8
-
Filesize
204KB
MD59cf30b6dccdb03c26d965661c4001b1f
SHA1113522ed73446eaa0344f89fe5e82e8c2fdab20a
SHA256b53f368119dc3fe2019bdb7929f3796b78bfe5bdfc242b4c1486910cf47f599c
SHA5127841cbdb8e65218a10018b328d3c203e92174634554db9fccc87f2a7b6407be0118248c8c3a8c4d6dfc752910bf9b0b94d3b9c13f35b7bdef39c2cf27c0c0cfe
-
Filesize
204KB
MD598194840be0fc63b8f5f761aea073e17
SHA188f0a5da281fe4eb8d428c612ea8788826732bef
SHA25659b6dfbfe6715ab5812e9a39ac207036fccc28ae7bcd1423699abf0bbcbcbc54
SHA5129f969dcb3d635d2a68c2747184360c283cfd14369da978009c30f317af9ae4da67deec949da70c1a41b6eb8e66b9facbadc55326ce647a9cb640e50ef5074b42
-
Filesize
204KB
MD56fe03cf9a36f009af4c141be3093aea9
SHA1180658eb6c59817c5484b30c1dd0677b48bb9e4d
SHA25670cec224632c3123e7fca5f9ace24590d7452423adac59d17a130f006d976ce1
SHA5123257531915500186507e1103b62d447411a436468b454e626674bf968f5064401bd617c1b1baad0b99519a7df2dc8691d42f1aaa40a4beb748a2566eaa2eeadb
-
Filesize
204KB
MD55a396b6ab8d41f22eabf5b0edc6583b3
SHA1b601facaeaf7069ecd9226b164931f8673ff6d86
SHA256163ece920cdf75e2add287b601e8d35b9295768a1eb7bf8c6d222afa044b9b0d
SHA5128a89d006bec06c57a50335928cf231575227abdba1ee7c51ceb3978c55b210b981fa90cb79491d5a6204436d6e21c2b628eececb39790514526c7fd74715cce7
-
Filesize
204KB
MD5a3bd2fee203b415436d90501741a77a8
SHA11e86774bdb64498ed746dcbd74be91d84f237339
SHA25630cdbb83996621700f31ce465dd83b9baf438786ce4ee459547313dab60ea48a
SHA5122e7af1bf968d050d4cb0069b135267dd85383ca46266ebcb5bcd832e1dbbf22f592204d7a0083944bbb8ce145c14c5600815374d35ad6b2ca8f8dbd4e59a5954