Analysis

  • max time kernel
    151s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-03-2024 01:23

General

  • Target

    6538f3adde737517d34a8746dadeaff7.exe

  • Size

    192KB

  • MD5

    6538f3adde737517d34a8746dadeaff7

  • SHA1

    34795b3256e1c1cc3f214b77a65b97e259844822

  • SHA256

    7ed34929829fd3d141c5c67d69906b1264fb982f4b88d7db033ddd0269d5d8a2

  • SHA512

    0926e6dc2274144ca76f5e3e6c315ab24c50e9e52cfc8a1c14a7fd4dce551d0ef974713f19afc8f325a6db52c8209b311d13dbc4b526f5f28b4501887a1e9822

  • SSDEEP

    1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o4l1OPOe2MUVg3Ve+rXfMUa

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6538f3adde737517d34a8746dadeaff7.exe
    "C:\Users\Admin\AppData\Local\Temp\6538f3adde737517d34a8746dadeaff7.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe
      C:\Windows\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe
        C:\Windows\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\{3484F4E6-052E-4f7c-889D-E6137F872E93}.exe
          C:\Windows\{3484F4E6-052E-4f7c-889D-E6137F872E93}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe
            C:\Windows\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1948
            • C:\Windows\{04A18332-B12E-413f-916D-AF45474EAE4D}.exe
              C:\Windows\{04A18332-B12E-413f-916D-AF45474EAE4D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2908
              • C:\Windows\{3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe
                C:\Windows\{3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1472
                • C:\Windows\{A070C967-6747-4db1-B99C-897F3889119A}.exe
                  C:\Windows\{A070C967-6747-4db1-B99C-897F3889119A}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2668
                  • C:\Windows\{F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe
                    C:\Windows\{F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1656
                    • C:\Windows\{A83AF555-2F0E-4a19-998D-62CC51471A15}.exe
                      C:\Windows\{A83AF555-2F0E-4a19-998D-62CC51471A15}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1396
                      • C:\Windows\{EBA0BECC-660A-41c9-88C7-6AA625037830}.exe
                        C:\Windows\{EBA0BECC-660A-41c9-88C7-6AA625037830}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1808
                        • C:\Windows\{8DF39A86-C685-4972-A643-72197C0C5AE0}.exe
                          C:\Windows\{8DF39A86-C685-4972-A643-72197C0C5AE0}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1876
                          • C:\Windows\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D}.exe
                            C:\Windows\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:436
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8DF39~1.EXE > nul
                            13⤵
                            PID:2040
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA0B~1.EXE > nul
                          12⤵
                          PID:1944
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A83AF~1.EXE > nul
                        11⤵
                        PID:2996
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F665B~1.EXE > nul
                      10⤵
                      PID:876
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A070C~1.EXE > nul
                    9⤵
                    PID:2848
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3AA15~1.EXE > nul
                  8⤵
                  PID:2820
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{04A18~1.EXE > nul
                7⤵
                PID:2680
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D714C~1.EXE > nul
              6⤵
              PID:2892
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3484F~1.EXE > nul
            5⤵
            PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9D7B5~1.EXE > nul
          4⤵
          PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81962~1.EXE > nul
        3⤵
        PID:2968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6538F3~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Downloads

                        • C:\Windows\{04A18332-B12E-413f-916D-AF45474EAE4D}.exe

                          Filesize

                          192KB

                          MD5

                          ee0653c76ef601eb39cba569f46368a4

                          SHA1

                          ffba063e6ea2d90b8ef309b3f283b03146c878a6

                          SHA256

                          5269ca7fcba81c50aeebd168e48d1de0bc57692c0b14f4bfc7edf5d3729d86b4

                          SHA512

                          db23eecaa6243b8164d263cd0f793a08d54e841c18177c020b10ea210951c29b4cbc774a61b788bd7338f0b07a7cb269d748ea92bba810a1f0f31d417e8c60d0

                        • C:\Windows\{0CF71C1B-D84A-4a87-A95B-B1260E4A964D}.exe

                          Filesize

                          192KB

                          MD5

                          52ef1a7d74d6c503ac8716220e293817

                          SHA1

                          6bda25044c240250e1a707762a44a2fea2f077ac

                          SHA256

                          6a3883bc5849ad7a0a610e2d0d7e1e035c90779645cf867857186e8bdcc695ca

                          SHA512

                          31ee3d492f106b71a3e6d1f1488ea5ae0415b2565e8f3d88c6c42ce17ceb5d4e02c9b01e8cfffd9f0c28767a5acbf0568d0c68676ed40bd89eb77d1d4efb1e39

                        • C:\Windows\{3484F4E6-052E-4f7c-889D-E6137F872E93}.exe

                          Filesize

                          192KB

                          MD5

                          e9d6e7a7196e6c0d20cb469dc1253c79

                          SHA1

                          7f113f6999972b9014d139fefc5a23ef07bc2ad0

                          SHA256

                          3a711faa0a5749b95397963b80c1106882df7e9f8799c0c52fa8ccf317bff2af

                          SHA512

                          68626332cc6191194f8248044f7defa22d28cf307214932fe813ef0b256886ead54fd888cadcf73a395acee53394a449f714327b91dc882cc31b0eaec654eb6a

                        • C:\Windows\{3AA15387-7A76-41ba-8B20-0453263D9FFB}.exe

                          Filesize

                          192KB

                          MD5

                          d8455c3fb1dda79ba8fe62a2d304a2ba

                          SHA1

                          5980196c9e247f45205812b1fc396941e329ac50

                          SHA256

                          8383afeaa95c284d93e0772d59db599bf1d10e35e420c7c3380908d1dabd338b

                          SHA512

                          4326f327201f2096459b7f1e2f83d84673aa305b32385ef7b1d14f8c8dc6a6b0f67b12f6b58b06fba23b871abd8a60e095363d2b44e2facbdeabebe710f22d8e

                        • C:\Windows\{81962FF1-09AF-4fd3-A82C-B4A554DF8BE3}.exe

                          Filesize

                          192KB

                          MD5

                          9e7d8cf155d5e5010c02cbad2c963de1

                          SHA1

                          8daf9bed78c08527fb2a602e2d9c97fbad384053

                          SHA256

                          57b43fbf9259f2b0557624ddc25261a2d3d6b6f54bc0515e5a399872a2f13421

                          SHA512

                          3f1d6c4faca2d3575f017d2f95547ca643345805312174c8b762b8fb1c31ea0dd8e60793f77cd642adf4eced32e38efbb93ac55db2d56c9881a570d8219fcd01

                        • C:\Windows\{8DF39A86-C685-4972-A643-72197C0C5AE0}.exe

                          Filesize

                          192KB

                          MD5

                          c9a5c34e4993ad4123a99f9a9841785e

                          SHA1

                          c8fcce0589671cf334fbe576882a3198c34a1df4

                          SHA256

                          6a07828bc03afd18cdbbd8f90cfce1dd7e02be443ecc59104c0fe61b45bf83bf

                          SHA512

                          024ab8f7e254c7da091fe3247d4044be93fab9eb2f360a1f4bf6bbf2b60a52edeb30a0bd95a7a80fbcee68c26de5ebe1cd1fe0ddf9acb8b8e9a64d4444c70e5c

                        • C:\Windows\{9D7B5510-7A5E-4678-BF37-FAECB3FBB4D6}.exe

                          Filesize

                          192KB

                          MD5

                          b901aad1c64af513ccdde3c59a8a4e22

                          SHA1

                          4c40cf77a2c4d1a5a15e83294d5d672dd8ec5a7b

                          SHA256

                          a4de343aa17ba72e4d30aa5033c76669ccbb81332f25dd59573a77490db3753a

                          SHA512

                          6a7bc8e340891cb2159e5b97e1261516a6fc5929a15cc4f058818bdc34156eb420e46d38973a069f711bfbfba4135dd0302d85a9e2039d885ce4d25f3e31d7a6

                        • C:\Windows\{A070C967-6747-4db1-B99C-897F3889119A}.exe

                          Filesize

                          192KB

                          MD5

                          3f2d450997a041613ca56a59781a0054

                          SHA1

                          ed63bcabbb7a9b8b00db493349ca908c423965a8

                          SHA256

                          50e0afda65998bcee3c45b197da441c3c4a2097435a36e12baf028daa180d905

                          SHA512

                          2cb524e2d8ec959b1305c95374378ae531196caf7a517a6a829600c373bb858639c636e8fab7b13201af78f54a3b1e145f6ac6e61faaf9d2edc753632ed0777c

                        • C:\Windows\{A83AF555-2F0E-4a19-998D-62CC51471A15}.exe

                          Filesize

                          192KB

                          MD5

                          4c81aad96152ccbe0c927a6025eac57e

                          SHA1

                          142fa2245da6572f369429143cb55df087bbac84

                          SHA256

                          1b3177e5185abfdf3d7784faac82249eef58479b7b1198cfd332263f72a64e68

                          SHA512

                          841279ba2906504f66c7002949349f37d50b076c4350158ab52fa1c419d56cb7389f7b55a1c6c397083418342f7f210b81f5b83d0e49725bc51a0c8bf391e73a

                        • C:\Windows\{D714C5EE-65CF-4fff-B46C-7F50977A1ECE}.exe

                          Filesize

                          192KB

                          MD5

                          d8561d45f46d5fd0ad86fc4be0ef61dd

                          SHA1

                          8c7d98452e95efc32f23688f4e84c53f74f62019

                          SHA256

                          fc365b23ebe26889c0c1560faf11477a09dbdf11fc94eb3324b3e0efaa244b47

                          SHA512

                          f0074e9f91fbdd05279ff8fd74d956eb182e7a9995a82eb47748c70a8abceb64bdad696a387bbc711916cdd4e3bca6b3e585064b29a8c8f6713f721a8232b3ba

                        • C:\Windows\{EBA0BECC-660A-41c9-88C7-6AA625037830}.exe

                          Filesize

                          192KB

                          MD5

                          aa6560e57b89f76cf92cfa05a7f90c54

                          SHA1

                          f6dc1c5603e163015f0537a53193236208168ed1

                          SHA256

                          673506d9b5066d12bd34978a83a7b948d29c73ff226fe3a74a35bc87e0ead3c9

                          SHA512

                          32fcbcd6dc4081dfbfa5ee58f768224e611b8d5e0268b1bc2dd6c42c5392c0ab1298265b23ee8fb6560f99d4eee6055c5cefcae466118fd1e7762fc7dc6426c3

                        • C:\Windows\{F665B63C-3424-442f-8629-9DBEA8E0D85A}.exe

                          Filesize

                          192KB

                          MD5

                          fad479a0a82b05d8ef395778a655aa40

                          SHA1

                          11aa740110b77c560088377739f196e01cdfd597

                          SHA256

                          01cbd471381b74bf98741392f7efa932e29f26920de5b5e8c2de4d15c6ef22fb

                          SHA512

                          d176a63e470564602979e255395fbff8c4bb68eb8940ff9ce991dc69c9aa23d3667cb8e0dc46b98be1f727f756ff00c3bf9b9734606ce7a58c39e5288999e60d