Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
19/03/2024, 23:52
General
-
Target
b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe
-
Size
90KB
-
MD5
d73e565f8a2fc8ed530d3f9c1c2effd0
-
SHA1
89152dac91d3d5aea080d7303e5f924a7f87d893
-
SHA256
b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a
-
SHA512
3cb4a8109dad68cb1f0a99383dabf77e1c49eb473d5347aee830586e57d3a169c2b8002d4625d3421b29edf03bba17c6f0551106c9679f8210d815c36c246132
-
SSDEEP
768:Qvw9816vhKQLroyU4/wQRNrfrunMxVFA3b7glws:YEGh0oyUl2unMxVS3Hgz
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe"C:\Users\Admin\AppData\Local\Temp\b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E070B2A8-36BA-45da-BAD9-F29540CB0F59}.exeC:\Windows\{E070B2A8-36BA-45da-BAD9-F29540CB0F59}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F4683618-36FD-4168-9A58-327220C2749C}.exeC:\Windows\{F4683618-36FD-4168-9A58-327220C2749C}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6EE418C5-9516-4bc4-92F0-735B6B93C4DC}.exeC:\Windows\{6EE418C5-9516-4bc4-92F0-735B6B93C4DC}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BF77C2A2-D3A2-4315-B577-BFB751071011}.exeC:\Windows\{BF77C2A2-D3A2-4315-B577-BFB751071011}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F925BBA1-BDC8-4a8c-9659-B63EB08C303A}.exeC:\Windows\{F925BBA1-BDC8-4a8c-9659-B63EB08C303A}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DEB99764-C2D1-4fe5-8A71-8FB38DA5490E}.exeC:\Windows\{DEB99764-C2D1-4fe5-8A71-8FB38DA5490E}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{952C8B3E-B28F-409a-B6D8-81A4EAF99F65}.exeC:\Windows\{952C8B3E-B28F-409a-B6D8-81A4EAF99F65}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{327CF471-EC2B-479c-9408-2E76B7744991}.exeC:\Windows\{327CF471-EC2B-479c-9408-2E76B7744991}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7CC8A94E-77E0-411b-AF40-F2D1C8918C45}.exeC:\Windows\{7CC8A94E-77E0-411b-AF40-F2D1C8918C45}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EC34B392-A249-481e-95AA-27E953AB1030}.exeC:\Windows\{EC34B392-A249-481e-95AA-27E953AB1030}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0D9AFD31-CCCC-42a3-AA45-85FA31AC0088}.exeC:\Windows\{0D9AFD31-CCCC-42a3-AA45-85FA31AC0088}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{978449AB-59B6-4728-8224-8C093FC4AE0B}.exeC:\Windows\{978449AB-59B6-4728-8224-8C093FC4AE0B}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0D9AF~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EC34B~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7CC8A~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{327CF~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{952C8~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DEB99~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F925B~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BF77C~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6EE41~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F4683~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E070B~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B349B2~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD5bb3de94d23d04be980d7e3efbfb8ab44
SHA115fb541d6764609a43638e0227a9383436197932
SHA2568bd580ac94805399c5a4efb12e242c7548447739df45f4504e0f103f4439a931
SHA512071eed8b18511341533f46315488c78860716b7cde36e9db94c9fbae8cd31f6b66a4f5d96bf6ef703a0078ac82290a487c7d60a1cd6eb968f6dccb27bf6db6ef
-
Filesize
90KB
MD51baa7d48d4d455da41787ee811a89504
SHA1266bc22cf41f95661b1387b20f2af1c084fd61aa
SHA256256f584e09b70e48e6d7b523404e4e2ee07785070dd8b1576b8387c27195af74
SHA51252f1b5ea56f50631c977705a73fdb5287efa915ef99b1577821ad0d0786433a6b424413ccba4f60498b0099c029580219559ffc04e5932e22f6374822553340e
-
Filesize
90KB
MD522a37404d731ae8d580588fd9cc75bfc
SHA120f41d41b5a052ca5a4a83ca34d75a46bd6cf487
SHA256ced64d9359713bf19c8424d4df2d9b29497044e5bb7f9e4fa8843097cc5cefc3
SHA51231d0719dc1749268d5943252332e5e4c65a23d63f1129f80ae2e4c3fe0a8b522d7caa882ca7faa9b3c1c415571118074c63bee9b840d37bcfcefc9cd2b93c0d1
-
Filesize
90KB
MD5e8769b9e5a060881bad6c8e82da36bf3
SHA1afd62f98281e3b1511cc58cfbe55c0883eb4a314
SHA256f0f51fc43e5734a9e8e788a4564f8bd738d822827d6f417da7b2647892d28a4b
SHA5121ee62c1d82427c20ec5a9cde2990e0259515fe21d819068790ab88792e9680a1f5feb75a571f6dfeb85c687157e18e6a6e3d352fad7361ab4c257465ec046ea0
-
Filesize
90KB
MD5e5c580931d5bf269f61eca18a1b9b145
SHA180ba5c0c790bc634c9977fbcd618855f7bc7c58b
SHA2567a749114d3c89395559725eb71262e4209f7c8b91fda678dcfff241d256ad8b5
SHA512907fe7ecb959fe409101aaf88395283f783f32beb792af1cc8c3ee5f5ba226e493bbeb78c400d7546d43decb4a3daa540f94e594a3b8c9c4deaf051a74a894ca
-
Filesize
90KB
MD5c523da647516506758016b3125db36c0
SHA15dbe8b3538f3ca1b6648439190d53761b071f1e9
SHA25678c32e72192307aef4e590b572d526c381632b82353b3ea8d43fd2450474c280
SHA5124a62cee6d88818b9e00b6771834d8c64ee97cf42cb7c70d45826c8b147f40271eb71c665452819508711b40627364e3ca3e689a4cf7f01d435bb18a8fd9808ae
-
Filesize
90KB
MD524aa932283d986de7ac91419e9b039d2
SHA149409b34789e2191d4086c0d79b3539066c47602
SHA2562b51b1689ba6af6760f8c0f31b7a3ff023dbfd2221fa8c56890f2b3f4d00e505
SHA512da969c017c69c81267338e6bd94e177ab7a40d0946eb1528a2e9e07b21e1122f5c058c51cb178be75186ff258fafc9a5d440c140d826c13cf3683846a56f016f
-
Filesize
90KB
MD54e8c62f8047838a669a86ffb6041b422
SHA13d0c937174e612e4b238c44cce262d76a987870e
SHA25640289ff2c8da99bae2b639b12d186af8e23caf61a5c861f972fc3d02752c177a
SHA512b5c39f5d5ea402d44381d5dad41efe6042d38396a611404e491392e9a75ab5fe90eb8ce7bcc7c470af6085dcdbdbd472c6c4ff2eed83a9f3abe319aa83f28df4
-
Filesize
90KB
MD53ad723046f0980940d9cec40ad90a3a0
SHA157f82d4f365f420e536494d5b81fd2d32a4ec5e9
SHA25678b49340c1e3f85e76ed49a778bf09dc45ff59dde571848fca4f31ead0181593
SHA5127aeca8bed04672d92cd68b9201c26da493bd9c0674e627f57e4e4db88585feef24c22efed00e3a71a91577b9538a883a0671547de5c55f813eaf15f7579fe532
-
Filesize
90KB
MD5ec5c6ae2014a4f6aab95416cf3377807
SHA1a287a6aea657d19e167c762178f6a1ab46115344
SHA2566e9e76da8024423ae3d39c2bbaa6e14acbe9dd2055b95530fba173a5b358f055
SHA5129a6c6ad6544818d3a8e6d968435dbde97d603ce2be68e21d45cfea09ddc59847286049e97da8ed3a2959347ad6391db794d0dd0f61e1e1ae114ae4bc57455d13
-
Filesize
90KB
MD53ae9d0cec0fa8042dc4bacb37bba7339
SHA1b980175cb49614400994a684cb630277888e68a4
SHA2567b0a755578253749e02d3130672fad75bbcf2111e4913c681f672f80b20d24fa
SHA512d937b2e1b1998228b7f221063965321b901d2c0db89dfe2c34b02a9fa165de3d2b841669faeb5c1cb4066f586bb58ac74371e43611dcf217ae67e5184e2051f1
-
Filesize
90KB
MD5b931ee54754bc70d1d79d1b92ec3e95c
SHA14644e29a75f2e325b9b26f919cf598019e394fac
SHA2567c1b3b466b4653abfff7f393ae30f6df2678620fe94595f8acbe947beb0f7b94
SHA512238049f53bccdf931a6e65f5eaecc2855ba051412edcf41cf3e300bf0cf883d29a1f61b9f3b70c7d5d72dd8daf2c3ad4d27fa0c0b73db13c1d09e4d195484736