Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27-03-2024 23:20
General
-
Target
afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe
-
Size
213KB
-
MD5
cbe810f442b53955e5f5e03394166677
-
SHA1
604b9a3cbdb81ae63079a7474297c0654107d7e0
-
SHA256
afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c
-
SHA512
7bdf9988ab91f0a31a0ce5a9744520f36d08db17bf4af252a14f2a06a7a7a28caa34daf52f2cde0bb19035960f76be060f963801675e125df5187a354a6ca370
-
SSDEEP
1536:YEGh0oIl2unMxVS3HgdoKjhLJhzrryLPAneS3DquFSS4efk6kF/y+Ic7e/FtPt+A:YEGh0oIlvMUyNjhLJhXrhnJ3D4IF
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe"C:\Users\Admin\AppData\Local\Temp\afbd70199058081340ac7b06e20490d4a8c7caf244de8840a106da8be8fafa9c.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1CE953D1-BD51-49a8-A2ED-645263A3F364}.exeC:\Windows\{1CE953D1-BD51-49a8-A2ED-645263A3F364}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{795EAE9F-67DA-4f44-9CE8-5B7423868B80}.exeC:\Windows\{795EAE9F-67DA-4f44-9CE8-5B7423868B80}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{89D879FE-1D0F-4837-8B57-A8872EAAB354}.exeC:\Windows\{89D879FE-1D0F-4837-8B57-A8872EAAB354}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{161DF36D-1F06-43b5-9F5F-61D73DAD0FBA}.exeC:\Windows\{161DF36D-1F06-43b5-9F5F-61D73DAD0FBA}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8EF8208C-AC47-4561-B19C-A2988DF0CC3A}.exeC:\Windows\{8EF8208C-AC47-4561-B19C-A2988DF0CC3A}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0D78508D-C976-4533-B979-8509BC0BB99B}.exeC:\Windows\{0D78508D-C976-4533-B979-8509BC0BB99B}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EA5D5A3E-4B25-4cf5-89BD-AE3B3899225A}.exeC:\Windows\{EA5D5A3E-4B25-4cf5-89BD-AE3B3899225A}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7D9DBA81-3308-4df3-827F-5FB654F3D983}.exeC:\Windows\{7D9DBA81-3308-4df3-827F-5FB654F3D983}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BE63B7F1-C712-4f13-9305-8A97EF1897A6}.exeC:\Windows\{BE63B7F1-C712-4f13-9305-8A97EF1897A6}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{33BB423D-443B-464f-858F-CCC7B6C278E2}.exeC:\Windows\{33BB423D-443B-464f-858F-CCC7B6C278E2}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{08E9245E-B9B9-47b6-805F-9C50EEDEFCE0}.exeC:\Windows\{08E9245E-B9B9-47b6-805F-9C50EEDEFCE0}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{628B6DA1-4CDE-450a-9D4C-E8745F87ADAC}.exeC:\Windows\{628B6DA1-4CDE-450a-9D4C-E8745F87ADAC}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{08E92~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{33BB4~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BE63B~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7D9DB~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EA5D5~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0D785~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8EF82~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{161DF~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{89D87~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{795EA~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1CE95~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AFBD70~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD56ebf3ad373efa10549c588e439cb52c4
SHA170ca347377419e606b092cd43b22be463e56d44a
SHA256a569592fd3e06cee8bc98f683e301843dbb68a5c87ca8e59ea5f907f0ef71786
SHA512f6dc1bca007c50d2d5a1ccd70f3c914bbf8852a2ddb417e26af465be522d0cd31d551ea827ec34825fb6d89eea00581bdcb1fd3d353b8f2f68bd1b54368ee70f
-
Filesize
79KB
MD52cee938dc6690fd3b994bd3d8904fe1c
SHA1f4770a6d89e1eff49f5cb2850bae26012f25b100
SHA2567ba077544ffbdf6f60f2fce3ea3f6815b95eaaf47c6254925716ec7d80487c1c
SHA5128f694cb0fe658b1b7cdfa1de32c2567e46873a6accd05f1eefd5441dc80820ef45ebadaf73889f25c8d673bc36b835fc7ff755c62b08c989722aedd784dbf4f7
-
Filesize
213KB
MD5ceb4d3df272995504e818517b855c558
SHA176b94ac7c28a5c1ee18a1e927e63a7736b60ed0d
SHA256969c3a607694097859ca4bb072e5b58d2649b3b45ee412f861ada01bbefea9e9
SHA512adbf6aa28829cc09edc3cd7cfad8b64c639c8a23b7665a32d85abb6b2c2d111f9e0077c1366dd3e1dfc877d79fc383cc1f88b141a53e4c88c76c3eed239bdb09
-
Filesize
213KB
MD5337e8e7891e8a58a3639da7cb0710f43
SHA169f58d33c2f80e1bfb87f49aa81228707bb73cc1
SHA256754336eda3d4977b8aee9798f018460b172371337ba8b11b04ebd2989cd84eac
SHA512b65029b9835cfd3ff864755f14e2e6d229738ac7acd8d34bb476ca67bf10d69412f2e5572620547ad3879a0e98e8e9bdbc1081249fd47e88939d32f5370ff9ae
-
Filesize
213KB
MD5493057ec8cade9d249086ee199e225ae
SHA1619e5bcf87cfed4f5946bbf82d6783e03c3ec475
SHA25619710aeb28e2910d201671b2ccb91b48a26748f39e4001a7f270858ceace761b
SHA512c1e5c0b8a8524c21252168df3793a96f6ee1ba1f3ea59667e7f0576af2556ad210d8c111c7618c353ff468b1075b7f763b05b919fcd82de91ac8d6aca9900e27
-
Filesize
213KB
MD51536d915146f0fc451cf0431f8c4c009
SHA15f3009f8a68d0d0e55965b87fc368f44d9dc2675
SHA256cf8223e21bfde030c198129dcbaf8c0ab999786f8dd7c5bdda2e036f21661f34
SHA5128e9dd825365d8e31ab3a4a10e43b8d9f70946d85d6a274c9281d6ace1d5b261623f8ef595e00eb927eae24ccaafc0b58511310850c0b84a356010e1c2bf8c0b3
-
Filesize
213KB
MD5c675ce486b10dff344f1552370f0b6ea
SHA15b78af26f0c37b9262bfa4bccb86e26d4dac10c4
SHA2568b61759066c5400aafcb0f8445a1601df2d7cb7e6e2631a7502ba13d6a48606d
SHA5122fbcae467d6a098c01eacc5cf71988e35f983189e7f0e6d4062e294a2de0b52f04a2c2ebcbb854b92608152e43dce17754cfb3c62dbe17b3abecdb26d84857eb
-
Filesize
213KB
MD54d94ce42a5e71901699e0416e5eaf7e3
SHA15e0e99c29742cf1b109793a7d23eff2c563b1117
SHA25665bdf8bbf1c84df6c0085f8acc63120ea8e71ec5cc1917d259072395d173a9a9
SHA512adc50db56d64370e9427fd49965fff478a7d206b2136fe37a68479ae1089fc33f82218ad6a8d356c8075e37f32a6d928d954da6e75151f14e3de25a425f668e6
-
Filesize
213KB
MD503584531eaf31edb92eb2a988959e6f8
SHA15e6390e050dea71ad062f4de4a9751b1ae4356c3
SHA256f7e78d224a951ac0594f4ea6f0ba001c3a71231ee4458056c167c8f132819230
SHA512dc47723da6cd88333727aae9bbd401a53cf208c5e96ff22ac9037f5f0318669787de680fd19c5d91642a4e604e6aca9ed64f39db7a2fa8ee07b4c0fbf94d8b17
-
Filesize
213KB
MD52f088c1c285f391c3669bf6e0c2ac78e
SHA1249f255e2b02881dfcdd90321480a61d682b4ca1
SHA256c5308ae1889046a9c62ce056abcc7df4ddaa774a087ae6e319dc29f4103f4391
SHA5121d4a2e1786f176e9ee073d081381dffcee504face0b6d44d6f26b1d0658e8fb97914dd4cc23f0642374304eac5982cf96737642373aa194951b1b2c3a6e1b2a4
-
Filesize
213KB
MD57c099fea533dac6eb964345e96ba5c09
SHA120e4d4a42988c12482e16e54f88caf8f8353b29d
SHA256de4dc60553a2038615db40c4629b5ff22d963b873ed2c0690033b4f2cd690662
SHA512b2ed8130d3e05d980dc083c61d7afaf8783ae54de86d505ddac3388511889cfc15abcc6bceef93d385bfe70f9b2bfc1e0f4dd2ee01a5d9285efdea61c9ea4989
-
Filesize
213KB
MD580c6841838148e0aafe89ed81059a6a7
SHA1265b3e9ab1e955ec019bcb495ca3ca333cf7b7f5
SHA256b683d89a309d3650122ce3748b611d8f84d4292f94c5a1bcd2da0dbe82de52e2
SHA512355a38338c7f2dcaec1779afa3ff810eb23c3dc21b6ad3d2235d1fcf4b51e42087cd1e7e47a961cef8ad870e512fb23bfe2ec1ad524973882b5a521a7570d77b
-
Filesize
213KB
MD5e4c22176a833d8e7258afb00bb579dad
SHA139185fe89ff1dbb498ba288cfb4776143cb7efe4
SHA2562d153a07f31cacaca7f4879b34592aa4dd11e9c322127dea8267e66571ac4ed8
SHA5127049f749114e1971e3d2ac2c4f29c8efb5b9a1e987ae84b5fac141d507b7cd84f9db0e4b8477e23c0409b8a5fe8bdc4b263f7af84630b6d915ed913df346a9ef