Overview

overview

8

Static

static

3

522555764d...ff.exe

windows7-x64

8

522555764d...ff.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 21:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe

  • Size

    98KB

  • MD5

    075f83ccf1c96e5a0693ade441a985d3

  • SHA1

    71a3883e999cd337f7e50e03c93b0fdff528386b

  • SHA256

    522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff

  • SHA512

    4d83111f4d7a3cdc53a770486591294c765c0e3ea3d658f1ce384a59ed534e0222770866f10c7723fde1a9c1996d87e066af5ab47d434d28fae58ef024438500

  • SSDEEP

    768:5vw98169hKjroy4/wQCNrfrunMxVFA3b7glw6:lEG/HoylxunMxVS3Hgl

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe
    "C:\Users\Admin\AppData\Local\Temp\522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\{047A1AA8-B63B-4d59-ABF4-FC4592F28C4C}.exe
      C:\Windows\{047A1AA8-B63B-4d59-ABF4-FC4592F28C4C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\{ABFBCA50-1998-48cf-827A-2AACF1879425}.exe
        C:\Windows\{ABFBCA50-1998-48cf-827A-2AACF1879425}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\{3D04BF70-37C4-4886-98D5-2B8FAFFE58A1}.exe
          C:\Windows\{3D04BF70-37C4-4886-98D5-2B8FAFFE58A1}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Windows\{F5A8AB01-A8B7-4c3c-8DBF-B34783010DFB}.exe
            C:\Windows\{F5A8AB01-A8B7-4c3c-8DBF-B34783010DFB}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2772
            • C:\Windows\{068623D9-D6A1-4edf-824B-D72494C32451}.exe
              C:\Windows\{068623D9-D6A1-4edf-824B-D72494C32451}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1708
              • C:\Windows\{4630130F-6481-4b64-BD49-F1403A7E799D}.exe
                C:\Windows\{4630130F-6481-4b64-BD49-F1403A7E799D}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:344
                • C:\Windows\{8713C1B4-CC45-41de-9A85-ED4EF628512D}.exe
                  C:\Windows\{8713C1B4-CC45-41de-9A85-ED4EF628512D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1848
                  • C:\Windows\{FD8A4F41-2008-4183-B753-DCA8AAC4C7D7}.exe
                    C:\Windows\{FD8A4F41-2008-4183-B753-DCA8AAC4C7D7}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2224
                    • C:\Windows\{FC2C6AC2-F116-4620-AC53-C6A335D90A47}.exe
                      C:\Windows\{FC2C6AC2-F116-4620-AC53-C6A335D90A47}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2088
                      • C:\Windows\{8E1A27A3-3355-45c5-9B8E-46762FEE4CF8}.exe
                        C:\Windows\{8E1A27A3-3355-45c5-9B8E-46762FEE4CF8}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2592
                        • C:\Windows\{B5A956B6-8958-4f7a-A63B-9BC7558D3D7A}.exe
                          C:\Windows\{B5A956B6-8958-4f7a-A63B-9BC7558D3D7A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1700
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8E1A2~1.EXE > nul
                          12⤵
                            PID:2240
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FC2C6~1.EXE > nul
                          11⤵
                            PID:1660
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FD8A4~1.EXE > nul
                          10⤵
                            PID:2244
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8713C~1.EXE > nul
                          9⤵
                            PID:2084
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{46301~1.EXE > nul
                          8⤵
                            PID:1540
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{06862~1.EXE > nul
                          7⤵
                            PID:1896
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F5A8A~1.EXE > nul
                          6⤵
                            PID:1908
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3D04B~1.EXE > nul
                          5⤵
                            PID:2760
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ABFBC~1.EXE > nul
                          4⤵
                            PID:2424
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{047A1~1.EXE > nul
                          3⤵
                            PID:2448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\522555~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2636

                      Network

                      MITRE ATT&CK Matrix ATT&CK v13

                      Initial Access

                      Execution

                      Persistence

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Privilege Escalation

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Discovery

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Resource Development

                      Reconnaissance

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{047A1AA8-B63B-4d59-ABF4-FC4592F28C4C}.exe
                        Filesize

                        98KB

                        MD5

                        5937015aa0983983b3cf2ed22bf676cc

                        SHA1

                        f48801ba9a514ab20da45224bc4259e8f12a7121

                        SHA256

                        a1f92d4a9fba55bfa087fce865667a03fb48165be6dc108889a11495683016c5

                        SHA512

                        0f09cb90bbb77f71b1f8446788a7a425befc66bf9183442be171f5cd83f09431687618a2d83ab58674c4a87cc7e5927b64c4342cff53732265d0164471e69207

                        Download Submit
                      • C:\Windows\{068623D9-D6A1-4edf-824B-D72494C32451}.exe
                        Filesize

                        98KB

                        MD5

                        c6ed19d90aeba1b3d940aeb01f5d8d44

                        SHA1

                        06c4ed6b6bd709bf9b607dd0a9c7caef27ca66da

                        SHA256

                        508ef3c66d3de6b30d7ee23c41aa9c8e5099d1331d3f834b7828ba74ab881866

                        SHA512

                        239de669eb3d89a31d5fdd61c513844c4a9ac7d8b91e6ce3937467636c114a4d3200ccaa15eeacfe3032020a4b108459311b4487410e2ff41eab717febb05565

                        Download Submit
                      • C:\Windows\{3D04BF70-37C4-4886-98D5-2B8FAFFE58A1}.exe
                        Filesize

                        98KB

                        MD5

                        5965a60a9506fddc52383efe84781ea6

                        SHA1

                        36545f7eef63cbac7dfcf5cad91aaa8bd37ed959

                        SHA256

                        bcaccd3bb209b3ee6b5514f2a2b9273e39cbfa8379f8b57c5775a53373ea24b0

                        SHA512

                        639acd0f473d82bc47253c5c8ecb06c4db759ef620f4cbb70798faeccf73775809f1d344ed7ba95a7bc96a39fe21a30cdbcfd70bd40d8853cc3b5989dbf91c28

                        Download Submit
                      • C:\Windows\{4630130F-6481-4b64-BD49-F1403A7E799D}.exe
                        Filesize

                        98KB

                        MD5

                        967fa7a75e0727e2bc33f75a2265806f

                        SHA1

                        2370a6e0c2242415e140ce828d5f17096a9eafc1

                        SHA256

                        67ded979af632e591885a6a0d922ee3e11a7961f9730ec816b20695469c66535

                        SHA512

                        40114c41354d8739f30ba70c83d6bb1cc6c3683513420e47f9ae110470fb9c50b160bfbdf8c08be6748108c39dc5624db9e8603490741e1322e5c0a3a30e124c

                        Download Submit
                      • C:\Windows\{8713C1B4-CC45-41de-9A85-ED4EF628512D}.exe
                        Filesize

                        98KB

                        MD5

                        3727c488c2936f2a1f5a0f1fc0d66fa7

                        SHA1

                        f5a1f049183f8ac46a782fc1cb2e933cb2146727

                        SHA256

                        7a971d0b0cc5b7b4dc7dfdb00ec3fe3d173d1957f1958f6b8ea178b819c2e65f

                        SHA512

                        aec46b523cbbdbba1da8c0444163c639d4917fb52d1da674ce5edab50c00ffee316bab92b65d85d952e3de7b24898d486e6b09dc209b09de0f8192bf3a9f7886

                        Download Submit
                      • C:\Windows\{8E1A27A3-3355-45c5-9B8E-46762FEE4CF8}.exe
                        Filesize

                        98KB

                        MD5

                        9b36350c0a716d08e6c2c2515f514c3c

                        SHA1

                        d9b2c1cca6e38bf345f49309cde3b140a1ac364e

                        SHA256

                        84bc02c9b4175e12681637f4170c932a9cac5a2bb5c40026add95c9a9a3ef972

                        SHA512

                        1532af026f738672af538fa310b97167c84c4d8dc0bfa5ebc54bebdfa7f515fbf5d35ce80939e79d4d72431a0bdc236a281d8657e9f1cff6fa069f6b585f3cec

                        Download Submit
                      • C:\Windows\{ABFBCA50-1998-48cf-827A-2AACF1879425}.exe
                        Filesize

                        98KB

                        MD5

                        b4f51621e015ed394123cca1a1bfa67d

                        SHA1

                        855cf3e239b036a707968f46bebeaea3b6478851

                        SHA256

                        c6841e9705cf37e9bddaad707ce435bb36f9271406d49d744b86d4a10fb81c44

                        SHA512

                        d8299b0c93f7f8c20c61ba6382adbb9ad07b83deaf04f83a02b87adbddb8be9381b0e4ba2cfeb25f1a50ac728bf45297393385be67a6f1f7b06012233d088a4f

                        Download Submit
                      • C:\Windows\{B5A956B6-8958-4f7a-A63B-9BC7558D3D7A}.exe
                        Filesize

                        98KB

                        MD5

                        ebd8bb2ebe6f4dabeb950159cd1b156e

                        SHA1

                        fa5166cd108ddbe5efc86925839f2cf4425bddba

                        SHA256

                        517674f008d4b6250adab9956616ba3b8be845e4ac0cdfcd272c6984fb752012

                        SHA512

                        1a682767673d30f066f99b975304cb2a6724e005d0ab30b3ddc9e6d1eca7a3dd1567089016fbfffaf0a9044513f1c8a45d1cbb83e7466f88fcdc4c743844a025

                        Download Submit
                      • C:\Windows\{F5A8AB01-A8B7-4c3c-8DBF-B34783010DFB}.exe
                        Filesize

                        98KB

                        MD5

                        a69defe6e65c574fb693f9b24693bfce

                        SHA1

                        4d3c7d041d19a5f5ec2d475e04f6f995b945a15a

                        SHA256

                        066e0eb083abf80cb5fb862adbe4ab65de8661954e45c878b9584db5e69fbe21

                        SHA512

                        56b1dbaabef69cd04eb38e01ff3dc0244e448f69700f9150eb27cfb20b6e0e84f47f0cd03dec318bd422512a6042063261d08c980407c860cef3a7f7baf8481e

                        Download Submit
                      • C:\Windows\{FC2C6AC2-F116-4620-AC53-C6A335D90A47}.exe
                        Filesize

                        98KB

                        MD5

                        3dc171c1c59534b358c93ee7a09c021a

                        SHA1

                        6a4e38ad882655c1df3fc8ac72fafd2ec458b219

                        SHA256

                        060b5f121defb2dfa1537c84be7c6ab0eea3e8a586dd6e721fee5e9add0faa3a

                        SHA512

                        88597b92b9a275fb3ff2f49a822bc6980e70af4f8e6e17333727bab6de5d7ea9816627e811ddc3e9d9693adb0dc35a3142f3b24086fe8ce9620d62201c6fc85a

                        Download Submit
                      • C:\Windows\{FD8A4F41-2008-4183-B753-DCA8AAC4C7D7}.exe
                        Filesize

                        98KB

                        MD5

                        f4c0c19e076407e055309763bf881af3

                        SHA1

                        655484df01be2656824f340a0bd1b8adbd59d8bb

                        SHA256

                        b79bebd6ef8cfd21d1f508868a00dc89a55fac40d9e4e8dca50f9e41e1a1cee6

                        SHA512

                        d22b677805562ac0554a2062ee56c902559c8504cc1263f6cb713419bcd1a4821069b526e83b6aeb82d517a4bb478268e1fd27cab156a31cb0d124bce41d9f12

                        Download Submit
                      • memory/344-61-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/1708-45-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/1708-53-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/1848-62-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/1848-70-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2052-8-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2052-17-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2088-85-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2224-78-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2468-34-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2468-27-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2592-94-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2772-43-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2772-36-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2824-18-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2824-25-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2964-9-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2964-0-0x0000000000400000-0x0000000000411000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/2964-3-0x00000000002E0000-0x00000000002F1000-memory.dmp
                        Filesize

                        68KB

                        Download