Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/05/2024, 18:31

General

  • Target

    06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe

  • Size

    168KB

  • MD5

    7d0cc5c7e32554c39bba1a4c4990f077

  • SHA1

    5db293c74833611d361eab059423130434a3d248

  • SHA256

    06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612

  • SHA512

    c88b27df34a0583113fb39f0a548ecd90f1a548b5d3330f0add59c53624c4e404cb9b56e2e0895960a48206a6db6fee05869be6cdeab06237d48a7d972ef9a88

  • SSDEEP

    192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwYUr4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLroVr4/CFsrd

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
    "C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
      C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe
        C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe
          C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
            C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2484
            • C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
              C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2020
              • C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
                C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:804
                • C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
                  C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2348
                  • C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
                    C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1420
                    • C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe
                      C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1636
                      • C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe
                        C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1392
                        • C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe
                          C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:324
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C6D2B~1.EXE > nul
                          12⤵
                          PID:1484
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A3E0~1.EXE > nul
                        11⤵
                        PID:2432
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9BA~1.EXE > nul
                      10⤵
                      PID:2244
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC022~1.EXE > nul
                    9⤵
                    PID:1424
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{11F3D~1.EXE > nul
                  8⤵
                  PID:1760
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C4E~1.EXE > nul
                7⤵
                PID:3048
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7FA15~1.EXE > nul
              6⤵
              PID:2640
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5BD92~1.EXE > nul
            5⤵
            PID:2624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{496BE~1.EXE > nul
          4⤵
          PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B4E2~1.EXE > nul
        3⤵
        PID:2656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\06FBFA~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2356
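Detection logic for the behaviour the process tree above records, added here as an example and not part of the sandbox report or of the sample. Each stage is a 168KB executable dropped as C:\Windows\{GUID}.exe that launches the next stage and a cmd.exe /c del of its own image by 8.3 short name (the "Deletes itself" signature on the first stage is the same pattern applied to the original file). The eleven dropped stages all carry different hashes, so a rule keyed on any one hash misses the rest; the checks below key on the behaviour instead. One detail worth noticing: the logged image is C:\Windows\SysWOW64\cmd.exe although the command line names system32, which is the file-system redirection a 32-bit parent gets on x64 Windows and agrees with the arch:x86 tag. The records are transcribed from the tree into a constructed list; parent PIDs are taken from the depth markers because the report prints PIDs only. The four-field record layout and the 8.3 short-name approximation (first six characters of the base name plus ~N) are assumptions, labelled in the code.

```python
import re
from collections import namedtuple

# Process-creation record: hypothetical layout, but Sysmon Event ID 1 carries the same four fields.
Proc = namedtuple("Proc", "pid ppid image cmdline")
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WIN = r"C:\Windows"
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"

def exe(pid, ppid, path):
    return Proc(pid, ppid, path, path)

def delcmd(pid, ppid, target):
    # The command line names system32\cmd.exe; the image that actually ran is SysWOW64\cmd.exe.
    return Proc(pid, ppid, CMD_IMAGE, r"C:\Windows\system32\cmd.exe /c del " + target + " > nul")

# Constructed sample, transcribed from the process tree in this report. Parent PIDs
# are taken from the tree's depth markers; the report itself prints only PIDs.
EVENTS = [
    exe(2864, 0, TEMP + r"\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe"),
    exe(1976, 2864, WIN + r"\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe"),
    exe(2560, 1976, WIN + r"\{496BE844-EE47-450c-9802-4025A86DA30A}.exe"),
    exe(2588, 2560, WIN + r"\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe"),
    exe(2484, 2588, WIN + r"\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe"),
    exe(2020, 2484, WIN + r"\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe"),
    exe(804, 2020, WIN + r"\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe"),
    exe(2348, 804, WIN + r"\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe"),
    exe(1420, 2348, WIN + r"\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe"),
    exe(1636, 1420, WIN + r"\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe"),
    exe(1392, 1636, WIN + r"\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe"),
    exe(324, 1392, WIN + r"\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe"),
    delcmd(2356, 2864, TEMP + r"\06FBFA~1.EXE"),
    delcmd(2656, 1976, WIN + r"\{8B4E2~1.EXE"),
    delcmd(2732, 2560, WIN + r"\{496BE~1.EXE"),
    delcmd(2624, 2588, WIN + r"\{5BD92~1.EXE"),
    delcmd(2640, 2484, WIN + r"\{7FA15~1.EXE"),
    delcmd(3048, 2020, WIN + r"\{B3C4E~1.EXE"),
    delcmd(1760, 804, WIN + r"\{11F3D~1.EXE"),
    delcmd(1424, 2348, WIN + r"\{AC022~1.EXE"),
    delcmd(2244, 1420, WIN + r"\{8D9BA~1.EXE"),
    delcmd(2432, 1636, WIN + r"\{0A3E0~1.EXE"),
    delcmd(1484, 1392, WIN + r"\{C6D2B~1.EXE"),
]

GUID_IMAGE = re.compile(r"^C:\\Windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>[^\s>]+)", re.I)
SHORT_NAME = re.compile(r"^(?P<stem>[^~\\.]{1,6})~\d+\.(?P<ext>[^.\\]{1,3})$")

def short_stem(name):
    """Approximate NTFS 8.3 short-name stem: first six characters of the base name, upper-cased.
    Assumption: no spaces or illegal characters (true for these GUID names); real generation can differ."""
    return name.rsplit(".", 1)[0][:6].upper()

def del_targets_parent(cmd, parent):
    """True when this cmd.exe deletes its own parent's image, by long or 8.3 short name."""
    m = DEL_CMD.search(cmd.cmdline)
    if not m:
        return False
    tdir, _, tname = m.group("target").rpartition("\\")
    pdir, _, pname = parent.image.rpartition("\\")
    if tdir.lower() != pdir.lower():
        return False
    if tname.lower() == pname.lower():
        return True
    s = SHORT_NAME.match(tname)
    return bool(s) and (
        s.group("stem").upper() == short_stem(pname)
        and s.group("ext").lower() == pname.rsplit(".", 1)[-1].lower()
    )

def self_delete_stages(events):
    """(cmd pid, parent pid) for every 'cmd /c del <parent image>' in the record set."""
    by_pid = {e.pid: e for e in events}
    return [(e.pid, e.ppid) for e in events
            if e.ppid in by_pid and del_targets_parent(e, by_pid[e.ppid])]

def guid_chain(events, root_pid):
    """Images of the GUID-named C:\\Windows\\*.exe stages, following child links from root."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain, pid = [], root_pid
    while True:
        nxt = [c for c in children.get(pid, []) if GUID_IMAGE.match(c.image)]
        if not nxt:
            return chain
        chain.append(nxt[0].image)
        pid = nxt[0].pid

def wow64_redirected(e):
    """Command line says system32 but the image ran from SysWOW64: a 32-bit parent hit
    file-system redirection, which matches the arch:x86 tag on this report."""
    first = e.cmdline.split(" ", 1)[0].lower()
    return "\\syswow64\\" in e.image.lower() and "\\system32\\" in first

def summarize(events, root_pid):
    return {"stages": len(guid_chain(events, root_pid)),
            "self_deletes": len(self_delete_stages(events)),
            "wow64_cmd": sum(wow64_redirected(e) for e in events)}
```

summarize(EVENTS, 2864) returns {'stages': 11, 'self_deletes': 11, 'wow64_cmd': 11}: eleven GUID-named stages under C:\Windows, each wiped by its own child cmd.exe, every one of them a 32-bit process. To hunt for the same behaviour on live telemetry, replace EVENTS with process-creation rows from the endpoint; the GUID-in-C:\Windows image name and the del-by-8.3-short-name of the parent are the durable indicators here, not the per-stage hashes listed below, which differ for every drop.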

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0A3E05D1-71A9-4d13-AD77-A168E83BAEC9}.exe
    Filesize 168KB
    MD5 151c1d780567a4e2023e90133a44a5a3
    SHA1 f91121bf089140aa3801bdc939f64e02d48133ba
    SHA256 062eea1d149e226a1cbeb76a9c6eb21d0b7ffb70efa9af1ae1d653bdd9c23072
    SHA512 da75d209d184f167db6a9e4d8919c62a5f1b45b9fcbf7c8c858c9c5d716347c83f7935af5e267d9b7e1ca72fb656d65601391aaeafcb436d2e224062905d4fbe

  • C:\Windows\{11F3D28A-D8DD-4ec2-B187-35991BA6C152}.exe
    Filesize 168KB
    MD5 b9caf1df98d8d67726541c9037362720
    SHA1 0d310719e981d067f6d2a4d232303a63f403913b
    SHA256 527b4c580715a56768c19a883c2722d147fcc92bc6ed2ea6fcdb62d6836b65c9
    SHA512 fa0467c5fecfd11b71b06d0d86b0ef078ab5f0a4c739fce194a7390d284a715a99d72d41f17894bdfb327f9fa624212e217bdd27a6ec9ce0639c4b836db241d3

  • C:\Windows\{1B85EE4E-5D0D-4c5c-AD8E-FF1778597081}.exe
    Filesize 168KB
    MD5 7e2b4a3c5fb022a5a927bafe7cb94700
    SHA1 82af7f34e86febc71c20c5dcc2e97d0b70b311a4
    SHA256 4ee60a7473ba929bdb4a24a165e53cca6155506844e0b1d5f64521ad1eff3dd6
    SHA512 7d277554374c3ae8bf051452b682c4de91490c885edb9ce77962128377f7074337857df1f9077dbeeb5d147df570bcd15c1908d168d73b43e93e2f720c20b6f3

  • C:\Windows\{496BE844-EE47-450c-9802-4025A86DA30A}.exe
    Filesize 168KB
    MD5 5b13c233faf7e20eec8beb6e9dfebbcb
    SHA1 533aa1825e278229de84e56b802dddf6ae6fe86e
    SHA256 8bec9c978d7f3fc66a5c22e31abf79b5b439904168aad904f20bd27c9c5948e9
    SHA512 30241c432c56b358ccdbf93a136bc99a2bc275236b89f18bf9b081055c8c0c55acc4f274d0b2622048537746691081d26aef7496f0a34e5f6f72929b1f65e4d8

  • C:\Windows\{5BD92855-6260-465a-92E4-C08D9F837A87}.exe
    Filesize 168KB
    MD5 384fd64cd09db2c32b2e247a183167f9
    SHA1 0fe4528ef8ff070218c198359ef42dfa62ea9bc8
    SHA256 281b05ae56253a08d2fa940e1fe4674914c102b196aa0e281e73d26df20a40aa
    SHA512 8ee1737ccab921e8e853dbacf8165188ec758c6f1c9787746d394eb8a9a38dc83dbfb7a321da6e9f9449aa9828597b7f16be04ec9a75e2949b5a71006609496d

  • C:\Windows\{7FA15A01-554C-4695-BB78-8D1AE9377523}.exe
    Filesize 168KB
    MD5 b5f7dba88f84c4b8fc306f34b4a5ce10
    SHA1 e3dd0970aa82ed221985105d0ec655457188097e
    SHA256 d464a2141ef9b08261bd03c27747055ef49f51b7b8e467225536aca7c57141a3
    SHA512 0355e3398f98d3552702a343262ef247920c74770a11d0c2ef1e61def72697e46be50eb4922bb6495e8bd1db64f5f27d5d7bb3d9e82d6e604dfa294e0c9cf008

  • C:\Windows\{8B4E2C29-54B0-4035-8E78-DC83FA93EFAD}.exe
    Filesize 168KB
    MD5 79797b5ed8f13d93e5c00e120903b6d6
    SHA1 2493d2fa5444064ed4e767fdff1e078e2fa21621
    SHA256 1b73a318753598e01325b01b45bdfcb356de48e64bff8b6057d39a8d290d72ca
    SHA512 613cc2eda48df39258062a2e7d724fc0b9e42bfaeb06d26dde49bcce83581aac179ea04245bb2a70d622f608d619c7972fe32f3b682f200713df0225545417f7

  • C:\Windows\{8D9BA8E8-D0A8-49a7-87FC-9477ECA02857}.exe
    Filesize 168KB
    MD5 3e4a0a2b8c41dd98e9eb0af750b8ca2f
    SHA1 b97242c1330c10decd29d6e8fe4a99e5201a0f31
    SHA256 b1875ec7ed36f40e18efe1289dd8cdaf18cd390f1d97a2137f2ed515ded51725
    SHA512 405076e0e10ddd7bf6144309c9cd88dd7ea20ea93cf2fbf3781dab62218461464ff02199bfd207dcb9c600afd6b66fa8facd7f2f811d06d5059d7671ff19a832

  • C:\Windows\{AC022B3C-2B92-49aa-9ED7-BDE9C102EB3F}.exe
    Filesize 168KB
    MD5 2c4466b8bc1137a516d14ef041fc340b
    SHA1 17e4776539dcfe8f1d48a5b6201e082cf4d921b1
    SHA256 f5c7d67b07a2055c0a9039cd8fecf67989cb431cbcd27843aee1934ac3ec9880
    SHA512 e3950e2bf4cdc49d7cdd83c42cc66819e2a072028ad104d8d9e51f91b74fa0ecb813bf71527cc9ae237d8906ea977d0ce14a247ef1c21b902f5e17fab92ff707

  • C:\Windows\{B3C4EE7C-8AF4-4116-92CD-A6434FB15366}.exe
    Filesize 168KB
    MD5 295435613d33e1f61e3f8b3bf8633974
    SHA1 4c27a8b2fa03c7d03a182f9a9acf6b25c27ccc8c
    SHA256 c430dff9a693477c0740640320c92e8dc6848ccfb3cdab444f0ed6abefabb973
    SHA512 de3f41a7f09f6132b12e01c09aa28f23b0b71fd4fcad5369f9aafd0eded9664dc5277990363f39045521bdcc5e567dca08f9f9666122c36cd94d170c14a973dd

  • C:\Windows\{C6D2B692-3324-4778-9749-F6DBDE9DD3E4}.exe
    Filesize 168KB
    MD5 97e1cb6a3c2dd585e360f20e061d9653
    SHA1 33e725d5786cafe5d8f24663690bf31122d0fbe5
    SHA256 49c91de8f0b3d092877a4b0aaec690d563ee77d496b401dbf389f118e5c9fc1b
    SHA512 52923cf04d1e350e6c492fbfb4257915815934b3a71df79f8d444136483c96e326af62638c61a84fafdc2ce5fc09ec77b0a970abe0d38e1a28fc5637c830f9e8