Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 18:31

General

  • Target

    06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe

  • Size

    168KB

  • MD5

    7d0cc5c7e32554c39bba1a4c4990f077

  • SHA1

    5db293c74833611d361eab059423130434a3d248

  • SHA256

    06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612

  • SHA512

    c88b27df34a0583113fb39f0a548ecd90f1a548b5d3330f0add59c53624c4e404cb9b56e2e0895960a48206a6db6fee05869be6cdeab06237d48a7d972ef9a88

  • SSDEEP

    192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwYUr4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLroVr4/CFsrd

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe
    "C:\Users\Admin\AppData\Local\Temp\06fbfacea349ae3f84c91ed0e504b0148002317590d9d99993972cc86cfa1612.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
      C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
        C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
          C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4076
          • C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe
            C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4004
            • C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
              C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1388
              • C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
                C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2540
                • C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
                  C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3956
                  • C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
                    C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:408
                    • C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe
                      C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4348
                      • C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
                        C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2516
                        • C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
                          C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4368
                          • C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe
                            C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1496
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CB547~1.EXE > nul
                            13⤵
                              PID:3704
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E63D3~1.EXE > nul
                            12⤵
                              PID:4108
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{116C2~1.EXE > nul
                            11⤵
                              PID:3468
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE19~1.EXE > nul
                            10⤵
                              PID:3104
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{39D4F~1.EXE > nul
                            9⤵
                              PID:2740
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{35FB6~1.EXE > nul
                            8⤵
                              PID:4184
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B4DD2~1.EXE > nul
                            7⤵
                              PID:3284
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{91697~1.EXE > nul
                            6⤵
                              PID:1252
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{DBAD1~1.EXE > nul
                            5⤵
                              PID:4628
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{668A4~1.EXE > nul
                            4⤵
                              PID:2568
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FB72E~1.EXE > nul
                            3⤵
                              PID:3076
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\06FBFA~1.EXE > nul
                            2⤵
                              PID:3472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{116C2D37-F090-463c-8B22-0648C84A9477}.exe
    Filesize: 168KB
    MD5: 560ddb9c34043387d7029b77daa3393a
    SHA1: 12919cec7b98a32837f7f3d5078a100b5dbbb02c
    SHA256: 1bde82f4b0fee88a8cecef541a0bcb01f9d6b3abbdb7d4126ecdc1f5c69d45e0
    SHA512: 1d2e1507726d74005b23d8202ac18716d7ff2d4b1ef900069bebbe57041f09dc6999d1c7547c1d5aa23822ede806d01ab4c710136e5ecf2b72f5c275b1140d6c

  • C:\Windows\{35FB6E59-3E39-4010-A3FE-C84D725296F8}.exe
    Filesize: 168KB
    MD5: 832d4c368e3533fa011e83c24cbb0766
    SHA1: bc6bca0875d1f1bf9e6484237500144afd2b00bd
    SHA256: 134654f351b9e0691abb81187c9a5a4bd7b72881fc83908dacfe067060596928
    SHA512: 17b38c729f3ed6b575ebfcf8ec7945c7f19ac077af285a840335c55ded0f934db16a940ed2f63d777e00d64adfb18b01d74fe9ee6e074c92be7adea7fab2e9bf

  • C:\Windows\{39D4FE0E-4057-4664-B8FB-B81FA347978B}.exe
    Filesize: 168KB
    MD5: 157e292e9f1d7b4144a339c78c114dcf
    SHA1: 320cb690feb45df718a3ddf34ef5b8d47089fc18
    SHA256: 883a2e267240d0bc7a4e257c0a4e1f6f7d6207aafff0c49bfa2d988f184c617c
    SHA512: 1d6f83f3bd142f13e7ab755948d0e107789c1055dd4b5d11e339746c831f69673ee554ce93c9dcfa464e30115671f579f540fd57d42c22c1f33d744d54d7ef12

  • C:\Windows\{668A4223-EA7B-434b-94FA-A329A407AA7F}.exe
    Filesize: 168KB
    MD5: 3077d6bf3f0fa2e8f162c2880fd40444
    SHA1: 0759c9318243260a4eadc5f5f7bbc4bbc990f368
    SHA256: 90083b7fb730aa759ab0838bef066ba977609d7859ad0c3e3df50c4e086b09d3
    SHA512: ea2567914f1e7868ee639a877130f55d669701ae8d042222828c04aa621af78725fff8f89778a57511238714b779948d0c8f8500ae6b389b7ab1b58fb0bf58d4

  • C:\Windows\{91697043-EA59-4ef1-885C-D12248315A4C}.exe
    Filesize: 168KB
    MD5: 800ce085edb1d8b1ece86dc90dc5aeb7
    SHA1: 1ef1a806ecb7df9df3f146bd55f7595e0d0970f4
    SHA256: e70f6c47a82501844acf57e618358bc136805c0321aa3e9c506d08cd7b7bee24
    SHA512: a4b19d19403a17be6466dc27a44b478300e2a9b6344e46a99b4da13c617e781c51281cd153959063f0a734f306631e67b9c88a23d3ae7009556fc20f29459300

  • C:\Windows\{9207E61E-E895-45b0-9272-7E4FD4A6827F}.exe
    Filesize: 168KB
    MD5: 0d88f40deeb776f26217cfbd4dbf9092
    SHA1: cf13cb872e35f051e846cb04ba8f439e73b93371
    SHA256: 083a592b2b8e0c20857be3cc2edf632ecdb763006f208c0c5d1ce45efa1e05c5
    SHA512: 328967ce78799f53a91e8f9687783012bfb5bcf340b3fd43dae0feea74fe2e84d7e9f4bc7620e103c11348ef45818be47aa4e6e069df81c2ec602bf4ce4d2e44

  • C:\Windows\{ADE19830-1173-4c5b-ABC3-6FD420129889}.exe
    Filesize: 168KB
    MD5: 80c394ffe199e423b5ba645f876eaa1d
    SHA1: 2159393a2858eb7ea0c0180237d0bbc85122a051
    SHA256: 6ccd638c1f4df47c938ccaf63de9c1a6aa0ebaa7f1d758c9e45f567cf3e8647c
    SHA512: c5c48da979cea481771619a1a762462f12ee2a1b17b8f4807fec4a4cde8fd05821397da6fe6ccbd3dacb3c177855816ba49bf298be70d124e4a85541d5366ca2

  • C:\Windows\{B4DD25BD-2067-47bb-8C96-5F6297DD7965}.exe
    Filesize: 168KB
    MD5: e8fa048bab164e9ca6ea138d1b45b7bb
    SHA1: 1130861882f230d2b234bed11d8a51062ce6a071
    SHA256: cf631501cfb12d789b98e12b106c9ba0488feb9547d646c9527dc257bf43ff42
    SHA512: b202cbe6e0ebded7e0342bd268264ea41317c8db940403ee0f0499e04bcc0c5ed25cc8862136aa24bc2b34e9948f19d28c7be94c46f30eacc97320bd9fb31100

  • C:\Windows\{CB547CEF-33A3-44a9-9D99-B3472DEEAFFE}.exe
    Filesize: 168KB
    MD5: fbc2b8bc47d3764f576e4e1b89910762
    SHA1: 41fd78d48c9a5c8a634131ace12bb6d303792e77
    SHA256: 6573b7883b339cfc0b1e40627140ffa6edcc7017cd6dec0162c743a403d8083c
    SHA512: d49ee44084b45ff440512fee88a462405670df081be36952028af2f6fe4b2818a666db0dd3c0945a202704e373b851784ce82491958980c8f56dc1a0c4109b32

  • C:\Windows\{DBAD188C-DFBE-4cb3-B5B3-DE7C3AD4E11B}.exe
    Filesize: 168KB
    MD5: 4b9695a187cc7a43c4dae7028ed414fe
    SHA1: 54e4a93088c84be1185460822a96d56c234fc52b
    SHA256: 7045364e70c74679629a69cc095e99079687a4b7cf275cb41bb9f0ce799e6cb1
    SHA512: baa6eb44fd16165599538c9a174a680c31f24097fdc489047286fcb78977ee3a8daddc9be11f7d583e946f5df61b636ede809857a8c16ca4e165c2b53c5ea776

  • C:\Windows\{E63D3C8A-7EBD-4d1d-8A1E-877BD07E893A}.exe
    Filesize: 168KB
    MD5: 056fcb88b5b00928325be9b1efd222ad
    SHA1: c3ccb693baf91481a759ecedd75d63814d56c2b8
    SHA256: 5043a2007174a3312773ba872e7add2aed5e7b08bb337b3aa9d34f0bfe319864
    SHA512: 2f2881a4be0455e61a295a4a4da22cd7190986a3766fe2a588bbe8a1b41a962adc7fc4b4ff985dc2b0c69dca3e04dfea6e44a167c5fb45840937e91c160808a1

  • C:\Windows\{FB72E0C2-2B50-426c-B8ED-15D41772A202}.exe
    Filesize: 168KB
    MD5: d131fb6c931a307da56ef4b780f78144
    SHA1: 6a59a0aa3c77d8d040fda58079bed7dad935bac3
    SHA256: e51c4b8edb7526ceaf9752a784b04de716f0ca7fbb04e0cb479846dc4bee79c0
    SHA512: 82d828e9962f2d911f4105a3df8135db87defe8c69e672dd0822541af5b8ced2f928a71e5e4756a55cfc53aedb0d8457c2c9498607ada6a0ebf1e5aa8187ca0a