Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/06/2024, 20:03

General

  • Target

    328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe

  • Size

    180KB

  • MD5

    78daf397d39aa60d56471f67bacf471e

  • SHA1

    321307f2afdc67b1a63ae9468c4c6e49b314b56c

  • SHA256

    328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983

  • SHA512

    6a2238e98ffeef3d3f8500f6279e876091f8d10bbe3fb83f5e340f043b3b7439472b422756c58464e840de5edce8bd1b43f2259b10dbb8ab19a4fb69182707e1

  • SSDEEP

    3072:jEGh0o4lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGOl5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
    "C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
      C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
        C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
          C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
            C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
              C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2980
              • C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
                C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1712
                • C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
                  C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1496
                  • C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
                    C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2524
                    • C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
                      C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2272
                      • C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe
                        C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2016
                        • C:\Windows\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe
                          C:\Windows\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1332
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{86529~1.EXE > nul
                          12⤵
                          PID:1820
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C50E~1.EXE > nul
                        11⤵
                        PID:1264
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF59~1.EXE > nul
                      10⤵
                      PID:1284
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{91481~1.EXE > nul
                    9⤵
                    PID:2776
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BD6E6~1.EXE > nul
                  8⤵
                  PID:2680
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{57352~1.EXE > nul
                7⤵
                PID:2320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{827E2~1.EXE > nul
              6⤵
              PID:2960
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B59C3~1.EXE > nul
            5⤵
            PID:1528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{570AB~1.EXE > nul
          4⤵
          PID:2724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{583F0~1.EXE > nul
        3⤵
        PID:2432
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\328FB4~1.EXE > nul
      2⤵
      • Deletes itself
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Downloads
