Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/06/2024, 20:03

General

  • Target

    328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe

  • Size

    180KB

  • MD5

    78daf397d39aa60d56471f67bacf471e

  • SHA1

    321307f2afdc67b1a63ae9468c4c6e49b314b56c

  • SHA256

    328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983

  • SHA512

    6a2238e98ffeef3d3f8500f6279e876091f8d10bbe3fb83f5e340f043b3b7439472b422756c58464e840de5edce8bd1b43f2259b10dbb8ab19a4fb69182707e1

  • SSDEEP

    3072:jEGh0o4lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGOl5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe
    "C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe
      C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe
        C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe
          C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe
            C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3836
            • C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe
              C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4660
              • C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe
                C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4288
                • C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe
                  C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2916
                  • C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe
                    C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2864
                    • C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe
                      C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3624
                      • C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe
                        C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4236
                        • C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe
                          C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4344
                          • C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe
                            C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2792
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6724A~1.EXE > nul
                            13⤵
                            PID:1808
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0D8BC~1.EXE > nul
                          12⤵
                          PID:4256
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{475B8~1.EXE > nul
                        11⤵
                        PID:4076
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{377AA~1.EXE > nul
                      10⤵
                      PID:2456
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3CD8~1.EXE > nul
                    9⤵
                    PID:4796
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A89A0~1.EXE > nul
                  8⤵
                  PID:2592
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8E6EA~1.EXE > nul
                7⤵
                PID:1576
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C880E~1.EXE > nul
              6⤵
              PID:1020
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C73C5~1.EXE > nul
            5⤵
            PID:4232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{2BF07~1.EXE > nul
          4⤵
          PID:4736
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51CA5~1.EXE > nul
        3⤵
        PID:2272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\328FB4~1.EXE > nul
      2⤵
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe
    Filesize: 180KB
    MD5: dd5f7f1ecf35984973d3759799e7e1be
    SHA1: 80cb8c95b0c2adb0223320c4dfdd5f79c9f16d67
    SHA256: ec55af99e27e91f6367a47e1a99ded0926acd3cc8c29199b08703dba435f4d10
    SHA512: 16f2af022d1407a66ad090bebb08de6497df2c8e372117c2bd2d6a84623a23fbf9b9c9840ba950cc2efae689f8df8c863a4ba8a600ae28fe5d4d9a9931c1ddb8

  • C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe
    Filesize: 180KB
    MD5: fb9fa6901e08ed29ca0e4ec54a27b66a
    SHA1: 99ac0efef58918cd8cf5225e7338671444a1dc76
    SHA256: 98b2209488d63e2efafa0bfa4069fd6b36fa32382c3ecd7530d9ce9740a1c212
    SHA512: 0d664bc91ec44172b4223a10be7666bcdc155230920cd6acf97b771d8c2a14c4dcb2c833d221d0734a90897276ffaddf26657c3330ceb1e8028c5706fe2cb68d

  • C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe
    Filesize: 180KB
    MD5: 9ab018879f61459b2ade7a4049f3b746
    SHA1: 68355f5b386fb8dffef310e048ca2ef8b3e7ba58
    SHA256: bec32f36f2b1662aa6f56c646d4e5bb236e756295afb4c5d8b909a5f670c7de3
    SHA512: 4377c6d8ffec6fbd07c9d5fe9e6da4bcfff0c7f17b577efffd79d165a851421859c0909402f588cbb3d87250ceacfc09676f14aed3e129e2dffd399e38a7da64

  • C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe
    Filesize: 180KB
    MD5: e6009c9425a572bc42480d766f45c186
    SHA1: 643845a4e37b0cd54f99a86e84c7d614f34dba40
    SHA256: 2562b680ec15ed8610d0bfca107a1ee9b2574c4a44b3a3d9b8462b7886a2bbab
    SHA512: 0877e89127977d3336df22529123f0e418cda75d085656742a2a3b6506b3daccd2ce0aa564066abe24ccdad3ed0787ef2d693bee944f7b66d60fc8c86f873957

  • C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe
    Filesize: 180KB
    MD5: b2dc160dc4ac176fab18183229680489
    SHA1: 8ec186440e344fa0f3b4aa8a25d68ecbd4c4710f
    SHA256: b296bfebee036455937a488aec27b2e667d0f06a2417fca4f9f750b195374cb4
    SHA512: be38723f1cde4a2c0060c64a6bd5cd9a2f0e18e0b54fb3f07a4eb1d03827208c38badd8630bbaabbf4b804cb79814bb1aefebffa76bf98f94bb7efae1217122b

  • C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe
    Filesize: 180KB
    MD5: 6d2700d43ab214f5bb945b1109c599d9
    SHA1: 1263dffd884fa619450524b3058c1eeb0cb5e178
    SHA256: 58f5647342fb23e52de8e8f4dabb9e02a834b2c6276f62bb5079060675615366
    SHA512: 1cc8df890b36dbd108b1ca3ea65411b5d1eafbcff4d18632979aa3b5b28469e757e3b26becece3b10056936e4aa9c21ef91a5d4b8fd3fae4547636a6fe6ef7ff

  • C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe
    Filesize: 180KB
    MD5: 18ea16050465512f9aae2af01e27c481
    SHA1: ded90b771c7eca7c77e989c1954713abb8c0a69b
    SHA256: 22079bde503d3a6ead1cb044a84c9d751892f82f999d4952d48aa363c8fce2ba
    SHA512: 86ef288b784d69528278b82c608d50fb7b6c1fd66c5b988c2eb19c9c483044f0d4bcd2a057218230433b9ff3600877abccacd82f7914017d246191257f278dc6

  • C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe
    Filesize: 180KB
    MD5: 21f0859469d4b20a5fae45dd36d97681
    SHA1: 54a22929f240db0a65a28576c1211b1637d2cf56
    SHA256: cfb8e2a8fbd7ad3e75498d7784a123871987f6b989b1d319bbb5610d3c8f1016
    SHA512: 113f8419f540966943c269be871e5764a914d188b5eb6fd0cfdbdcb9c316a42bee7569909f9efe50662643356c2c9bedb070b9d71e52434318c39e141e954b81

  • C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe
    Filesize: 180KB
    MD5: 2310ec4b0e5a155db4071feda377c54b
    SHA1: fac5f67df40339ec44915781c45aac5b81932320
    SHA256: 8a984ebccea2244e1c204830e5f1bbce70d76adca0a3ee3501452d230020e6c9
    SHA512: 9da637136be898192af27c5f8473dafc19aed9a89a324890b20f9174d85ca185f88a763e8bba2401ad1ed974e56f8b0e88f32920482bf2a2db8d36290b42ab56

  • C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe
    Filesize: 180KB
    MD5: a281229ec9b9ebb9ef4a4e33b820b90c
    SHA1: 920dbf3bcbe109e43cec76fe8ebec74a8c1b9ae7
    SHA256: 55dca7929eac6405eabc62adde148538b575849772d269db273fa253bf931e45
    SHA512: 4039c1d72508f6bddf103613669ef4f92c5e4ce578ddddab71c1a3b1af28d3100bae9892c0d271f37700156477b3804ef9a3328487f13bc5b6d861da34a8694b

  • C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe
    Filesize: 180KB
    MD5: d6fecf1449760d73a4a3ab18b2b8c220
    SHA1: 1d0e8f33234b401390f00cef3193921493144808
    SHA256: c42ab485d30e8a13b81ec73f9fc3e775baeed5e08cb2538f67a1d0b0147893dc
    SHA512: b86b980fda3d40a44d688979a91fbc5a55d3010fed1f48dd342a38a3619bd51b4a9f0a7556b9232e59e858c3299d0ba66552044082f97172274b2dbb1fc366c5

  • C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe
    Filesize: 180KB
    MD5: 31b424f2aeb7f298585b569401b805e0
    SHA1: ad7e98bcc10175b6ee1a5fd37a24d66e12158397
    SHA256: 4dc964f34d897e3b9223ba062f4c6d1999a7e3414f682fc3e0830a39887b1ead
    SHA512: 018587a261d58e0aa91adbd30cca17309a7b51486fe08f0076f1fde0580f9d3852ee6c55568b1b3f19585594217df38b872992263c3fd81ce2c06755759a5f7d