Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/06/2024, 20:11

General

  • Target

    35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe

  • Size

    98KB

  • MD5

    18ee73c98555b308c2bf65ef39a41a5a

  • SHA1

    f1f94cd13f36a4e5622cc9cdfbb362c841df8607

  • SHA256

    35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a

  • SHA512

    42e3d70c5006a5da1b352f8c07626ec6cc28fae86bc62aeb2e209a996b9ed098a837d6e8ffd81c8a1b31617da0ce517dfc6787b9c0046e922c8deb448ff0a8c0

  • SSDEEP

    768:5vw9816thKQLroFL4/wQkNrfrunMxVFA3b7glws:lEG/0oFLlbunMxVS3Hgz

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
    "C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
      C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
        C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
          C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
            C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2428
            • C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
              C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3008
              • C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
                C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1724
                • C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
                  C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2220
                  • C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
                    C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2132
                    • C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
                      C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:548
                      • C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
                        C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2692
                        • C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe
                          C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1804
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D2669~1.EXE > nul
                          12⤵
                            PID:824
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1B722~1.EXE > nul
                          11⤵
                            PID:1504
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A10BE~1.EXE > nul
                          10⤵
                            PID:2724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{38A5B~1.EXE > nul
                          9⤵
                            PID:540
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3CADB~1.EXE > nul
                          8⤵
                            PID:908
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EC419~1.EXE > nul
                          7⤵
                            PID:1956
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F89BE~1.EXE > nul
                          6⤵
                            PID:1260
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A8F24~1.EXE > nul
                          5⤵
                            PID:2396
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F8B92~1.EXE > nul
                          4⤵
                            PID:1428
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A11C0~1.EXE > nul
                          3⤵
                            PID:2612
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35C65B~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2928

                      Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Windows\{1B7229EA-9F80-48cf-B3DA-BFBC92016B03}.exe

                              Filesize

                              98KB

                              MD5

                              7deb7bb80e8cbf21f45d53ccb6dd12e7

                              SHA1

                              444ec0f4a3892e374520c5eaa1657d83d8831492

                              SHA256

                              44f7b94cf390fac4cbcda79b8e77c214a405664d4cef77feac8799f8acb7c1f1

                              SHA512

                              4c8b0ea59df10ad6570b54aaa2330498eb0021e8921aa4d5dd96f311c661e00ab577f753ce1da989ef4a50e7e750183c88dd9b40bd7520488f6476637fb8cc95

                            • C:\Windows\{38A5B0E4-05BD-423f-AD4A-934D4A6058E9}.exe

                              Filesize

                              98KB

                              MD5

                              7ff2d382b803252a1b59dad72cd9854a

                              SHA1

                              a7d1a54c3fdb27eb2492c8eeed7860b8d64ee1eb

                              SHA256

                              35f35adb731b145d8c8cc5fb99155d5281a301a7d47d155e84d9318a3660be4d

                              SHA512

                              3b0e7079ad0d859cda96277587a00c2e38cf09c250cc9c14b2b36da2b5bd2e2b7e6485efe681657f1ea5f69c8f49e5cc590579782f7a0a992309af01d330e521

                            • C:\Windows\{3CADB709-4AB0-49e2-8030-8965C12B5090}.exe

                              Filesize

                              98KB

                              MD5

                              f025ba68bd814e211c11c583d06058d3

                              SHA1

                              c1f0a7faf2b3d1e9c58441bb581991cdc983c9de

                              SHA256

                              6c3a19298253bfad8348d254db5bc82849bc29e9b6ae8c94249dab52411e70f4

                              SHA512

                              f814d272295c4fc650691a9802f47dd8545513ef00d13934cf17fc394878cdc22fcd5bcca9316205e4136e491d3504044425cccc8e8e13360c4d289f2dbe57b1

                            • C:\Windows\{A10BE9AC-75AC-4bc8-AE8D-2E5706F6E6C7}.exe

                              Filesize

                              98KB

                              MD5

                              ce10e7337ee244c7c69e8a05b1b9b88d

                              SHA1

                              4b5ca0d8816ae383d041f8c2df60bf947222d934

                              SHA256

                              7e3c287d983568dc6b1910c17a592e2dc6e46e504ce33e9046e20a6c67012011

                              SHA512

                              de9f8b39e9693bdb08d07ff28b06ef7d79d5b855d8b42d55461e91c33f02d65624549d80cf5b01390215a5e5989f4a9931ae7c6bae59eedbd2c1898382622d3c

                            • C:\Windows\{A11C020A-32AD-4857-99E0-02B4486DD17B}.exe

                              Filesize

                              98KB

                              MD5

                              6687deccb783fbf2bea37b0738e9efe7

                              SHA1

                              4b31d7ad2c472003ae9dddc678da13dc7456bffd

                              SHA256

                              708e0fbc393aff80c1f0c2453d97d43f985340e50d532143caf7c4c741add77e

                              SHA512

                              8429e306fb61b01556309f7a86d1d6c9d159eb4cd8d23555cfd9bddc3558c274b9b405ab6222210d2738019410e0c7c70b50a9f00c1274d6b0dd09e2a5941772

                            • C:\Windows\{A8F24777-A21B-4d79-9C7F-3EC9FBF984C5}.exe

                              Filesize

                              98KB

                              MD5

                              68cc12b611e8f202c106af112e0d4504

                              SHA1

                              ffc383ec10e1f29765f8d034f646a03cd3cea471

                              SHA256

                              3a6f394ca8950f17c1eb6637519b44f610fef986d84b28f93c3cfa10b2af46e5

                              SHA512

                              e494a33fb39824c5888330a41a0cfdbf15922b40210167ac82adf6c7fae67c41dcdcd33bcba7e5e372f40d1ba74bd3d8627a9c348532cab3eabe09a898adf474

                            • C:\Windows\{C194F340-2985-4f26-B208-CC54E202F18E}.exe

                              Filesize

                              98KB

                              MD5

                              11f8a0d87c55e910fbd5fc6c22460dff

                              SHA1

                              47384d43607f46080982b12194420753c42be43c

                              SHA256

                              ff43506c1d8874725550b4310f24f3f819a883e4037a4a5ea5c1cf3b2074aa4e

                              SHA512

                              bd0a8aa51ef7d65dd4d4da151bdcbf369e875aec4f743d3586fb9b1ccae18fc16de15a23e2a1037f9b44f84f9f4e1e3965edb94b920d6086b0eb8cc9dcfff994

                            • C:\Windows\{D2669C1F-52ED-411d-9D57-6675FC70DBCE}.exe

                              Filesize

                              98KB

                              MD5

                              ba6d5118b5e620bd31ca8d0a5b871d8b

                              SHA1

                              ce970efb68c9bace583d4c851559de24b8e5e85d

                              SHA256

                              4ad64fd14c1115144daeab40b0a495c990a0e263ad6168735db920010519b8c9

                              SHA512

                              2d3143296ead86c75d75a44a291c9e70133d0e522122b8028872dac2088f4d29cf65df36b05e31bf52a9f8b806267976d1e10c256353e1b75843ffff55e26083

                            • C:\Windows\{EC419642-8F03-4ea6-9A5B-E9F2B3CA54E5}.exe

                              Filesize

                              98KB

                              MD5

                              0e7e6212a59610681180ec5c105631ac

                              SHA1

                              0bf1b29e85efa7f882f31d9dcc2150ec9b83f072

                              SHA256

                              40e30d8e2983628aef7bb3741f27b8dec33902a3287c0879e823dc97cab13d75

                              SHA512

                              e81a1c29834df297900db38d53e9c3b7310bcd9816123ac5b0e8df4057eee48a440e6244022ebf0a3ce46e0328e3d990c85b90e0de236146bd5cc7fe988964df

                            • C:\Windows\{F89BE992-56EF-419e-9A60-C0D8F4C4D327}.exe

                              Filesize

                              98KB

                              MD5

                              ba91662474f3d6490fb2194b084ed2be

                              SHA1

                              055dad1ffbbe1536c764a93a3b60325a069cf53f

                              SHA256

                              629ac607a75de4e6817987a6e85f63e0547eafe88470b6b67cad33a440601502

                              SHA512

                              73313297ffe540998c029403fa3cbca7a8e6143fd970fc25ac55bc8f0da26683fb50045ac8e6c6a02dff72d0cfc5e58ebc5e65483ecd56687df362539d24357c

                            • C:\Windows\{F8B925B6-4DF9-4434-A670-35874C97CDC0}.exe

                              Filesize

                              98KB

                              MD5

                              febe5562e6b8e6ea6147cf15e21d023a

                              SHA1

                              3e682e0f6db9e3bbca29ad2a86807274ebaa3623

                              SHA256

                              62e0d40a92d54326212f8d643ada127971bf1813b1d69d1d8bf2858f588c34c9

                              SHA512

                              6c25213642268c2a655f6b804539ebd5b8987c72b0d7f6aef6c213a2fdaa3139c3fa6f190f10466585b0b53b76ff383c5a76043e5d4ad69cf87056368bdc896f

                            • memory/548-90-0x0000000000350000-0x0000000000361000-memory.dmp

                              Filesize

                              68KB

                            • memory/548-95-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/1556-0-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/1556-10-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/1556-8-0x0000000000380000-0x0000000000391000-memory.dmp

                              Filesize

                              68KB

                            • memory/1556-7-0x0000000000380000-0x0000000000391000-memory.dmp

                              Filesize

                              68KB

                            • memory/1724-58-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/1724-65-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2132-77-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2132-81-0x00000000005B0000-0x00000000005C1000-memory.dmp

                              Filesize

                              68KB

                            • memory/2132-85-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2220-75-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2220-74-0x0000000000370000-0x0000000000381000-memory.dmp

                              Filesize

                              68KB

                            • memory/2220-73-0x0000000000370000-0x0000000000381000-memory.dmp

                              Filesize

                              68KB

                            • memory/2428-44-0x00000000003B0000-0x00000000003C1000-memory.dmp

                              Filesize

                              68KB

                            • memory/2428-40-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2428-49-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2488-20-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2488-29-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2544-39-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2544-34-0x00000000003C0000-0x00000000003D1000-memory.dmp

                              Filesize

                              68KB

                            • memory/2544-30-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/2692-102-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/3004-18-0x0000000000380000-0x0000000000391000-memory.dmp

                              Filesize

                              68KB

                            • memory/3004-19-0x0000000000380000-0x0000000000391000-memory.dmp

                              Filesize

                              68KB

                            • memory/3004-21-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/3004-9-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB

                            • memory/3008-56-0x0000000000400000-0x0000000000411000-memory.dmp

                              Filesize

                              68KB