Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/06/2024, 20:11

General

  • Target

    35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe

  • Size

    98KB

  • MD5

    18ee73c98555b308c2bf65ef39a41a5a

  • SHA1

    f1f94cd13f36a4e5622cc9cdfbb362c841df8607

  • SHA256

    35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a

  • SHA512

    42e3d70c5006a5da1b352f8c07626ec6cc28fae86bc62aeb2e209a996b9ed098a837d6e8ffd81c8a1b31617da0ce517dfc6787b9c0046e922c8deb448ff0a8c0

  • SSDEEP

    768:5vw9816thKQLroFL4/wQkNrfrunMxVFA3b7glws:lEG/0oFLlbunMxVS3Hgz

Score
8/10

Signatures

  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe
    "C:\Users\Admin\AppData\Local\Temp\35c65bef185469e7e943d3e59347cabcece006f20349a22cf00dd6645dcde66a.exe"
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe
      C:\Windows\{5D352423-EF38-4244-BA75-0804A572F504}.exe
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe
        C:\Windows\{35B294F4-59B3-4210-A7E5-08AB595C334B}.exe
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe
          C:\Windows\{A2579456-2C91-48dc-A7D2-28FBFEC4E82E}.exe
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe
            C:\Windows\{B52AFCF4-334F-401c-970B-F2FB224E0225}.exe
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4944
            • C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe
              C:\Windows\{562E18A3-4EB6-4a14-8ADB-FA03CD79DF48}.exe
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:908
              • C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe
                C:\Windows\{92F7EFD6-FF9B-49b1-A619-56CA33E09DC7}.exe
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2044
                • C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe
                  C:\Windows\{E5989A06-D50E-477a-966B-5F93C1740C38}.exe
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:592
                  • C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe
                    C:\Windows\{BD081BC8-A4D9-42bb-80F4-DFECA33783D0}.exe
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4996
                    • C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe
                      C:\Windows\{E47358A5-9ED2-4262-958A-59D6C7CD205E}.exe
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4508
                      • C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe
                        C:\Windows\{35354BD1-1F4D-4f09-BB5A-1A7727B92009}.exe
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2836
                        • C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe
                          C:\Windows\{3C0678F4-4D21-4abc-9D67-8A9B5CF6B627}.exe
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4024
                          • C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe
                            C:\Windows\{D10A8CC9-4EEA-49bd-9BFC-9C2B6F491887}.exe
                            • Executes dropped EXE
                            PID:4208
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3C067~1.EXE > nul
                            PID:1348
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{35354~1.EXE > nul
                          PID:2600
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4735~1.EXE > nul
                        PID:1752
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BD081~1.EXE > nul
                      PID:1160
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E5989~1.EXE > nul
                    PID:1704
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{92F7E~1.EXE > nul
                  PID:2068
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{562E1~1.EXE > nul
                PID:3312
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B52AF~1.EXE > nul
              PID:916
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A2579~1.EXE > nul
            PID:4780
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{35B29~1.EXE > nul
          PID:3484
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D352~1.EXE > nul
        PID:4516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35C65B~1.EXE > nul
      PID:2844

Downloads
