Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 02:20

General

  • Target

    56389de1f15f32b25323914f7bd85c90.exe

  • Size

    98KB

  • MD5

    56389de1f15f32b25323914f7bd85c90

  • SHA1

    e82eaebb883e9b227ab2a534e9b1cd1c6d2a1ae0

  • SHA256

    a597ce260fd134394cf4fd1e2550db5f69f31afbec67296c37b8bee90fa90161

  • SHA512

    18fad97a6253c9792936dccd996e158d0eece4f5a12faa4e623ec1c276b0697cbe90a745b8ea576cd883e41bb7d1d9303c0ac35fe7037105fae49cab2452dd1b

  • SSDEEP

    768:5vw981UMhKQLros4/wQ4pNrfrunMxVFA3b7glw6:lEG00osl3zunMxVS3Hgl

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
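
The Active Setup signature above only states the mechanism: at logon, Explorer compares each component key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and WOW6432Node for 32-bit stubs) with the user's HKCU copy and runs the StubPath command when the HKCU entry is missing or has a lower Version, unless IsInstalled is 0. The script below is an added triage example, not part of this report or of the sample's code: it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` prints and flags StubPath values that do not look like a Windows or vendor setup stub. The registry contents in it are constructed; the component key reusing the first dropped file's GUID is an assumption for illustration, since the report shows the dropped file names but not the registry key names the sample wrote.

```python
"""Triage Active Setup stub paths from `reg query ... /s` text output.

Added example, not from the sandbox report or the sample. The registry
dump below is CONSTRUCTED; the GUID component is an assumption.
"""
import re

ACTIVE_SETUP_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
)
# Heuristic allowlist: where legitimate stubs normally live (lowercase, trailing backslash).
EXPECTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# The pattern seen in this report: <GUID>.exe directly in C:\Windows, not in System32.
GUID_EXE_IN_WINDIR = re.compile(r"^c:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.I)
# reg.exe prints values as "<4 spaces><name><4 spaces><REG_TYPE><4 spaces><data>".
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from reg.exe /s output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(3).strip()
    return keys


def _expand(path):
    # Minimal expansion of the two variables Active Setup stubs commonly use (assumed C:\Windows).
    return re.sub(r"%(systemroot|windir)%", r"C:\\Windows", path, flags=re.I)


def _stub_image(stub):
    """Executable part of a StubPath command line: first token, quotes stripped."""
    stub = _expand(stub.strip())
    if stub.startswith('"'):
        end = stub.find('"', 1)
        return stub[1:end] if end > 0 else stub[1:]
    return stub.split(" ", 1)[0]


def suspicious_stubs(reg_text):
    """Flag enabled components whose stub runs from an unexpected location."""
    findings = []
    for key, values in parse_reg_query(reg_text).items():
        if not any(key.lower().startswith(p.lower() + "\\") for p in ACTIVE_SETUP_KEYS):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        image = _stub_image(stub)
        low = image.lower()
        reason = None
        if GUID_EXE_IN_WINDIR.match(low):
            reason = "GUID-named executable directly in C:\\Windows"
        elif "\\" in low and not low.startswith(EXPECTED_DIRS):
            reason = "stub outside System32/SysWOW64/Program Files"
        # IsInstalled = 0 disables the component, so its stub never runs at logon.
        if reason and values.get("IsInstalled", "0x1").lower() != "0x0":
            findings.append({"component": key.rsplit("\\", 1)[-1], "image": image, "reason": reason})
    return findings


# Constructed reg query output: two plausible vendor entries, one disabled leftover,
# and one entry shaped like the dropped files in this report (assumed key name).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}
    (Default)    REG_SZ    Example Shell Component
    StubPath    REG_EXPAND_SZ    %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall C:\Windows\system32\example.dll
    IsInstalled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{55555555-6666-7777-8888-999999999999}
    (Default)    REG_SZ    Example Vendor Per-User Setup
    StubPath    REG_SZ    "C:\Program Files\Example Vendor\perusersetup.exe" /quiet
    IsInstalled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
    StubPath    REG_SZ    C:\Users\Admin\AppData\Roaming\old.exe
    IsInstalled    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{51DB1728-DF76-4d3c-8494-9A450B045BA4}
    StubPath    REG_SZ    C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe
    IsInstalled    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for f in suspicious_stubs(SAMPLE_REG_QUERY):
        print(f["component"], f["image"], f["reason"], sep="  |  ")
```

On a live host, feed the script the output of `reg query` from both the native and the WOW6432Node key; on a disk image, the same values can be read from the SOFTWARE hive. The allowlist is a heuristic, so treat a hit as a lead to verify (hash the stub, check its signature) rather than a verdict.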

Processes

  • C:\Users\Admin\AppData\Local\Temp\56389de1f15f32b25323914f7bd85c90.exe
    "C:\Users\Admin\AppData\Local\Temp\56389de1f15f32b25323914f7bd85c90.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe
      C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\{57247325-0D06-4a84-AA1D-7D512228296D}.exe
        C:\Windows\{57247325-0D06-4a84-AA1D-7D512228296D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\{DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe
          C:\Windows\{DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Windows\{8E01D441-A2AA-4baa-9E7E-763F28516616}.exe
            C:\Windows\{8E01D441-A2AA-4baa-9E7E-763F28516616}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2200
            • C:\Windows\{D8B60983-3CED-4072-B6D7-360435D55D9C}.exe
              C:\Windows\{D8B60983-3CED-4072-B6D7-360435D55D9C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2548
              • C:\Windows\{8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe
                C:\Windows\{8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3316
                • C:\Windows\{397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe
                  C:\Windows\{397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4864
                  • C:\Windows\{5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe
                    C:\Windows\{5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2424
                    • C:\Windows\{0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe
                      C:\Windows\{0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2096
                      • C:\Windows\{0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe
                        C:\Windows\{0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1624
                        • C:\Windows\{E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe
                          C:\Windows\{E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4456
                          • C:\Windows\{DC737609-4DCE-4450-8A63-5274BE8760DB}.exe
                            C:\Windows\{DC737609-4DCE-4450-8A63-5274BE8760DB}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4908
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E41FF~1.EXE > nul
                            13⤵
                            PID:2436
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0190A~1.EXE > nul
                          12⤵
                          PID:1860
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DE94~1.EXE > nul
                        11⤵
                        PID:3944
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B8F4~1.EXE > nul
                      10⤵
                      PID:904
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{397EA~1.EXE > nul
                    9⤵
                    PID:1416
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8EDC8~1.EXE > nul
                  8⤵
                  PID:3140
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B60~1.EXE > nul
                7⤵
                PID:4988
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8E01D~1.EXE > nul
              6⤵
              PID:4480
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DC92A~1.EXE > nul
            5⤵
            PID:4620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{57247~1.EXE > nul
          4⤵
          PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51DB1~1.EXE > nul
        3⤵
        PID:2420
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56389D~1.EXE > nul
      2⤵
      PID:2916
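
The tree above shows two behaviours worth turning into detections: every stage is a GUID-named executable written directly into C:\Windows (not System32), and every stage launches the next one and then spawns `cmd.exe /c del <own image> > nul` to remove itself. The deletion target is written as an 8.3 short name ({E41FF~1.EXE for {E41FF63A-...}.exe, 56389D~1.EXE for the original sample), so a naive rule that compares the `del` argument with the parent's image path never matches. The following is an added detection example, not part of this report or of the sample: it runs over constructed process-creation records with Sysmon Event ID 1 style fields (pid, ppid, image, command line). The PIDs and image names for the first three stages are copied from the tree; the record format, the parent PID 1000 of the first stage, the benign decoy `del`, and the rules themselves are assumptions of the example.

```python
"""Detect the GUID-dropper chain and 8.3 self-deletion seen in the process tree.

Added example, not from the sandbox report. EVENTS below is CONSTRUCTED
from the report's tree (Sysmon EID 1 style fields are an assumption).
"""
import re
from collections import defaultdict

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Rule 1: <GUID>.exe sitting directly in the Windows directory.
GUID_EXE_IN_WINDIR = re.compile(r"^[A-Za-z]:\\Windows\\" + GUID + r"\.exe$", re.I)
# Rule 2: the "cmd.exe /c del <path> > nul" one-liner; group 1 is the target path.
CMD_DEL = re.compile(r'cmd\.exe"?\s+/c\s+del\s+("?[^">]+?)"?\s*>\s*nul', re.I)

EVENTS = [  # constructed; PIDs/images of stages 1-3 and their cmd children mirror the tree
    dict(pid=4724, ppid=1000, image=r"C:\Users\Admin\AppData\Local\Temp\56389de1f15f32b25323914f7bd85c90.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\56389de1f15f32b25323914f7bd85c90.exe"'),
    dict(pid=4488, ppid=4724, image=r"C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe",
         cmdline=r"C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe"),
    dict(pid=2916, ppid=4724, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56389D~1.EXE > nul"),
    dict(pid=968, ppid=4488, image=r"C:\Windows\{57247325-0D06-4a84-AA1D-7D512228296D}.exe",
         cmdline=r"C:\Windows\{57247325-0D06-4a84-AA1D-7D512228296D}.exe"),
    dict(pid=2420, ppid=4488, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /c del C:\Windows\{51DB1~1.EXE > nul"),
    dict(pid=4900, ppid=968, image=r"C:\Windows\{DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe",
         cmdline=r"C:\Windows\{DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe"),
    dict(pid=2808, ppid=968, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /c del C:\Windows\{57247~1.EXE > nul"),
    # Constructed decoy: a "del" whose target is unrelated to the parent (must not fire).
    dict(pid=5000, ppid=1000, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\Desktop\notes.txt > nul"),
]


def short_name_matches(del_target, image):
    """True if an 8.3 path such as C:\\Windows\\{E41FF~1.EXE plausibly refers to `image`.

    Windows derives the short name from the first six characters of the long
    name plus ~N, so compare the directory and that prefix and ignore N, which
    depends on collisions. (If the directory itself is shortened, e.g.
    C:\\Users\\ADMIN~1, resolve it with GetLongPathName on the live host first.)
    """
    t_dir, _, t_name = del_target.rpartition("\\")
    i_dir, _, i_name = image.rpartition("\\")
    if t_dir.lower() != i_dir.lower():
        return False
    if "~" not in t_name:
        return t_name.lower() == i_name.lower()
    prefix = t_name.split("~", 1)[0]
    return 0 < len(prefix) <= 6 and i_name.lower().startswith(prefix.lower())


def detect(events):
    """Return (pid, rule, detail) for every record that matches rule 1 or rule 2."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE_IN_WINDIR.match(e["image"]):
            findings.append((e["pid"], "guid_exe_in_windir", e["image"]))
        m = CMD_DEL.search(e["cmdline"])
        if m and e["image"].lower().endswith("\\cmd.exe"):
            parent = by_pid.get(e["ppid"])
            if parent and short_name_matches(m.group(1), parent["image"]):
                findings.append((e["pid"], "parent_self_delete", m.group(1)))
    return findings


def dropper_chain(events):
    """Follow ppid links through GUID-named droppers; returns the ordered PID chain."""
    by_pid = {e["pid"]: e for e in events}
    droppers = [e for e in events if GUID_EXE_IN_WINDIR.match(e["image"])]
    dropper_pids = {d["pid"] for d in droppers}
    heads = [d for d in droppers if d["ppid"] not in dropper_pids]
    if not heads:
        return []
    children = defaultdict(list)
    for d in droppers:
        children[d["ppid"]].append(d)
    chain = [heads[0]["ppid"]] if heads[0]["ppid"] in by_pid else []  # the original sample
    cur = heads[0]
    while cur:
        chain.append(cur["pid"])
        nxt = children.get(cur["pid"], [])
        cur = nxt[0] if nxt else None
    return chain


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"{pid:>5}  {rule:<20} {detail}")
    print("chain:", " -> ".join(map(str, dropper_chain(EVENTS))))
```

Rule 1 alone would have flagged all twelve stages in the tree above; rule 2 ties each cmd.exe back to its parent and so survives the 8.3 renaming that hides the file name from plain string matching. Because every stage deletes its predecessor's file, the dropped files in the Downloads section exist on disk only briefly, which is why the sandbox's file captures, not a post-mortem disk image, are the place to get their hashes.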

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Windows\{0190A239-2DC0-4ff9-B111-3FA7454D893C}.exe

                            Filesize

                            98KB

                            MD5

                            6e74af9554f9c1eb059e0e50c9ed6321

                            SHA1

                            d3e85938e1057c72bdd134aa56a0b947ac305c69

                            SHA256

                            da5af4549e0d393dacf5be5eb749b4613e1de937795bc31e9f5e6c7ebec71429

                            SHA512

                            8f51b015b4fb2882eeff6ca82b4cb85a19f1ce989d81f13e19852b124e5fe7c7db4a311a65ab22b928997320f47ae5bc44c4c6ec1e061dee591201df5232a2fe

                          • C:\Windows\{0DE94E9D-FA09-4a66-9F06-A49DFA80FB3E}.exe

                            Filesize

                            98KB

                            MD5

                            df02bee8f8596b08965116996b414eee

                            SHA1

                            d9461a1c7c8d4e3843fa61824869c57ef2064c1e

                            SHA256

                            5a63781ad86699dcf6642a839714ba7f053d6f9cc15f30ef352cc74a852829b6

                            SHA512

                            c394e8d5a16d5ec43ed7e4962c2d72b69eb4a0ae935187ad615d2894229efdca89f5e907f92995a16d39f1dafed1407aa3f2be49d2b77f1992c02cf1a79a05e1

                          • C:\Windows\{397EAFDC-397E-4fba-8D2D-8692D4AA2728}.exe

                            Filesize

                            98KB

                            MD5

                            16cf65febe1ec1cfa6e6cfb9b4e8d106

                            SHA1

                            138d8f0e538ab4ab49bd0adb781cefeab70c56a9

                            SHA256

                            a4a522ca28787849131e9766aa6ab9b70193aad561ed28250e4c839577daf263

                            SHA512

                            fe0e6c4dc27091237976405a154e3b47b947f94f15edb54b7815aa4b85f2cff2b7e25155efc3e827b43599b56ede873056a7cda4713cd653a4e2d000409cdaf9

                          • C:\Windows\{51DB1728-DF76-4d3c-8494-9A450B045BA4}.exe

                            Filesize

                            98KB

                            MD5

                            66f3a79009978f9cba1e0d82f4ac5ba1

                            SHA1

                            40f5900c8f7b72c3ac48481d5eb625b84a6a3c33

                            SHA256

                            af1f982bc885dc12f55834e44bbbb3d2bfce9b8c6d217950d5142298d59da012

                            SHA512

                            86ad9512dc1c481daf46849bfd1989ac6597cb3c753dcca8c7b05e4c9671c3475eb522d611cfa87e860344f6b9360d771ca2d72ea1c0a4332b25ac4b294cba3e

                          • C:\Windows\{57247325-0D06-4a84-AA1D-7D512228296D}.exe

                            Filesize

                            98KB

                            MD5

                            a952575f80574ae6b20aa9432d858432

                            SHA1

                            7719655688fe63c29f61b5f9e6c4e155c3004086

                            SHA256

                            c0be9d6b0d672b5752368d1834371851d80b90d25db318ca3b681c1463a66db6

                            SHA512

                            2fa9ff9e039e0e237df80aab8249d41503ed81564aed5a6e072f5d9f79b261a30c330b4efa7857fb188845c20f89a20d05c664af3e318c82eab81e617df0e5f9

                          • C:\Windows\{5B8F49EF-D9E5-468e-AE1A-14482FCB307B}.exe

                            Filesize

                            98KB

                            MD5

                            74b06289fac084c5fb383dd977037c69

                            SHA1

                            4a5e41bcb71e443eeb0501cbd8157880b99bfc1c

                            SHA256

                            d1ead9fedf5a3dd8edac748b01f150b32c41215d3a02cf6f483feda2747dff0d

                            SHA512

                            6e211bd2a1784a1f80f9dbfcd79d41484166ed2e9511decbaca90ad19700ae16fcf3d9fe250fd38c243e4e623ae0963ef6e835c194fe6ec81000806271459199

                          • C:\Windows\{8E01D441-A2AA-4baa-9E7E-763F28516616}.exe

                            Filesize

                            98KB

                            MD5

                            9c7912fe257e83586a8c071d00bd4e13

                            SHA1

                            ef68fcca70196d981d04a2e23609457eb3320474

                            SHA256

                            eb95b071c477688617663fed1f6eb2e24d973b438120c04f867d20765dca6b22

                            SHA512

                            c0cb1d1db5601d6f0d59999961def7756dac7fe022c1e1e0dc4bec0f0a6992d11d162c6a5ef8ea08eb6b6a548c362b0ec117cfddb845f581559af68089753801

                          • C:\Windows\{8EDC8D04-8DBF-4e1b-A2D3-5AABF92C734B}.exe

                            Filesize

                            98KB

                            MD5

                            d2ec1a955ed2e1daaf7dcf61bc19c703

                            SHA1

                            c6ff5cb201b3d1632ba7923967f3052bc877e7cc

                            SHA256

                            5c616da0f950e0055709c28d5719c2b79b76b5f0105a790e1ee04a6b442d9a46

                            SHA512

                            ab7c7da079ebadd04e19b8b8d905ca74e4e1a034ced9b80052b738e8a5acfa30b150d2c14a8628d7ecaf9a3fc3d6a500094c19a8f1addeab4f34f63f13dd947c

                          • C:\Windows\{D8B60983-3CED-4072-B6D7-360435D55D9C}.exe

                            Filesize

                            98KB

                            MD5

                            154157d49c249e9faa30371ebf1afbf9

                            SHA1

                            4cef621d803966be46ad47307609d301351dbb8a

                            SHA256

                            f4d97957f4e4fc02571ea7e6e0cfeb813849bcbd4a8c3e4aa93a6829b546ac5d

                            SHA512

                            49fec4ff7948023bdd4e6febcff5353e841c59791fdf63eebd9697127fa603196c935db427d10d057717e982e689bbeacc8a8e9ca6139bab1b85760c7a9273f0

                          • C:\Windows\{DC737609-4DCE-4450-8A63-5274BE8760DB}.exe

                            Filesize

                            98KB

                            MD5

                            86f8017057b7c03e6126cec3fc9eab22

                            SHA1

                            72c200b87223b5893b9e106052c4c8b0ed81b5be

                            SHA256

                            085a9763c98bb6615d7f1476032848e762ecc0ad9327a0038c43f2dc19b072aa

                            SHA512

                            dddd931bf9e24e904593bf98cbcc371b86849acc47274a6b0e423edb9d4b1eed1ff5a69bbd33a1b5e76055409fcc610862183e3e207d93674beb30aff8246d7a

                          • C:\Windows\{DC92A09B-07BB-4761-819F-B60A39F8A3E3}.exe

                            Filesize

                            98KB

                            MD5

                            0f979c3cbdd193e42c573c71a1f3001a

                            SHA1

                            544483a5733787fbb6fd0d0e4239f3b8c2276ec8

                            SHA256

                            7f7522d4666443c5dd23ab40c5e34b3ddbc7fd02b4373816ed95be7c246c37e1

                            SHA512

                            3130d80d44f54a0819a2a3665ea31089410adfaa94e2b83d981524e906998b5aa2a5951127b672832ef4a1689a85e4b57722652073867bdc1e8b411b980ee477

                          • C:\Windows\{E41FF63A-FC9F-43d8-B63D-0D721CDAD510}.exe

                            Filesize

                            98KB

                            MD5

                            7b465936cbd96656d86173e0f51abea1

                            SHA1

                            1255a4fdbdf9ab3a2d81683b38e22e86c11ff73b

                            SHA256

                            c76dbe34932ca44d6a61e804a2fe50d5ca8dde628098f4a081a1ecb781bfe53c

                            SHA512

                            87674dc9a73301a2248cb15e374cecfb647681f4add1694e141086dbf4ae616612f9991683d94342281712e89e3a78fec62a33d6fc48354454b2d78d89ccc154

                          • memory/968-15-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/1624-57-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/1624-61-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/2096-55-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/2096-52-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/2200-22-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/2200-28-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/2424-50-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/2548-34-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/2548-29-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/3316-35-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/3316-38-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4456-63-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4456-67-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4488-10-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4488-6-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4724-0-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4724-5-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4864-45-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4864-40-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4900-21-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4900-17-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB

                          • memory/4908-69-0x0000000000400000-0x0000000000411000-memory.dmp

                            Filesize

                            68KB