Overview

overview

8

Static

static

3

8c7560f39a...79.exe

windows7-x64

8

8c7560f39a...79.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    24-06-2024 00:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c7560f39a16ef0b13199ffaaaf781c5fbe47d2738a42d88360252d748e64279.exe

  • Size

    89KB

  • MD5

    f170b5191fe2546e50d4467d6d1cab8d

  • SHA1

    2f847cf224cee61f3f914bb4252295fa55179863

  • SHA256

    8c7560f39a16ef0b13199ffaaaf781c5fbe47d2738a42d88360252d748e64279

  • SHA512

    862b95d28a3f96ebb4db6f0fdefe0e8311443789f650f4b6d676382baabb63057e375996ad2477191c2d943fa4e011ea25d3f422541cab2a8232e12675a7b3d5

  • SSDEEP

    768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7gl5:YEGh0oHl2unMxVS3HgX

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c7560f39a16ef0b13199ffaaaf781c5fbe47d2738a42d88360252d748e64279.exe
    "C:\Users\Admin\AppData\Local\Temp\8c7560f39a16ef0b13199ffaaaf781c5fbe47d2738a42d88360252d748e64279.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\{B5611725-17FF-4455-8284-E072F1E12808}.exe
      C:\Windows\{B5611725-17FF-4455-8284-E072F1E12808}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\{3B57B780-D60D-41a2-9D09-FB669D1BE7D0}.exe
        C:\Windows\{3B57B780-D60D-41a2-9D09-FB669D1BE7D0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\{00F64E23-D1D5-4fd8-8B56-9D792B58CC8E}.exe
          C:\Windows\{00F64E23-D1D5-4fd8-8B56-9D792B58CC8E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\{39C5C067-577E-4ea7-86B1-F14C63FAFA2E}.exe
            C:\Windows\{39C5C067-577E-4ea7-86B1-F14C63FAFA2E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:520
            • C:\Windows\{58F5B108-2141-49c3-86D3-7BA5185AB868}.exe
              C:\Windows\{58F5B108-2141-49c3-86D3-7BA5185AB868}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1496
              • C:\Windows\{7AFC264C-6E09-4198-B91F-3FC183BF25AE}.exe
                C:\Windows\{7AFC264C-6E09-4198-B91F-3FC183BF25AE}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:308
                • C:\Windows\{AD9B0A3A-BD7D-4fa3-9E71-3EBD5EA879F3}.exe
                  C:\Windows\{AD9B0A3A-BD7D-4fa3-9E71-3EBD5EA879F3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2192
                  • C:\Windows\{0C578F2B-DE7E-4b62-BBA8-E7E8270A1D62}.exe
                    C:\Windows\{0C578F2B-DE7E-4b62-BBA8-E7E8270A1D62}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2672
                    • C:\Windows\{F9E0F3E2-C5B3-4522-ADDD-4175E6735549}.exe
                      C:\Windows\{F9E0F3E2-C5B3-4522-ADDD-4175E6735549}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1892
                      • C:\Windows\{A298A818-F19E-4acc-A820-80C8EE8E40B1}.exe
                        C:\Windows\{A298A818-F19E-4acc-A820-80C8EE8E40B1}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2104
                        • C:\Windows\{FF8ABDF5-6053-4a5e-86F3-30026D42D46A}.exe
                          C:\Windows\{FF8ABDF5-6053-4a5e-86F3-30026D42D46A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2464
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A298A~1.EXE > nul
                          12⤵
                            PID:1948
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F9E0F~1.EXE > nul
                          11⤵
                            PID:2084
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0C578~1.EXE > nul
                          10⤵
                            PID:932
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AD9B0~1.EXE > nul
                          9⤵
                            PID:2940
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7AFC2~1.EXE > nul
                          8⤵
                            PID:2588
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{58F5B~1.EXE > nul
                          7⤵
                            PID:2924
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{39C5C~1.EXE > nul
                          6⤵
                            PID:956
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{00F64~1.EXE > nul
                          5⤵
                            PID:264
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3B57B~1.EXE > nul
                          4⤵
                            PID:2560
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B5611~1.EXE > nul
                          3⤵
                            PID:2964
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8C7560~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2580

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{00F64E23-D1D5-4fd8-8B56-9D792B58CC8E}.exe
                        Filesize

                        89KB

                        MD5

                        5e7492ca81c62823c8559cc4f70eeb5c

                        SHA1

                        a3d165ce9e7fe8e7a590d8632382a7734bb688ef

                        SHA256

                        b97bc54a5a06a4f33877bc53c76fae945e8b691db22679b2dd4ab1c8cbd45e80

                        SHA512

                        b93acc378590130fe9177bed4eac49c1ce9cc2bb42cbf5bcd4d2eb71e19cc5eed7faa26559ec6251f186ed67bb2f683f010b3d896163b9975a0f81cca92ccf87

                        Download Submit

                      • C:\Windows\{0C578F2B-DE7E-4b62-BBA8-E7E8270A1D62}.exe
                        Filesize

                        89KB

                        MD5

                        3db21c1145e258063316beacce6a9dc2

                        SHA1

                        672c35bb9975166f126ebf1a6c61d329163a2696

                        SHA256

                        6667897bb6239694b5ad8956dffacbbbbb16649b8e6d9b5a0d682576addf5128

                        SHA512

                        fb681883d3b14ab2160ab6f94d2c24e44343137ee39d4e5e671a2c734bd203df27a95103af0da4edb4b014d6a61b33ab8ec54abc160d0501c1ba74fa632dc681

                        Download Submit

                      • C:\Windows\{39C5C067-577E-4ea7-86B1-F14C63FAFA2E}.exe
                        Filesize

                        89KB

                        MD5

                        87c42df2ceb2938854799965e0bf7c54

                        SHA1

                        2d25f9824ad8b17f0aeec616fae8fab11d061947

                        SHA256

                        91b52c39770d27662043eeabc380f6b0100b15809c4c4021c987a0af1e776e85

                        SHA512

                        970d22fc151733981970c025a46cdb926d1d759c656705a382fc7a999111c63a51f44c5f18271a17a02bc8d6946691854a72a6a35673193e9e972ca22b9d8303

                        Download Submit

                      • C:\Windows\{3B57B780-D60D-41a2-9D09-FB669D1BE7D0}.exe
                        Filesize

                        89KB

                        MD5

                        f6247689ff5e02bf2866868d2fd34300

                        SHA1

                        6522cf09590d1d23cd42368d88e03c0387c97566

                        SHA256

                        2db55e68cf4c827a857a5b81175872e0dee52646ba64b9df8db38ef012a3fb33

                        SHA512

                        a4583cb76688ed62d93f46bd38c87ae54c97278f9b5f06a6b2cd28dda352f332711a2f5e7fc572f01d57aae61d67e85aea785b397ae0ef64fa2a915c35a2d822

                        Download Submit

                      • C:\Windows\{58F5B108-2141-49c3-86D3-7BA5185AB868}.exe
                        Filesize

                        89KB

                        MD5

                        514fdf5deb18beb55e7a9f6b6045caf1

                        SHA1

                        21b8a642e3a714530a41b618fa369667b1a2f298

                        SHA256

                        86c870c9badfa6413a14d60061a8cabb1393d8e2e64153fefdc9885f45b65df8

                        SHA512

                        9c5adb0aa6e1cb8fd6d5f713bde40babaf93c0cdaf519feb7bfc9b170e28edace5e569d93bc0e15d01fbf92f13b2727c8aefd16f42cd04b599292b792293382e

                        Download Submit

                      • C:\Windows\{7AFC264C-6E09-4198-B91F-3FC183BF25AE}.exe
                        Filesize

                        89KB

                        MD5

                        92eb7bfb42a60118447999416cb97a91

                        SHA1

                        8d43128bc6d431bd79b67eab61c2846c3f126f93

                        SHA256

                        3fd54016047ebf365de5995c301d5d8553ce97d4cbae1cbdcf10a89b8a3c3462

                        SHA512

                        bddbf1ee2923c054470bf7f800830716c0eb84e82a17ba5535115af078b49700135f5375d4449c7ea2b80a8545367fbdb8feeb49677df071c81c79057d14d911

                        Download Submit

                      • C:\Windows\{A298A818-F19E-4acc-A820-80C8EE8E40B1}.exe
                        Filesize

                        89KB

                        MD5

                        47064eed08591f84041d66ec58725c71

                        SHA1

                        f65597c42885730fa2bc49540c1378646a4d593b

                        SHA256

                        9d5566010c857c3a463d9d0b265f80c773b5c7d250a4274974da7d342e28caa2

                        SHA512

                        99d2046f251df97a562abec4daeb735a4dfd0cd88b4dc1f108333706c2e86ce2269bcfbd2627c0528c525e90b2b3ebbef5d6bdfe2ec873354dcc85b87c82096f

                        Download Submit

                      • C:\Windows\{AD9B0A3A-BD7D-4fa3-9E71-3EBD5EA879F3}.exe
                        Filesize

                        89KB

                        MD5

                        5e0775df6df32f985f378265b10112a8

                        SHA1

                        f306e2ea1160fe29e104623845d5b5a5bbbee84d

                        SHA256

                        01b92b273f4f8bd0f9eb3fa236ba7d9193463983e6944bb1aca916b2f006994a

                        SHA512

                        f17c8243e105c10b07bf5c19a3c4be96c212565dd321ac2128f3b4f6d15beebb6825a8246dfca4cf9893b70450aeee4e1f8a1cf876fbecff50e5ef117646698e

                        Download Submit

                      • C:\Windows\{B5611725-17FF-4455-8284-E072F1E12808}.exe
                        Filesize

                        89KB

                        MD5

                        7f337a01a23b50f91110beccaa03cef9

                        SHA1

                        47c2302bb7904506c34ddc94653121b43eaca669

                        SHA256

                        521c153ffff395b8372a26b3f929a3c9cf2e81e32a6a179c1d432cc2c09f268a

                        SHA512

                        e2354a763f27ba1f251d6228b006ba01da586afc09a7367b62862ae1724c1291b80e3103b46fc1069500858cec77daf85f68a48f2135a8a164bc0f7c517813b9

                        Download Submit

                      • C:\Windows\{F9E0F3E2-C5B3-4522-ADDD-4175E6735549}.exe
                        Filesize

                        89KB

                        MD5

                        976577f5075f1b95bc7a7a571d2dea78

                        SHA1

                        e1b6c546d764d3b0519a5855c1747a4d8a8901f2

                        SHA256

                        e7b08fd45d0f1bc64c3d96ebbec981ad94c73d0ded18d73026a2922582dd3c1c

                        SHA512

                        891aefa40b8879ee7a60e1f373cc24e84e4a9f900a097440f946b934ec26b102b71cb17c57be4394a4de6b4a24615808bc033059e2e16d474ecd75c6ab3fb7c4

                        Download Submit

                      • C:\Windows\{FF8ABDF5-6053-4a5e-86F3-30026D42D46A}.exe
                        Filesize

                        89KB

                        MD5

                        59d806ead4cdb45a4a0ec1598b16ef60

                        SHA1

                        e9ab483c842f5456b9146b31057dba1e5b2e8c81

                        SHA256

                        25140fed80740f64cdac8fef199c74cb0342615229614b7a4482d93924214c50

                        SHA512

                        d874dbe7a989ee59340654a5bb3e38a6f19a0646d6f7d0cf023cc2061bc4f9f6145b0528429b61abff38f58725e4b0624c44ad0f7070731330352604aa367252

                        Download Submit