Overview

overview

8

Static

static

3

042cddd179...bd.exe

windows7-x64

8

042cddd179...bd.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2024, 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    042cddd179e76980a693de37ac6f94c7b7e34605d6fc22e63928abbc05a533bd.exe

  • Size

    380KB

  • MD5

    d7f67f5e053d2943cabd1a645ceae080

  • SHA1

    2c8808bdd5bef7b95016d6f5f54ecc1252ce0ccb

  • SHA256

    042cddd179e76980a693de37ac6f94c7b7e34605d6fc22e63928abbc05a533bd

  • SHA512

    89b56fb034b1e09f6ba536a42dd9e3936661f3cac967cb1ff3c69e5491711f0e6cbe282b20aa7ca6bcbf03b940011ed1a9895d665dfd13a2aa8a6329e55dfcd0

  • SSDEEP

    3072:mEGh0oWlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGol7Oe2MUVg3v2IneKcAEcARy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\042cddd179e76980a693de37ac6f94c7b7e34605d6fc22e63928abbc05a533bd.exe
    "C:\Users\Admin\AppData\Local\Temp\042cddd179e76980a693de37ac6f94c7b7e34605d6fc22e63928abbc05a533bd.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\{112E6797-8304-4433-9F28-797FE83045D3}.exe
      C:\Windows\{112E6797-8304-4433-9F28-797FE83045D3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\{23EEB724-4B4B-4229-A6E8-9B76F26C8705}.exe
        C:\Windows\{23EEB724-4B4B-4229-A6E8-9B76F26C8705}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Windows\{4EC3AC5B-4054-4084-84F6-D6DA8C610D34}.exe
          C:\Windows\{4EC3AC5B-4054-4084-84F6-D6DA8C610D34}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Windows\{6C6E4BDC-B632-418e-95AC-2B75BEE940A1}.exe
            C:\Windows\{6C6E4BDC-B632-418e-95AC-2B75BEE940A1}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3868
            • C:\Windows\{F827516E-4E13-4114-B1C8-9E9DA7832CB6}.exe
              C:\Windows\{F827516E-4E13-4114-B1C8-9E9DA7832CB6}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2708
              • C:\Windows\{262463E8-010E-4ba9-9E49-27CACC4A4B33}.exe
                C:\Windows\{262463E8-010E-4ba9-9E49-27CACC4A4B33}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2196
                • C:\Windows\{A3D90225-FFBC-4ecd-9B98-74A40F6491CC}.exe
                  C:\Windows\{A3D90225-FFBC-4ecd-9B98-74A40F6491CC}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3100
                  • C:\Windows\{275CC07A-ACE5-453a-BC14-533BD92554AB}.exe
                    C:\Windows\{275CC07A-ACE5-453a-BC14-533BD92554AB}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4428
                    • C:\Windows\{7C1288B2-86C6-4125-9297-FA7CEA1FE847}.exe
                      C:\Windows\{7C1288B2-86C6-4125-9297-FA7CEA1FE847}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1476
                      • C:\Windows\{1319F2D2-66B7-4738-ABEB-FC70243B3144}.exe
                        C:\Windows\{1319F2D2-66B7-4738-ABEB-FC70243B3144}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2784
                        • C:\Windows\{8418EB6F-42DE-4cae-B7FF-040EC97620BC}.exe
                          C:\Windows\{8418EB6F-42DE-4cae-B7FF-040EC97620BC}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5092
                          • C:\Windows\{0CCD870B-0A99-411d-AC5C-2FA8C0C19731}.exe
                            C:\Windows\{0CCD870B-0A99-411d-AC5C-2FA8C0C19731}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2812
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8418E~1.EXE > nul
                            13⤵
                              PID:3696
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1319F~1.EXE > nul
                            12⤵
                              PID:2508
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7C128~1.EXE > nul
                            11⤵
                              PID:1492
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{275CC~1.EXE > nul
                            10⤵
                              PID:1100
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A3D90~1.EXE > nul
                            9⤵
                              PID:1156
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{26246~1.EXE > nul
                            8⤵
                              PID:2456
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F8275~1.EXE > nul
                            7⤵
                              PID:3176
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6C6E4~1.EXE > nul
                            6⤵
                              PID:1784
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC3A~1.EXE > nul
                            5⤵
                              PID:4400
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{23EEB~1.EXE > nul
                            4⤵
                              PID:2020
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{112E6~1.EXE > nul
                            3⤵
                              PID:3008
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\042CDD~1.EXE > nul
                            2⤵
                              PID:3076

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{0CCD870B-0A99-411d-AC5C-2FA8C0C19731}.exe
                            Filesize

                            380KB

                            MD5

                            29c31c4e521dfe6c2758b54a6762772c

                            SHA1

                            7e690c16904b43250795af15443c156018f16a0e

                            SHA256

                            1514da18f3812dbdf09ace83ba2ebbac4c84c66f17dc1ea5f811492031cd06b1

                            SHA512

                            664166d348db238732beec3f4db5879bb428a41b48464ff3589483073d632d6ca890f4b78c56ec662a106fcdea24a1526b105d9f67e5f81f2e4490e4690077e8

                            Download Submit

                          • C:\Windows\{112E6797-8304-4433-9F28-797FE83045D3}.exe
                            Filesize

                            380KB

                            MD5

                            f540a0569ad05aef15dfe186988a6bc5

                            SHA1

                            0a6a611005f52c376e603516e8a0c8d2afea856d

                            SHA256

                            240d794961f18b68b4df97055cb256529c636863ccb2ea1ad87347e3d76e1652

                            SHA512

                            0ccf3511795efc37b79885502a512ff8212b6fc8d6e720e1a895f7b5f6d04e40cef0bea68d7d22839c1e425bd09001efa6497d8b8dbfcb77c7e5d9626f9d9466

                            Download Submit

                          • C:\Windows\{1319F2D2-66B7-4738-ABEB-FC70243B3144}.exe
                            Filesize

                            380KB

                            MD5

                            516089e013618877d11d61e9afe77473

                            SHA1

                            b91ce41c58ea8bc3e8e176d207731a64fd8c7e2a

                            SHA256

                            841d6c9ed6e9fb9383855c54f1b9aaa7a077cb2d478e3039a71709efd9708eb6

                            SHA512

                            d7d9be83531262f67bd9d27c6ea7c8d33403b50ceae2c7001451ae1601f1392d03111d099e7a889be29433b8a4e191812c9955e42f2e89a44249412803709fa0

                            Download Submit

                          • C:\Windows\{23EEB724-4B4B-4229-A6E8-9B76F26C8705}.exe
                            Filesize

                            380KB

                            MD5

                            965b846aaeb623cc1edbc95be69136ec

                            SHA1

                            4495f73212e95ab55d31201135470020c489e045

                            SHA256

                            598a7964d770f0413de559c647898741d93c6277f252a399528b14ceed06240d

                            SHA512

                            5c77f885aaea6c1941c19b9932184d06a4f81ef4e1d0973072ef99f723010700d80ad4cedbac42edf520211f0cc4c9e29d0912e8d4d67a0cfc5f9e1e8cb8dd93

                            Download Submit

                          • C:\Windows\{262463E8-010E-4ba9-9E49-27CACC4A4B33}.exe
                            Filesize

                            380KB

                            MD5

                            c06e497c30a22e795f5113d5a2872a7d

                            SHA1

                            3d2296d615aa0c9e52eb4b2ad33e39cf8c6bbf31

                            SHA256

                            01de83563df16079def5e7c32bd2c6be866d5e38023ffd4ba9c5bc74b87d50ab

                            SHA512

                            e8dd273837c303468f3e3888794b15c1b047cc9ab70a7881aa90a9186a346d410d649f47fba3b58d1732e2e18324d465325197f0f42bb9834c78177ce3757d9c

                            Download Submit

                          • C:\Windows\{275CC07A-ACE5-453a-BC14-533BD92554AB}.exe
                            Filesize

                            380KB

                            MD5

                            aaf8507ae2a8a7fa7abd5e84b6a5868f

                            SHA1

                            8b0f24fda02001cb645906a9a51ca7120c04d9d4

                            SHA256

                            9f1ef6c039ac4e9a265da2fa74c7748998041eb71dc118100d8d08a81331ea64

                            SHA512

                            95e9f147831cb2e8ac9fac907d9f219e6b3a343bdda6554b9bc7876f4b0aa65a5dcd4e79110261fd1a789af944cfe605b75670a1028799696a95dd5333248fb6

                            Download Submit

                          • C:\Windows\{4EC3AC5B-4054-4084-84F6-D6DA8C610D34}.exe
                            Filesize

                            380KB

                            MD5

                            2c508948e3990fcda1f8a05f11b44c6a

                            SHA1

                            a5da83b8b9ad19814d5b83228619f5a805c1f054

                            SHA256

                            739d3910f9815041013b1c7d494375a6ed69782c5a23391cecb4fc1649c29094

                            SHA512

                            e30f01cbaa4e28e9bff36bc2c6062aee0b782008f450f84a985d820a10d990d3b2166c5a306c145d72bf085cd3f7cc3c10998da1c40e6bcb843f6b9c997f7d10

                            Download Submit

                          • C:\Windows\{6C6E4BDC-B632-418e-95AC-2B75BEE940A1}.exe
                            Filesize

                            380KB

                            MD5

                            9c0f4b81d18cf508ffdb460c007b652a

                            SHA1

                            eb854687cb0169d9c6e0200086c137ccb0d054fe

                            SHA256

                            3ed864ed05d36b87017fc16ab8fd20867621d1eb6a483192a8ec1f0614bb4458

                            SHA512

                            fb3dd1ba1efe43ba188b8c12ccfcf06e8f538bc4041b4c8bff52faad474fa8738275f96db5ae61bf5e44a66d399df589ba395bedc4e4503bb0637a5a41d77cfd

                            Download Submit

                          • C:\Windows\{7C1288B2-86C6-4125-9297-FA7CEA1FE847}.exe
                            Filesize

                            380KB

                            MD5

                            25d55e5251c5831354ae1f0b6d7abf78

                            SHA1

                            60a43b4cbcafa75299e35091e0b9c2b479db722d

                            SHA256

                            57e118b27561ee45b07d4180d58138e5a39aa8513cb2403947ca5dd5a6280e74

                            SHA512

                            feaa5799ec2fddcb34ebb961c6bd6eb1ca32fe3c0ec610363135d27f32df843f64b2eb04da52917c209b34ddf9a18cfcda8b9a18df6856402a58dbd37ef80c79

                            Download Submit

                          • C:\Windows\{8418EB6F-42DE-4cae-B7FF-040EC97620BC}.exe
                            Filesize

                            380KB

                            MD5

                            b330a0ecf85706ffb91c97552a25ecde

                            SHA1

                            732904d660e4f8d71b38bdf17f121d3aedec9a35

                            SHA256

                            589d967b664a388bf4503abe5808b816c94343d2fca9c1a0e6c43afb87655b50

                            SHA512

                            1e95e91fd99b7842206a77bdc54fdddfa94c955ab2e04da21f12b73f0ed4e94d2379ba5fde0650bb61407efd1a7de188cf795007bb90f981470abd457f9f6ba5

                            Download Submit

                          • C:\Windows\{A3D90225-FFBC-4ecd-9B98-74A40F6491CC}.exe
                            Filesize

                            380KB

                            MD5

                            40900b83395a6bce041472aa227bbd7d

                            SHA1

                            1eba3b84dca68a66b932fa7dc1dc182216cdc0dd

                            SHA256

                            63ec1ce98540a3b2c1e22c29f2be66fafd37289613a4c0d3c736e95859305310

                            SHA512

                            bda335f0cf1195d7c8413c1ccad0f611de213cd9312bfdcd89e9aa8406a1e210eed73d813c3fda7718ea508bb84eb62c88b54a66bdccfaa7dd396f19b1798701

                            Download Submit

                          • C:\Windows\{F827516E-4E13-4114-B1C8-9E9DA7832CB6}.exe
                            Filesize

                            380KB

                            MD5

                            26fd9574548901484e9624e0c7534e35

                            SHA1

                            8cb05a62675c1d2d537b18868b5129b82621dfcb

                            SHA256

                            ffed738255ac3eb5a123c883c348f08220a4aec486be4002f9ff0956aa1d7b1e

                            SHA512

                            7f9eca19d653ce2f8578e7770139fe281a9ad2c9844ebfcd20e5010f1747e8b9e3f12c37c82b7c1d69981327496eacbf363c4e368b92ed5ce93d0f22721aa9ac

                            Download Submit