Analysis
-
max time kernel
149s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05/07/2024, 03:28
General
-
Target
d721a683f89df4da45af894c54f20032.exe
-
Size
192KB
-
MD5
d721a683f89df4da45af894c54f20032
-
SHA1
acbff8bed9603d69983f8a9d3f336822bc6b5c1a
-
SHA256
65787643d9fd17c5d417b1349c3350de76456cf2dc1ed6d722324d8446422204
-
SHA512
caad3d140e3ca276be14d4525c07a128428d686bf4e78859fe0e2164d715eea57f9879bccf2dcbf0154520c32adc90700ec314fbe808479ba9fec4198e817e77
-
SSDEEP
1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oNl1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d721a683f89df4da45af894c54f20032.exe"C:\Users\Admin\AppData\Local\Temp\d721a683f89df4da45af894c54f20032.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F85D0E41-7762-4a56-9601-CC76BF97A3F7}.exeC:\Windows\{F85D0E41-7762-4a56-9601-CC76BF97A3F7}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D4ADA8A9-EC31-48d6-8684-C11C2A9E484B}.exeC:\Windows\{D4ADA8A9-EC31-48d6-8684-C11C2A9E484B}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B7328D15-F0E3-430a-BB99-A290A87B0149}.exeC:\Windows\{B7328D15-F0E3-430a-BB99-A290A87B0149}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D29D445C-7550-48d7-9C3C-73D9B9FA3AEE}.exeC:\Windows\{D29D445C-7550-48d7-9C3C-73D9B9FA3AEE}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{54AA4161-07B6-4891-B89B-DAC83F3F7AE3}.exeC:\Windows\{54AA4161-07B6-4891-B89B-DAC83F3F7AE3}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{73D0D4DD-26E0-42b6-B21A-E3D1E22DDB66}.exeC:\Windows\{73D0D4DD-26E0-42b6-B21A-E3D1E22DDB66}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D281D05E-D53B-43df-BC05-9394AC520859}.exeC:\Windows\{D281D05E-D53B-43df-BC05-9394AC520859}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2D43AA88-E7F0-4ab5-A2E2-C86E95A23CC4}.exeC:\Windows\{2D43AA88-E7F0-4ab5-A2E2-C86E95A23CC4}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A8127AD1-82A9-4312-999E-21F5F3443D45}.exeC:\Windows\{A8127AD1-82A9-4312-999E-21F5F3443D45}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FD670106-9523-47ea-BB2C-EEEF1D062F5D}.exeC:\Windows\{FD670106-9523-47ea-BB2C-EEEF1D062F5D}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{20ED84B0-17F4-43a3-9E9F-E5F940A2E008}.exeC:\Windows\{20ED84B0-17F4-43a3-9E9F-E5F940A2E008}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{B90ECA03-7A48-48b5-8763-9DA1ED722649}.exeC:\Windows\{B90ECA03-7A48-48b5-8763-9DA1ED722649}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{20ED8~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FD670~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A8127~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2D43A~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D281D~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{73D0D~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{54AA4~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D29D4~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B7328~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D4ADA~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F85D0~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D721A6~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD570b3cf5c0aa31b657d382a8ffbc6c96c
SHA1e19b924b6e7fd04dcc866058d046c31e0ecddc87
SHA256e36eda21bdace8ba2f1536c4357aa9825c29a3978c34733ccd1a91a91e0eb9d9
SHA51260f5a4af048147c077373d0a9d0312a56568f1d39fb5264eb3958526cf5f2c1e43f810c4449bf0c82d7181f85637a6194a284f4a7c894f21bc2f8fe73641885c
-
Filesize
192KB
MD5f87aab852228eaf9ca39e1827d181c8c
SHA1a8983a2630802f1d5e5d3aa235e714d3aa7048b2
SHA256433d41d51b4d5e921b64380d8824220ec6e4cd4581c584ee9643b64136786916
SHA512617ec73d36bc91205cece13b7ef2e8167760831f93e4efebe13a92281379a465ce21be92b7f3ce919bc3e8c87c4122fd1ee5cd65ce0fb4c68d72e5116a155d2a
-
Filesize
192KB
MD56705cadde72c5c7da1b22d83e3574470
SHA1e88c6546b51c8a60af834cdb5785c7c1b2f1cc9e
SHA256bdc5d0e202e73550dd0a24a67378b2d000d811348ebb42718f67bed3033a1f10
SHA512d3dd470ed5ecd145d4b094e3d3103729572e4c5a01641ef78d493190d76e78d65e7994529817682927bc9f6bc208a4e215da79282b81d795250478ca6cda629d
-
Filesize
192KB
MD58667377a222e82a5827add47a875ce6b
SHA153e7ce6bcf81b4392cc71eb6ac546cc94cc13b5b
SHA2563ba849c1b84d0cf8cc858c290c42526b27c86353f6b609c44f05edf7ed37302f
SHA512824bac08d38d0a70661439da24c84da04d1b5033e69398e0cb6b50336b5d430933da1848045b2a7824a2050af616c74f71a979c1124be76abb7fe1d71d1c2b69
-
Filesize
192KB
MD5fe3b2894e65d5f09318de84f1585cbe1
SHA191be5bb1c5c9080223ac7c7eb8ad789d205f1b17
SHA25615f6c497eab6bd7a3c49a1946051a2e9065c8c7d37be0f9376e9de10eeff37d3
SHA512f3dba3c2166586d5be101d28341ccc672ba407f012f83e5be17df8095958160ae6e4e25112fb62e5dd49e21b1ec778d29528d32c85ff2a4c8af2568c0b7a2317
-
Filesize
192KB
MD594577e099ecb92d140c93cba258b99d8
SHA1d5e0eb2568a712a5de1d95429b9d9aae443dcbeb
SHA256fd746f948aced995198aae64f303a69c3d30c7cea2d28c20cad064a78a84c8c6
SHA512ed46f7a21a71e8929a2fb91b41454dc6a38f6e2382abfb7b9600c5b1b517aafb556d859ff1940ca8c3b92ea4f86a5ad2e4792d6f00b533abf7a9e876573826a0
-
Filesize
192KB
MD5a8a892a1980b43c2275c941fac437e64
SHA1d97b1db5da698cf729bee39ae9fd44f32d5945df
SHA25618d77f97efbcc72cd0432dd65c2235f3506c80df029114f1972e0311cda59d08
SHA51218ba44ac7b15c92798158bdf57535b285c7060abbf64afc650a0de0c6b5363afb8637de644faf5b52a178771b7631143002952cbe9d69be55714051e0c9e56d3
-
Filesize
192KB
MD51f7c0baa74f208d6ba585bc94b8f3a02
SHA1eded7d47e4e7e70aa7f1539343125dd082750085
SHA256c0520c5237136d160286c4e448744b17d0b810f3b56d6d38fda24e18ce135301
SHA51220aeea5f0bd49282ff8ceee1ed107bcb629984340b932e2bdc7151598ae5afc841740580352d8eccde2726084f23de435d77502a92c4de37e69cdc1a6567d4e7
-
Filesize
192KB
MD5becff18304c25c2b5c2282f011a28913
SHA15960c4dc1b359d110e7707bc9bb48f0f5c6f132b
SHA2567efc9e870d5edab42d1c6bc78ab9b1ae06b59f8f1905385de34ee257273d46fc
SHA512efa18620a60cb5e16946f2e9273ba676bcad34067292be714680289aaca42d63f403c1473819584ed2f777f594faa07d111919e1b15c11a850d298c6a555be35
-
Filesize
192KB
MD51ac7a77d653aca86a78ab27ed3e644a6
SHA1434c9c5f4b4fc7faefacc9c2b7d9da00463c87a9
SHA256f917cd97b9fff27d9caed7f83345b8d41af99a3fb85b8132fdf77ce04f0ccbad
SHA5126f48895214d2aba82ddba47e33a16d42ec70d4e75179adae7c850869453ee4852044dd46f5998c535fe4a2de88762238aec7c92d15c1d26e7b4819bbdc205f80
-
Filesize
192KB
MD5bc02e195c389f4382d53911f9c8fe590
SHA194cd144ad6ea49adf1cd5a0b13c69413397ab8a2
SHA25615b0a6048693e0bff1937a9c4f7d109c58188c552ad91cac64a557bbcc982e1e
SHA5124678bf30c06cdd7a0127dbf557084af29bc72802527f842212a9d72ef689384a87b0bf98a5a45248fd246f342cd9300e3681305d4f09d2b98275e4c28d18f245
-
Filesize
192KB
MD5a24e534c8197d68bcfb62013905bacc5
SHA144e0c9529d00ed7bea5c64958d5351cfadc0bb94
SHA256c53bc325b5aaf5cdbfe0ed02795901063e3b78a8f83f42dd2266e875eb17d4a2
SHA512fa3d46d7c9ba4f9495638ca4c844b330dfd79cf5a462a61ddcaec89f41e81e7852f8a0a6581e676fe1f132b62941e8453413ed3eae8b0d50c719ff4dcf0422a9