Overview

overview

8

Static

static

3

c74b3ea314...b1.exe

windows7-x64

8

c74b3ea314...b1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    05/07/2024, 03:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c74b3ea3149a236a727a0567e6cb3bb1.exe

  • Size

    344KB

  • MD5

    c74b3ea3149a236a727a0567e6cb3bb1

  • SHA1

    83a35334dc3f651c27cf9388596f33d1d96a7a3d

  • SHA256

    9a822e4946ec6848bed838e5642dfceebe0331efafa740a063b265cbc5428526

  • SHA512

    a56be4868f27aef1b267e43dbc2b10ccb573ba4fa5b2cea2ce4e684a0de4422c9f4a02c8074b4b48b4552c42fb7a58c3e2e9d239539695f98ef9f18ff8fb0f68

  • SSDEEP

    3072:mEGh0oGlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGUlqOe2MUVg3v2IneKcAEcA

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c74b3ea3149a236a727a0567e6cb3bb1.exe
    "C:\Users\Admin\AppData\Local\Temp\c74b3ea3149a236a727a0567e6cb3bb1.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Windows\{11067962-299C-4b20-8452-60C6ADB23246}.exe
      C:\Windows\{11067962-299C-4b20-8452-60C6ADB23246}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\{F99F9D7D-1736-4758-BEEA-FC1F7AFB84CD}.exe
        C:\Windows\{F99F9D7D-1736-4758-BEEA-FC1F7AFB84CD}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\{EE9956D4-157A-43cf-9462-6AF1A409C973}.exe
          C:\Windows\{EE9956D4-157A-43cf-9462-6AF1A409C973}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Windows\{94970598-2693-4a7c-BD5F-CB4D35C508C7}.exe
            C:\Windows\{94970598-2693-4a7c-BD5F-CB4D35C508C7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Windows\{A101D423-EE2A-4618-921A-84DFD239A74F}.exe
              C:\Windows\{A101D423-EE2A-4618-921A-84DFD239A74F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2988
              • C:\Windows\{9268709A-53A2-42b1-A29C-6AB7D1FE7E2A}.exe
                C:\Windows\{9268709A-53A2-42b1-A29C-6AB7D1FE7E2A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1348
                • C:\Windows\{2180A8FE-1AF3-468c-BD38-0B6DF7BE769C}.exe
                  C:\Windows\{2180A8FE-1AF3-468c-BD38-0B6DF7BE769C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2796
                  • C:\Windows\{A54BCC8C-27E0-4f7d-91F5-CA2744E57F11}.exe
                    C:\Windows\{A54BCC8C-27E0-4f7d-91F5-CA2744E57F11}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1412
                    • C:\Windows\{C4B00F63-BE67-4889-A68A-539AF208A656}.exe
                      C:\Windows\{C4B00F63-BE67-4889-A68A-539AF208A656}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:600
                      • C:\Windows\{1E8AF14A-9C09-4259-ABB8-DC9C0A8A1025}.exe
                        C:\Windows\{1E8AF14A-9C09-4259-ABB8-DC9C0A8A1025}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2056
                        • C:\Windows\{16BEE960-BCA6-429f-B9C5-0AA268CC567C}.exe
                          C:\Windows\{16BEE960-BCA6-429f-B9C5-0AA268CC567C}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1E8AF~1.EXE > nul
                          12⤵
                            PID:1936
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C4B00~1.EXE > nul
                          11⤵
                            PID:2288
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A54BC~1.EXE > nul
                          10⤵
                            PID:1632
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2180A~1.EXE > nul
                          9⤵
                            PID:1980
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{92687~1.EXE > nul
                          8⤵
                            PID:1688
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A101D~1.EXE > nul
                          7⤵
                            PID:1164
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{94970~1.EXE > nul
                          6⤵
                            PID:2316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EE995~1.EXE > nul
                          5⤵
                            PID:1244
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F99F9~1.EXE > nul
                          4⤵
                            PID:2604
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{11067~1.EXE > nul
                          3⤵
                            PID:2560
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C74B3E~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2740

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{11067962-299C-4b20-8452-60C6ADB23246}.exe
                        Filesize

                        344KB

                        MD5

                        b64befe692f360de83f830c1e3b8e4e4

                        SHA1

                        898fba019047057167ae9909bab347e489d367ac

                        SHA256

                        f6fb35be7ef8fca3fbda84bede28c414e5e0328f99ff76423979dfd325fba071

                        SHA512

                        399f5fdbe095e412f54e609f7ab899a4a3394f7cc61fb6b223c361d18b8a0201637b577be2928f7735e6b2947cb72c199c56f134d8ddb169162b01c2fac77265

                        Download Submit

                      • C:\Windows\{16BEE960-BCA6-429f-B9C5-0AA268CC567C}.exe
                        Filesize

                        344KB

                        MD5

                        892c56b3424bf3795b20ceb47eaf7440

                        SHA1

                        81ba5af3c7da5ae73812621add9cdd4ab6c0e179

                        SHA256

                        2fd91de486085064d783a502bd6b78929b719a14e3549859e342714678a9bd19

                        SHA512

                        eb91dad2ad9afe4ee365e17bb8d075d0c301a91070a1eb35ea2665ee9813adaa74a55d65f40212150e55aee402780f478ad99737ac16f9b4a0248a2bf5273107

                        Download Submit

                      • C:\Windows\{1E8AF14A-9C09-4259-ABB8-DC9C0A8A1025}.exe
                        Filesize

                        344KB

                        MD5

                        9e9a155d314404db4913e520b43cc735

                        SHA1

                        28a7e75a81e11f6edae1a13e7155b5ff0ed42399

                        SHA256

                        f2cad5ff4ae1140d2cc019de572a254ef3782e49a4972c0d7c8d0cb4b1fdf33b

                        SHA512

                        59d3f42556825a53daa48c175a32b73fcd5cbdb30e3825a0dc6f57c286bb3534a070674234444c38002c5fd74eb12ab6136a003fa419cde3fb5f313af790d19f

                        Download Submit

                      • C:\Windows\{2180A8FE-1AF3-468c-BD38-0B6DF7BE769C}.exe
                        Filesize

                        344KB

                        MD5

                        fa1c7ce1b051ae8b82bcbe449a71e09c

                        SHA1

                        f3778081a32246e3b42b63196f81b639062555db

                        SHA256

                        7d913f16711d0c4c9d87cd25ef1b5e69696498e0fe8d6c0df9cd6d1cba8447b8

                        SHA512

                        efa51d1073a80e9038315380b0cd782359d63d6863e54de06bf84047ab1fee5e76fafab7e82acf74862627e2ded74d0af16b4a03c5f9d5f2015d2517b4995876

                        Download Submit

                      • C:\Windows\{9268709A-53A2-42b1-A29C-6AB7D1FE7E2A}.exe
                        Filesize

                        344KB

                        MD5

                        20c2020bd5b2977def0be6ac9df053d4

                        SHA1

                        f510ea667d27f8e174d98e54bc5d5cfc456405ed

                        SHA256

                        4fff550f757af8ba659bed5a23e92b2ea07ead468b7048acbc6ecf9f0b58f4d1

                        SHA512

                        dbb752ebf78364ad025ab68389c01e7184059608d32fe34fb3696c6d35ee822125e2c41acd6a3a3b34e55dcfa4386105216d248a5225daffaf5b68fe6a7c10d9

                        Download Submit

                      • C:\Windows\{94970598-2693-4a7c-BD5F-CB4D35C508C7}.exe
                        Filesize

                        344KB

                        MD5

                        d5711b674abd704760591da3599a0940

                        SHA1

                        1a8bb3e41a00d4d2edf73883c25fd114ce396106

                        SHA256

                        cb965f2c0e8a55a642fd6faeb3104898e5116eb63d29c7d745a2d0befa32e464

                        SHA512

                        889c118cb52c3a635da1d11fbc81275f32cc7ddb319ab9df5d6649ecc5a81c68853f34667a4f0107e0400df29e93a5608154578d135b477e8dee579ab0d9961b

                        Download Submit

                      • C:\Windows\{A101D423-EE2A-4618-921A-84DFD239A74F}.exe
                        Filesize

                        344KB

                        MD5

                        4a0a7b2fe042d369a6c1fef6834cb9dd

                        SHA1

                        8cc4c622fc5a4f358e3393ee1e25be48a6d108b1

                        SHA256

                        1ea7f720e9d505fdd679bcb1a1b2dfc1d11a7261c1a4b656ae5fcdcd80b23a74

                        SHA512

                        06e3f2f52739fde54ae66116fd4469bd2f996f5d13147543478b924bf3edb31fda43cc768593f29b6c4cf9854b3bda5528415f1d57e9e275a6e3fddcd1c4930d

                        Download Submit

                      • C:\Windows\{A54BCC8C-27E0-4f7d-91F5-CA2744E57F11}.exe
                        Filesize

                        344KB

                        MD5

                        a6a38aaf29731926f60f426ea181fcfa

                        SHA1

                        07086cfb21f6081b5c3a7dd171088a45c09845ee

                        SHA256

                        bc7f4238800c90d21778c564c6f798f39cf35d66fc25a8171673cac261b6ef37

                        SHA512

                        2dafe3529a9cab63895d8135cc0d0a45627e4ab407974c34795f93db5e12ed0f88715bc2be533c2b46ab2b27f4195b01a066dc7f450d56aee1df2e8319d13b6c

                        Download Submit

                      • C:\Windows\{C4B00F63-BE67-4889-A68A-539AF208A656}.exe
                        Filesize

                        344KB

                        MD5

                        11db247008647ebedb7878475825408e

                        SHA1

                        6691dee37f4ddfa815986a06b88e9fc48f8b7959

                        SHA256

                        8b6c2b72f6357e4664a438ee5714bf360195bd74228fad2b198eab9e9711b43b

                        SHA512

                        3943c4a007882ca2579b1c56b8da99177bd17a2ddff73814ad1d6547e8865f7944ffbfb01b8d7a38545631925e46ec63237847c498a526e1a2c75b0ec2a7e877

                        Download Submit

                      • C:\Windows\{EE9956D4-157A-43cf-9462-6AF1A409C973}.exe
                        Filesize

                        344KB

                        MD5

                        03b7c2729c2a63a49729d1d5e4b4f895

                        SHA1

                        64a7bb8667f2b327f29244d16144d25cc1239a7f

                        SHA256

                        803a54f6b32cb3046245c72bce06b2c3ee0f24dcae7d6685985098d22e8c3d96

                        SHA512

                        32c0279c0aac7f9b7123b91d19a7f46a106d0def42816333ae5dc15900025a80acb74fbee84942248068ced11f012982ea2f7380816a04edd7d2746a74851f62

                        Download Submit

                      • C:\Windows\{F99F9D7D-1736-4758-BEEA-FC1F7AFB84CD}.exe
                        Filesize

                        344KB

                        MD5

                        dc36a5554ea2c23c9dea71513304ef90

                        SHA1

                        40f69beb498a6c87b33a18a305bad17c4f1d5379

                        SHA256

                        60c848f4c56844bf4470de05415a7d293edb1e2efba55156ffbb1342b19eb627

                        SHA512

                        1cf4ca01d57d3083b125114c5d620138880a4faa9775506305fad4fb2d576efed7e35285a4626f75f8d3261cd0cd5b8db06ea4766f23ffb92c010f6ddd8152ce

                        Download Submit