Overview

overview

8

Static

static

3

09f082c694...a0.exe

windows7-x64

8

09f082c694...a0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    07/07/2024, 01:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    09f082c69446df67be07b5d5bc4944a0.exe

  • Size

    60KB

  • MD5

    09f082c69446df67be07b5d5bc4944a0

  • SHA1

    8714261efa16652b050a4079b6d4a215422ac939

  • SHA256

    39f02f4a8ee5e1561d78e278f9d91a3eeeb4e7b9533a4d537c8a20b24dc61767

  • SHA512

    fd976bf5201c67b6f3fa7e08a1e892c24c57978b717fdc4e175c29809693b84eee6937f44390988c32b2eff3a5eaa462f36e04d40a74f873c2cc79ff2aa3c305

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroO4/CFsrdHWMZ:vvw9816vhKQLroO4/wQpWMZ

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09f082c69446df67be07b5d5bc4944a0.exe
    "C:\Users\Admin\AppData\Local\Temp\09f082c69446df67be07b5d5bc4944a0.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\{AFF4A6DD-C423-4226-9B61-791B84647F3A}.exe
      C:\Windows\{AFF4A6DD-C423-4226-9B61-791B84647F3A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\{D61B949B-0861-4b64-B29E-C49C053B7820}.exe
        C:\Windows\{D61B949B-0861-4b64-B29E-C49C053B7820}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\{D8CA08FF-1325-42e1-ACC0-C9B3F8B8AAF2}.exe
          C:\Windows\{D8CA08FF-1325-42e1-ACC0-C9B3F8B8AAF2}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\{0FEC7F26-31BA-4296-B2D7-A3C36773A02A}.exe
            C:\Windows\{0FEC7F26-31BA-4296-B2D7-A3C36773A02A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Windows\{E46526FA-C272-449c-B54B-5F1DC680081F}.exe
              C:\Windows\{E46526FA-C272-449c-B54B-5F1DC680081F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:560
              • C:\Windows\{BE6DDE0C-7050-43b3-88F8-F92A6F21268C}.exe
                C:\Windows\{BE6DDE0C-7050-43b3-88F8-F92A6F21268C}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1940
                • C:\Windows\{56FE662E-AECE-41ac-89A2-9D9513618BC0}.exe
                  C:\Windows\{56FE662E-AECE-41ac-89A2-9D9513618BC0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1852
                  • C:\Windows\{7E902DF8-9481-49d4-A603-C9CEF44E2656}.exe
                    C:\Windows\{7E902DF8-9481-49d4-A603-C9CEF44E2656}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2320
                    • C:\Windows\{239AA8DD-1A81-4b31-BAEC-120983EE19A8}.exe
                      C:\Windows\{239AA8DD-1A81-4b31-BAEC-120983EE19A8}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2172
                      • C:\Windows\{8AA02673-86A9-47b4-8ACA-DF0DCCF5E303}.exe
                        C:\Windows\{8AA02673-86A9-47b4-8ACA-DF0DCCF5E303}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2900
                        • C:\Windows\{B5DBF45D-5AC1-4095-8233-8597DCC31FF6}.exe
                          C:\Windows\{B5DBF45D-5AC1-4095-8233-8597DCC31FF6}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1308
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA02~1.EXE > nul
                          12⤵
                            PID:1092
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{239AA~1.EXE > nul
                          11⤵
                            PID:2276
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7E902~1.EXE > nul
                          10⤵
                            PID:2812
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{56FE6~1.EXE > nul
                          9⤵
                            PID:1508
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6DD~1.EXE > nul
                          8⤵
                            PID:2408
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E4652~1.EXE > nul
                          7⤵
                            PID:352
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0FEC7~1.EXE > nul
                          6⤵
                            PID:1836
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D8CA0~1.EXE > nul
                          5⤵
                            PID:2304
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D61B9~1.EXE > nul
                          4⤵
                            PID:2604
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF4A~1.EXE > nul
                          3⤵
                            PID:2668
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\09F082~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:3024

                      Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Windows\{0FEC7F26-31BA-4296-B2D7-A3C36773A02A}.exe
                              Filesize

                              60KB

                              MD5

                              b7b09fc6e74b1aad88dcf7add08d298c

                              SHA1

                              f4c8173cf021a6e3191e3d40b34fad8496394b78

                              SHA256

                              cf7c72540dca227c4f7afa9eb30bc60347709e71979d2e521c57cfbeed198f8e

                              SHA512

                              16efbd15a617326c1fbc837f19f13765c33484c115c39c128b603fb95d7a0e83036db28cbb05ce053ffe6969cad5a246ade2ed4211c859e935616fae1ee5861e

                              Download Submit

                            • C:\Windows\{239AA8DD-1A81-4b31-BAEC-120983EE19A8}.exe
                              Filesize

                              60KB

                              MD5

                              988152181013cd882fec8d6c07c5b473

                              SHA1

                              292ba309c14948eb0ce1bc309333912c53b2fda8

                              SHA256

                              c90e3c347cfd0fecd30b1e5bfe0ebc83c9d8a1677078c5c1ba597994bd2141ec

                              SHA512

                              8ddaa59fa6a39dbd70e9e73b0e8cee29a5375c79cb3c4b783fb9d713af458ffba28704dca07266bf59c68c1d1b5a91a4640c3491d28b16c867f02a456308ce44

                              Download Submit

                            • C:\Windows\{56FE662E-AECE-41ac-89A2-9D9513618BC0}.exe
                              Filesize

                              60KB

                              MD5

                              653e581c8499f3ec0700e644b8cf632e

                              SHA1

                              89e021c03e9037496c4212c6344860060fb73556

                              SHA256

                              711786f264aef05baa2fb0209fcb051a0017b413b0eccf54e36c055390db6380

                              SHA512

                              19bcbf15721ba4ed5264f0167e9fc886957c45e2d6f5911376005da0cadd729478cb1d8baf6364cf61701e3a2461f671f9e4fb4b21c63f4da2aec93f85c75588

                              Download Submit

                            • C:\Windows\{7E902DF8-9481-49d4-A603-C9CEF44E2656}.exe
                              Filesize

                              60KB

                              MD5

                              126e7e75e41e2bb4f8df6fb46f5d26e7

                              SHA1

                              e7bd1046d9b5e6d4f5f03e76fe31118fa7e75886

                              SHA256

                              e8dea065a1a4d688728738a6e0734b9683de02c201ab37e7909b14141de26edd

                              SHA512

                              d456457cd0e2570a381fdcf718dd61b4242a602d7251a56d7c043265797b985446ed25c73a83c76f6a744c096da5820ddf1095de685d6c6244f32081241b789a

                              Download Submit

                            • C:\Windows\{8AA02673-86A9-47b4-8ACA-DF0DCCF5E303}.exe
                              Filesize

                              60KB

                              MD5

                              68c5e908ffe9e651b1f0724123a68d68

                              SHA1

                              925dc5952d73f621326a680b05be71505f88817f

                              SHA256

                              c12c9ce40b51c5bb1d56095b32e11a85d149505af6e983cc4c59000ec2e2f406

                              SHA512

                              7c17f74b76c1d21a23667a0a06a069e0b39be80a152132d885d6cbd698cba5044f7f5d7bdb9955947566ec100a5adc45f0f5d3a856d48fe3ac08e822115122ad

                              Download Submit

                            • C:\Windows\{AFF4A6DD-C423-4226-9B61-791B84647F3A}.exe
                              Filesize

                              60KB

                              MD5

                              4371ac1167ca3f4d292b7cb872042ceb

                              SHA1

                              4e70763b1f5f593e78902ee50edae90213b4c8ed

                              SHA256

                              80ce4986764f43f5101bf4974620230d7b180a482b729e96deff59f50f00f2d7

                              SHA512

                              501d254a4360dd0db0a09deba46cb6fd82834afed002f5fb06c24353813883e46d8620278ecbd73fe94e8007215ecdf7e9288551bf45aacb9ca7b0654f3dd816

                              Download Submit

                            • C:\Windows\{B5DBF45D-5AC1-4095-8233-8597DCC31FF6}.exe
                              Filesize

                              60KB

                              MD5

                              7de674463ca9b80fc6821aa9fa94b29c

                              SHA1

                              da72fc07f982693f526504a4f105f3f80770c60c

                              SHA256

                              81720d464bde547ee2a981f89203bbfc811854266208950a019dacb5e1dafe27

                              SHA512

                              e7cf4e63a77d30e5e65d96c232236c4a4f696b04a3c4e3a394389435405323d3f867d523a85a1643a862d021b5525924ac0c548576282fdf08195389b9304868

                              Download Submit

                            • C:\Windows\{BE6DDE0C-7050-43b3-88F8-F92A6F21268C}.exe
                              Filesize

                              60KB

                              MD5

                              18c0a363a47dd358bbade656428e5f8e

                              SHA1

                              4f05638db7336210bfa3d4981283e43f3fe12804

                              SHA256

                              633d5eb0044d54565368f6801957ce8a617c134071d9556540250ae8143bf626

                              SHA512

                              9a08b0378e8d993a0d71314ff2cf00b6a2ca013d38c6ff554c943837d593fe929ee48c0befc0680ce3cebbc3512edfcb516a56ea6a986386b1e96c5235eccebb

                              Download Submit

                            • C:\Windows\{D61B949B-0861-4b64-B29E-C49C053B7820}.exe
                              Filesize

                              60KB

                              MD5

                              26e8487838a8ab69da3ad0b95cfb161e

                              SHA1

                              d2202b9d618392eb4760abb0ad6921db0c8160b6

                              SHA256

                              7a73cc47ea37273903dbfde82f878c79232c2e85b5b10c3c8eb94f8a66b821fb

                              SHA512

                              19b3257f99d59ef073097a1042ab459f133014bf2eb6f6c765c1d428c8be2d1c9e2f4032b6ac121a6abd71a4eb913722753a1c36a0366cc9f7938f9db93f5671

                              Download Submit

                            • C:\Windows\{D8CA08FF-1325-42e1-ACC0-C9B3F8B8AAF2}.exe
                              Filesize

                              60KB

                              MD5

                              9711484df8aca3199849f9e91295f795

                              SHA1

                              c98d762cae2b0fc062cf4bc6c158b45a1fe47c57

                              SHA256

                              4ad38c9c0ae778b716f4132b6e8a6e919c5fd8306b7c5089e053c82d4d703f8b

                              SHA512

                              c1492e8b3e7ad963227a84631139e02f8084f72bc54fc4d2224b26c74c62014ce2273ea6dc383057cbbd988d35ae2df636a7be7b2a3ea9ec54d89e38810ce5d9

                              Download Submit

                            • C:\Windows\{E46526FA-C272-449c-B54B-5F1DC680081F}.exe
                              Filesize

                              60KB

                              MD5

                              511328a624b30252a579ca1491e751ef

                              SHA1

                              2f53bb84377f200f5fdfa275ff5e84b89b923c2d

                              SHA256

                              05eca5773816a9cd7827178be1a36d2a7e0bad3620ed3960a5e00abc051464f6

                              SHA512

                              7aa273c6ab9fba544200ff3a0c7114f31ee55b7643bbbd7a0a0017e687e27a9d8a4df90ee9024ab3404744d9474759460d9fb6f196f092a70e9c206678d7172e

                              Download Submit