Overview

overview

8

Static

static

3

22d74fe2a8...8d.exe

windows7-x64

8

22d74fe2a8...8d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    07/07/2024, 19:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe

  • Size

    408KB

  • MD5

    bdcc607a2cdf3f6c710bcf7fc8477ee8

  • SHA1

    0b7c8e8ecab3d7bd522347cc8456f0c4ccfbf1be

  • SHA256

    22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d

  • SHA512

    b53ba2922964ae4b9363368adeca061698064238652edb0e16457c145276e853aeeb631f5325a15b117b5867f7ae66462749f59268a10231e24b3a8fc7ebb6f1

  • SSDEEP

    3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGHldOe2MUVg3vTeKcAEciTBqr3jy9

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe
    "C:\Users\Admin\AppData\Local\Temp\22d74fe2a82b7d6831a87754853b5ce6086b820d968491f77504cf1facd70e8d.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\{699AD3BD-6C1A-41ee-99A2-2440EEE33F0B}.exe
      C:\Windows\{699AD3BD-6C1A-41ee-99A2-2440EEE33F0B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\{C478288C-E356-4fbc-99F5-58AFA3699D0F}.exe
        C:\Windows\{C478288C-E356-4fbc-99F5-58AFA3699D0F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\{1F38ECC6-98E9-4cc9-B8E3-3F35A5AC4686}.exe
          C:\Windows\{1F38ECC6-98E9-4cc9-B8E3-3F35A5AC4686}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\{2C6CB159-27D6-4659-9609-6CA83C24FD51}.exe
            C:\Windows\{2C6CB159-27D6-4659-9609-6CA83C24FD51}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Windows\{A626D0A3-1E59-4c07-9FC8-FF2300EE4C66}.exe
              C:\Windows\{A626D0A3-1E59-4c07-9FC8-FF2300EE4C66}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2844
              • C:\Windows\{1568D133-02C7-4099-99C3-B351FEC6A185}.exe
                C:\Windows\{1568D133-02C7-4099-99C3-B351FEC6A185}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1968
                • C:\Windows\{951F8FE3-4CF9-468e-A320-024FB6E418CF}.exe
                  C:\Windows\{951F8FE3-4CF9-468e-A320-024FB6E418CF}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:292
                  • C:\Windows\{27E16512-A2E2-4e47-B905-0DBD91DBAD90}.exe
                    C:\Windows\{27E16512-A2E2-4e47-B905-0DBD91DBAD90}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2704
                    • C:\Windows\{8EBCF102-23EF-4330-AFFF-9C47534B2B36}.exe
                      C:\Windows\{8EBCF102-23EF-4330-AFFF-9C47534B2B36}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:884
                      • C:\Windows\{CAD8014F-37A0-4e45-ABFC-7C284586A0A7}.exe
                        C:\Windows\{CAD8014F-37A0-4e45-ABFC-7C284586A0A7}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2936
                        • C:\Windows\{175EBF0D-3676-47d7-95E6-EF69690EBA99}.exe
                          C:\Windows\{175EBF0D-3676-47d7-95E6-EF69690EBA99}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CAD80~1.EXE > nul
                          12⤵
                            PID:1480
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8EBCF~1.EXE > nul
                          11⤵
                            PID:1576
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{27E16~1.EXE > nul
                          10⤵
                            PID:624
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{951F8~1.EXE > nul
                          9⤵
                            PID:308
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1568D~1.EXE > nul
                          8⤵
                            PID:2404
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A626D~1.EXE > nul
                          7⤵
                            PID:1920
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2C6CB~1.EXE > nul
                          6⤵
                            PID:2848
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1F38E~1.EXE > nul
                          5⤵
                            PID:3024
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C4782~1.EXE > nul
                          4⤵
                            PID:2536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{699AD~1.EXE > nul
                          3⤵
                            PID:2660
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\22D74F~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2824

                      Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Windows\{1568D133-02C7-4099-99C3-B351FEC6A185}.exe
                              Filesize

                              408KB

                              MD5

                              c201d0b835791bcadea0113fcaeee1bf

                              SHA1

                              e341e8502d0d2a4f50a9ddc83aba6047d5fc5281

                              SHA256

                              edd267db8be27e981ebaeb65ede0ceffcc18e57c38c4c49af7e90ff1f8699275

                              SHA512

                              1e10770075142b2214b0db8f36d4b318be4781d11cec68a8f50b9226c3eff52568eb01af8d10149fec77dd28b815cb0c49ff8149e83fb9af04e20f1f60a49812

                              Download Submit

                            • C:\Windows\{175EBF0D-3676-47d7-95E6-EF69690EBA99}.exe
                              Filesize

                              408KB

                              MD5

                              ca1ea07f74a3f4ebcfe7c1c7116ff517

                              SHA1

                              3af428329f2ba7abdf63f1f897226409d69b12a9

                              SHA256

                              aaf2eda4a89bf581407efecc0a8a2a42368d9fac21043fa168826b57e8f770a1

                              SHA512

                              6cc187ab576e897c4ea142fcbe61726c8fae2079e43a425008baa98b00888b420e4e67a7582ebf9e62e239c47811915f7744ebb22ea66879df878def07de70f6

                              Download Submit

                            • C:\Windows\{1F38ECC6-98E9-4cc9-B8E3-3F35A5AC4686}.exe
                              Filesize

                              408KB

                              MD5

                              1860753aa1c053182a939fb381312276

                              SHA1

                              a4ea3a2d19816b6ad40db8062ef15325cd2edcbe

                              SHA256

                              1e0f885d2717ed8b0405aed002d646f63723a644a64ebafe3ac972e7162deeea

                              SHA512

                              df277b79ee21a6c156663b6da7604dbb9bd705373a8be9292e084a25948859d8d99ec44af87533458fa43fb7931c030b68b6cb5335a66fc042b10f51e5e6cae2

                              Download Submit

                            • C:\Windows\{27E16512-A2E2-4e47-B905-0DBD91DBAD90}.exe
                              Filesize

                              408KB

                              MD5

                              366cb5a3648b857ad336880e320621fb

                              SHA1

                              8161557ede64a312902bc9923045ff7bb12a72c9

                              SHA256

                              efd6fb18ed90a8a95a9e0aec75c3d82e1d278285855c3acb9e098f912dd9f213

                              SHA512

                              9ac1756789cb9f8514f2174042496bfe1e1df69942638bdc98ac7014be60b597f18a5665d13e271b3d8c92a47798b66e0ae00b5c41977dfefb75beeb33a43b4e

                              Download Submit

                            • C:\Windows\{2C6CB159-27D6-4659-9609-6CA83C24FD51}.exe
                              Filesize

                              408KB

                              MD5

                              0ebfd0ebebc5c8a319e3d4c7d8ceaeab

                              SHA1

                              a0a3f1fba79e1040122b46678247ef39ffe19f45

                              SHA256

                              18c9318ae25d07514f4271ea0ac0300ddd375225ba30272c94766f4358f3488a

                              SHA512

                              005b5fe74ecbc90d387493f6c28b1174fd69c68883fa42bf7b4ed912c0258cc8db2bd7121231a41393fdfa4cdc8594523aea3ce394767af7b8e1c4f2f087c29b

                              Download Submit

                            • C:\Windows\{699AD3BD-6C1A-41ee-99A2-2440EEE33F0B}.exe
                              Filesize

                              408KB

                              MD5

                              9079206c6e7675846d06d99c7e8949ae

                              SHA1

                              3e3aebf03fabd56a4f9ee62afe8cbbb067daca24

                              SHA256

                              4898fd26bd9f72168100348997c772b7a0f1d92d63f1af969218d4875ad906f7

                              SHA512

                              b0947a48c5bf96dc0e28b2f6c9372a35fa54e985da9ae9e843aa3f4f112e6c00f779694ebf994660a1e979709cd39a0f48725c2b441a56e0051873c8db8a0183

                              Download Submit

                            • C:\Windows\{8EBCF102-23EF-4330-AFFF-9C47534B2B36}.exe
                              Filesize

                              408KB

                              MD5

                              2f7b27030d2048893366c6ad0a59f482

                              SHA1

                              dcfdac2038d5fcca9a5352bae2baeabcd08d8a17

                              SHA256

                              44a10dd9232aa2e63466265bbb0805f657c47b770a88e7a6649f983341632f38

                              SHA512

                              5a5c5000fe74756551de2aebb4af3aa835741abcbe6109fe514c118101646914d93e50d984bcbbdbf90e96bfb256d23092711f1463243cbb982d4312155a462b

                              Download Submit

                            • C:\Windows\{951F8FE3-4CF9-468e-A320-024FB6E418CF}.exe
                              Filesize

                              408KB

                              MD5

                              a2c07cd8a5b48641f103705435099609

                              SHA1

                              458f3bdfe11f1313a26694083c21174548799c38

                              SHA256

                              766e0d5e60c66a08f35da7b0e3ea6467dd0c4441e1d3c3f84e59403e8b6fc375

                              SHA512

                              43d282ee7bf4f0dc1000bc8003a012fd2b1c0cd49ef5ee2b13d7cc8e7811b06de7d0fb2fdbf64b8604ad5ba048a470bdda9f0803fda47e9e63ead09d1d06d5ec

                              Download Submit

                            • C:\Windows\{A626D0A3-1E59-4c07-9FC8-FF2300EE4C66}.exe
                              Filesize

                              408KB

                              MD5

                              9ca4432fc0421f19b7f7bd828e0fb7ce

                              SHA1

                              9384e0996fadacf2b93333311a0e92adce757664

                              SHA256

                              b8dba2d85e81cd931e987ca80a1097b36c05a392d8c823cfe5815b3c3c258bb1

                              SHA512

                              e0957967e1fa2107b10d92f56ca0fc1b3a3886a682387c1515bce6b35e84f35e6840569c78d5f5955c05ea7e3c69158c6a117e870762e94ee76d9f4362a6296c

                              Download Submit

                            • C:\Windows\{C478288C-E356-4fbc-99F5-58AFA3699D0F}.exe
                              Filesize

                              408KB

                              MD5

                              10d8aa2988e813bd57d48f81df896ae1

                              SHA1

                              131578112997dbe8aa81ea552bbcfc5b8c0213e8

                              SHA256

                              f6097964c063c0b8e62a0d4a582aa6a35d9a1658b003c00dbf81a08f198ac52c

                              SHA512

                              90c8f024684c5959cd14e8c3ae7d6b3276d14d6674cad552e23b2bc33b9a54f1961001f91998bafdc200e09e99f9282c468c29ed9b3c01a5cd06428dec5351f6

                              Download Submit

                            • C:\Windows\{CAD8014F-37A0-4e45-ABFC-7C284586A0A7}.exe
                              Filesize

                              408KB

                              MD5

                              ba3dae6b4b3b4d54cb864d20ff58f84f

                              SHA1

                              fe660e30c9b5b309db8204964d8a7abc12e32311

                              SHA256

                              9aff5a9e315106b2f93cf3e76baf914a97ede8a3ed8308e70acf7922cb78e597

                              SHA512

                              46ee13c0bbf9a85073de09338cea6f5b83578f8d1cc9e65403a13a43a24fe11c732d9b60704c067254f53b90b5c307ef46d8eaf91dae7070b2bf6c5e4be2610b

                              Download Submit