Overview

overview

8

Static

static

3

3456fcd08e...0N.exe

windows7-x64

8

3456fcd08e...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 22:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3456fcd08e30b68e60adfb014d46ad20N.exe

  • Size

    103KB

  • MD5

    3456fcd08e30b68e60adfb014d46ad20

  • SHA1

    475573463ee3527e26fdac3c9c63bd7edd556b42

  • SHA256

    20992c292fbc5a9bb246c7a0f1e69c12502944c86d814772f1c9a37c8b2e937c

  • SHA512

    8de4b45d2d796183f9840d94e79128041ec5d6244711922a276e52f6a5448236f5d047311d7ccd64dff2ce81a780c7770b260aafb6ceafe3cfd5b79f67c3af80

  • SSDEEP

    768:Qvw9816vhKQLrod4/wQRNrfrunMxVFA3b7glwRjMlfwGxEIU:YEGh0odl2unMxVS3Hgdor

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3456fcd08e30b68e60adfb014d46ad20N.exe
    "C:\Users\Admin\AppData\Local\Temp\3456fcd08e30b68e60adfb014d46ad20N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\{D4EA7F14-6899-46c0-8011-25DE4B94B0BB}.exe
      C:\Windows\{D4EA7F14-6899-46c0-8011-25DE4B94B0BB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\{5CFFE85A-8AAF-4b6c-BC8F-2EB9BF6BA16E}.exe
        C:\Windows\{5CFFE85A-8AAF-4b6c-BC8F-2EB9BF6BA16E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\{772931E2-F91C-43bf-8EB7-2DD48CA2B4F0}.exe
          C:\Windows\{772931E2-F91C-43bf-8EB7-2DD48CA2B4F0}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3376
          • C:\Windows\{4C9D5CD5-8B79-42a4-A3AC-B16F9BDA0FA7}.exe
            C:\Windows\{4C9D5CD5-8B79-42a4-A3AC-B16F9BDA0FA7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1124
            • C:\Windows\{F46DC5FD-D019-4c79-BC12-E8250192809C}.exe
              C:\Windows\{F46DC5FD-D019-4c79-BC12-E8250192809C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2104
              • C:\Windows\{ACFDC4C2-EA66-473b-B43B-162D9DC5D7D3}.exe
                C:\Windows\{ACFDC4C2-EA66-473b-B43B-162D9DC5D7D3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4036
                • C:\Windows\{3AD2C1FE-18B4-471a-B4C0-D9733F091F33}.exe
                  C:\Windows\{3AD2C1FE-18B4-471a-B4C0-D9733F091F33}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4124
                  • C:\Windows\{139ADC0D-9A81-419d-A4E2-49D9B6D64C09}.exe
                    C:\Windows\{139ADC0D-9A81-419d-A4E2-49D9B6D64C09}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4456
                    • C:\Windows\{C004E629-C2E3-4228-AA67-5ECC1B50C0B0}.exe
                      C:\Windows\{C004E629-C2E3-4228-AA67-5ECC1B50C0B0}.exe
                      10⤵
                      • Executes dropped EXE
                      PID:4664
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{139AD~1.EXE > nul
                      10⤵
                        PID:1776
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3AD2C~1.EXE > nul
                      9⤵
                        PID:2168
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{ACFDC~1.EXE > nul
                      8⤵
                        PID:1040
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F46DC~1.EXE > nul
                      7⤵
                        PID:3280
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4C9D5~1.EXE > nul
                      6⤵
                        PID:4596
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{77293~1.EXE > nul
                      5⤵
                        PID:2608
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFFE~1.EXE > nul
                      4⤵
                        PID:436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D4EA7~1.EXE > nul
                      3⤵
                        PID:5076
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3456FC~1.EXE > nul
                      2⤵
                        PID:1128

                    Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{139ADC0D-9A81-419d-A4E2-49D9B6D64C09}.exe
                            Filesize

                            103KB

                            MD5

                            ee98bb7c822d0383372c0447d3f2d90f

                            SHA1

                            48225b7ef6532fe0ad12de26d2b8056bcfccb49c

                            SHA256

                            7f66f39b17c22586a973e0e331cbab1b5ac5a8ee55c87be5fe7f75df1c6e8ece

                            SHA512

                            675877d953a32b54f2ac3a79d6baabe954bda4cf969c06582cece20aa002744cd30b1df0016044432c355d436990f4260083293663a11ea3c6fa5214cf21d2ba

                            Download Submit

                          • C:\Windows\{3AD2C1FE-18B4-471a-B4C0-D9733F091F33}.exe
                            Filesize

                            103KB

                            MD5

                            19548c49928b53802dc5c1dc0d732439

                            SHA1

                            85e427daa061792cc008fd9677f45b5b15f6cdd4

                            SHA256

                            ff295594a7bff6c5853f6775aadc3336c095bb765a34035886fe2f4f90070fd7

                            SHA512

                            5afd9bf4dea2a675d751e08d896617e73cb20f4e814dc944a7dae827f4e6bb3fd0e1865f243c424069c62d0322ae050cfe86a1606c1cc2ff63285834c9d02ea0

                            Download Submit

                          • C:\Windows\{4C9D5CD5-8B79-42a4-A3AC-B16F9BDA0FA7}.exe
                            Filesize

                            103KB

                            MD5

                            16c523f4a5822f13b3a087eba8b1de49

                            SHA1

                            86bf9325060f7b57d15cbd114dd9d1ffd1c6e406

                            SHA256

                            1b240091b48c8f5b9738fe60fc16a8b2995e780004bfa4053f0159e3fab1f3c9

                            SHA512

                            92060ee248a73899678df1ab949067965777893fb6ad19ea06c97594e3372ab031061a32090e208ecbbddb10c01250c37a9148bdf6fb3f171f663c25eb2d43f6

                            Download Submit

                          • C:\Windows\{5CFFE85A-8AAF-4b6c-BC8F-2EB9BF6BA16E}.exe
                            Filesize

                            103KB

                            MD5

                            b48b0c3f9b98262e0405347e37166555

                            SHA1

                            deb98d0e7ec44432a48c5bf407559820a4771d7f

                            SHA256

                            8e9d0d0e809c640096a5bf3c4ca4151174f2d5603c92b2cb9a1cef7726cdf47e

                            SHA512

                            8b36548070179cdf1a92557e631453137da97dc909f0394ab2deb6430743f01f8b4d884583520237d6bd91157afb0b85f90f045bac9be32bc924b2760f7b7a7d

                            Download Submit

                          • C:\Windows\{772931E2-F91C-43bf-8EB7-2DD48CA2B4F0}.exe
                            Filesize

                            103KB

                            MD5

                            0ab0d0ff8a5d6ce691a8f430e8942a41

                            SHA1

                            accad25fcf22c296e30f7cd1a454f65c019795d2

                            SHA256

                            a9181158031a1d8c5de11c389780a6a315dc9bf94af6254cca7638b9aa0d7694

                            SHA512

                            4d771e5590e7904bfb34e895e66a05e50871e0b5785aee26a235fbf0c55bee6bea52aca01c7cc99a5279e0b0a7f397f8e5ac333cf0b503f72aed72234662fc23

                            Download Submit

                          • C:\Windows\{ACFDC4C2-EA66-473b-B43B-162D9DC5D7D3}.exe
                            Filesize

                            103KB

                            MD5

                            107726d473a132c4e9864abca072ce68

                            SHA1

                            b33d7aedd32be64d0efb574ac674893da2f3f601

                            SHA256

                            5a6ec5e28f7259d3cff9b7bd39434c2cb1d67d8376c7748c9c84ea8c82ce54ca

                            SHA512

                            461a57d89101c9bf724df25ea244b201d6b9841f104aac1244987e09f29db53c1eb30ae8f100a29e4a15614d8eff30a8ab3fa43fe642e7cde5ed2db7af47d8b3

                            Download Submit

                          • C:\Windows\{C004E629-C2E3-4228-AA67-5ECC1B50C0B0}.exe
                            Filesize

                            103KB

                            MD5

                            e0a1be81c4aaeecd6e11b9579328c075

                            SHA1

                            83d2ac5117764956c0c8512936c95af157cacf22

                            SHA256

                            8f35bb76b4ca67150db426c1aa1e15ff174968430883ac01a2c02c14fe4e5173

                            SHA512

                            2e9d762ebb897a15f325db4e7d9cd63118e607abf710eb04bd13af8cdb5467b4c6195e09b216c8f62f1a85353401b1b46f7ebba563ac028e9edcefabad1901d0

                            Download Submit

                          • C:\Windows\{D4EA7F14-6899-46c0-8011-25DE4B94B0BB}.exe
                            Filesize

                            103KB

                            MD5

                            f82969b66b5c3942c2317922efce1420

                            SHA1

                            6410741830326d29bc9a765bdf307c867fbc9820

                            SHA256

                            88fea3508cc1b3627abaf208d867336b5c34604b6a9b9519f64bf68442240c42

                            SHA512

                            79dc7275d6b235c6d7717bfbf0e00b13fb6d50e3b6592cf40ffc9db3184ba9e3f8691f7c17a4dcdde51edcc209adc449ccdfc6bf873f5a9c5725632fffef7778

                            Download Submit

                          • C:\Windows\{F46DC5FD-D019-4c79-BC12-E8250192809C}.exe
                            Filesize

                            103KB

                            MD5

                            0d6e4ebda64a5a3bdceaec10d7d183d0

                            SHA1

                            614b804729350742bb726c2efcdf5005ad0264c1

                            SHA256

                            e90c58807dca53d7b3b166dcc35654fdb03c292932ff80b17a106e6ef6504915

                            SHA512

                            2227a105e3ebb1142515e9b4a6c6e8b29b8cfac00bbe6ae46dc983c80bbae8499e44e415b80d49d1a84de4de922a204c3ec24c747b2bb199dc8b7346b8df0e85

                            Download Submit