Analysis
-
max time kernel
118s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
20/07/2024, 00:12
General
-
Target
270a09b8b447549ea62b9817438fc680N.exe
-
Size
90KB
-
MD5
270a09b8b447549ea62b9817438fc680
-
SHA1
dd3327be9eb90fb8ee4160f31e85294f0bb9a44e
-
SHA256
90a87ffa30f01f3c31d3fdd692d6badb289f9e156007d588cc10df20379113ee
-
SHA512
587674b9967ba9faa3e0138a3b0f0b668497cb755e6a8c4969ef4302536886b66bd87222221dbcfd043c92df3c01a9bebf7ae7a0fb84e2cd3440e53d73bc1247
-
SSDEEP
768:Qvw9816vhKQLro/4/wQRNrfrunMxVFA3b7gl/:YEGh0o/l2unMxVS3HgR
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 9 IoCs
-
Drops file in Windows directory 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\270a09b8b447549ea62b9817438fc680N.exe"C:\Users\Admin\AppData\Local\Temp\270a09b8b447549ea62b9817438fc680N.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{35F8D1ED-EDC4-45ec-84D3-948D80CBE77D}.exeC:\Windows\{35F8D1ED-EDC4-45ec-84D3-948D80CBE77D}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BF1F7909-7ABE-4dc4-B85B-2A5C9F76600E}.exeC:\Windows\{BF1F7909-7ABE-4dc4-B85B-2A5C9F76600E}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5F6242BF-7F7D-4b95-8C8D-9A063790F2F5}.exeC:\Windows\{5F6242BF-7F7D-4b95-8C8D-9A063790F2F5}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A2A047CA-161B-4df0-989A-D63D0E02AB2F}.exeC:\Windows\{A2A047CA-161B-4df0-989A-D63D0E02AB2F}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9E041AD4-DBF1-42dc-8B93-350EDC2422DD}.exeC:\Windows\{9E041AD4-DBF1-42dc-8B93-350EDC2422DD}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4093A8D4-B176-4847-8B22-B1AC2A94CB32}.exeC:\Windows\{4093A8D4-B176-4847-8B22-B1AC2A94CB32}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{890FF67B-FB8C-4257-8FA7-526601860C07}.exeC:\Windows\{890FF67B-FB8C-4257-8FA7-526601860C07}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{222E779B-C929-4133-9F0C-1AB6B8588C68}.exeC:\Windows\{222E779B-C929-4133-9F0C-1AB6B8588C68}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AB1DD65D-37BE-4fe7-97C5-3EC99780EB38}.exeC:\Windows\{AB1DD65D-37BE-4fe7-97C5-3EC99780EB38}.exe10⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{222E7~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{890FF~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4093A~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9E041~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A2A04~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5F624~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BF1F7~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{35F8D~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\270A09~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD52dead930d57ad75c002632862a7ccf93
SHA1020dbe6c1cc017a9ca9ea435a60f2a202b00c847
SHA2562fadd074e4f18257120ada033331f08a9909da5b665fef962ccb1a93f726f947
SHA51207f7875448cf48916bf84ef8fa914b4719b46a1dc4d0eca71cb06a0762df2ce2a85d40aebce2c64d09f021378eff9f989c841a62335b671af17d694fa1de758d
-
Filesize
90KB
MD50e65e16f3f9d49344839885a66eca174
SHA1f1c2f066c681555a234d34c19d651cf4187487cc
SHA2563e8fded9329b166be74f55d4cc479223e9384b72be28b317de3f3a404374fb60
SHA512d61c8b57d60d0de93464526b0e34e59a6f2c820768dcec38d9f56e81dd7a20c7fd2adc0227109635a4756ef6e2bdf4748bcfbe3af740be0cd80f5f307bb84fc9
-
Filesize
90KB
MD5a9589a5b0e4dbde3149259c5669b33a7
SHA14023e4ee225b5baefc3307228d5fe7f17ab1a191
SHA256326fcbc17a93eb78e0de8212340c2bb0148b9a1a9611bba525c6dcbbae6ce35c
SHA51202e389fe70ac81d9582cfbb411734432abd8d6920101802ec2470aa1a8c75d1d1c62f032e2e6821f2245677c501a552c96afe57386bd9c16ebbf1ad9d03fe815
-
Filesize
90KB
MD5c2a7ce833578d567f44768581719069d
SHA1ed0f456c9ef4fc123f34da9c3147f78773645d26
SHA256f31b5c785703f0ec2eb278a545cf349225cab4ace5fbe66af984311c952f832a
SHA5129071d383cf4863d4c74d9ffda144edba48a3e7793a750b70667f435f274ef4be829d1fcac1b66e6a8b51e8c4d1401ec9275528fb313b2318e057e175698fcf50
-
Filesize
90KB
MD5a1e620db6d9b3d23ca1a33e021df39ed
SHA1d6d3796f4fcdda21a71319e10fb63fcf661fa2c4
SHA2563db27623dcb44a76def76e97870e92d72561eb009367fb42143e436fc784b070
SHA512af19e0194cd82df96f1be4886e5eb039614c28d2a89669ab591f46017810c4d30a8a627da972c1936e0efbed02a42379375533a9c2864dc5a3ca3a9f194fbed8
-
Filesize
90KB
MD5c678e6cdfb4519851d5a4b55c85e485c
SHA177b18c0bf6c27679af815e5cb5859c17bf119196
SHA256892dd7e04c1c9a2e55dc030bad5e64f151373b24842631ef0a0f2a9acef9cf3e
SHA512463e6b6f2c3215fb0a2cd83d382696f559ca61852d6decfa92d96996d38a325f18045b0329f14a128da1968b7cb6d0eaa80336543448c6d97651f079544fbbc7
-
Filesize
90KB
MD5a304b6861bc3989443f098db9407af73
SHA1007d4f4374279218187bb8c95f54f1af52019d1c
SHA256c1c48ad5eee6b16358ece8c9bad3b1cc658d6430ecaff20c268daf5fb4f8be74
SHA51292b68fbc3270e152afea28743de8ba7bcd64cf7d64debcd5b9e72f5acb08ba9ad69919808df24b7ad7f69d5b2617e419c1eece28f6f40e218fcc7f6b4be1d7db
-
Filesize
90KB
MD53a458fcd71181cc19dc591c27ed10a9d
SHA10d30f9757c5d7aa7e8d332c38dbbfa11ee749ff0
SHA256ca3eade265ff9ec6cde44dece03021b5e1ba17e6b6da8ffb8e0fcef614b76684
SHA512ed9b600c461bd80d05f3bac46815d8044c93b9b6dff68a47a2a834d506b2ba9189c49bb34a9735ed43f776b420b7737210930bd1a9e266c8f675bfae1c3d976e
-
Filesize
90KB
MD502450bcc3a9711ffcdd80667d549a3dc
SHA1a7cdde149eb8a7cca355d942ad621ab8e38b1fee
SHA256e868540f6089096662188c22f738f7e006eb7ed5e469dec25577ff87d17ec089
SHA512dfbc240b460a9be10560b87427899e6300ed86593c075e5ffd6adce205c0f8527696cd2d0deace3ec8fd0e1a6156b9e4da4c2dfa8b4c004d79de16e18f5cf814