Analysis

  • max time kernel
    118s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/07/2024, 02:25

General

  • Target

    57a5f42392490b5dc6d155acf13ddce0N.exe

  • Size

    408KB

  • MD5

    57a5f42392490b5dc6d155acf13ddce0

  • SHA1

    60fae277651370c463a6ef7d3463390c6e16fe0b

  • SHA256

    ca0d835257271e992ea65e53003f1e771a341e7ce821d0e02d4057bbbd039a38

  • SHA512

    2a60fabbfbeb23fbc658921c2f3703dce9cfce18beb318d6ae6c27c6966eefe40c318d61f7e2c1ebf64c76ffe0f56da088eb66566e2cc429fd18a470b8565c2e

  • SSDEEP

    3072:CEGh0o/l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG5ldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
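The Active Setup signature above is reported as 18 IoCs without listing the key contents. The script below is an added example, not part of the report and not the sandbox's own tooling: it parses a constructed `reg export` of the Installed Components keys (the {13965A15-...} entry and its StubPath are hypothetical, modelled on the file names the sample drops into C:\Windows) and reports which stubs would still fire for the exported user at next logon and which of those point outside System32, SysWOW64 and Program Files.

```python
"""Audit Active Setup components from a 'reg export' dump and flag stubs that will run at next logon.

Added example for the Active Setup signature above; it is not part of the sandbox report.
Input is a constructed .reg export. The {13965A15-...} entry is hypothetical: the report says the
sample wrote Active Setup keys but does not list their contents.
"""
import re
from typing import Dict, List, Optional, Tuple

HKLM_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
HKCU_ROOT = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components"
# Stubs launched from these directories are treated as expected; anything else is flagged.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed export: one ordinary Windows component that has already run for this user,
# and one hypothetical entry whose stub sits directly in C:\Windows, like the dropped files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
@="Microsoft Windows Media Player"
"StubPath"="C:\\Windows\\System32\\unregmp2.exe /ShowWMP"
"Version"="12,0,19041,1"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{13965A15-37C6-445a-9932-A0F33B6137A9}]
"StubPath"="C:\\Windows\\{13965A15-37C6-445a-9932-A0F33B6137A9}.exe"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
"Version"="12,0,19041,1"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_value(raw: str):
    """Decode the REG_SZ and REG_DWORD forms used in .reg files; other types are left as text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: value}}; '@' is the default value."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            name = vm.group(1) if vm.group(1) is not None else "@"
            keys[current][name] = decode_value(vm.group(2))
    return keys


def version_tuple(v) -> Tuple[int, ...]:
    """Active Setup versions are comma-separated integers ('1,0,0,0'); compare them as tuples."""
    return tuple(int(p) for p in str(v).split(",") if p.strip().isdigit())


def stub_executable(stub: str) -> str:
    """Program part of a StubPath command line: quoted, or unquoted up to the first .exe token (heuristic)."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:stub.index('"', 1)]
    acc: List[str] = []
    for tok in stub.split(" "):
        acc.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(acc)


def audit(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, bool, bool]]:
    """(guid, stub, will_run_at_next_logon, trusted_location) for each HKLM component with a StubPath.

    Rule modelled here: the stub runs when the HKCU copy of the key is missing or carries a
    lower Version, unless IsInstalled is 0.
    """
    lower_map = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, vals in keys.items():
        if not key.lower().startswith(HKLM_ROOT.lower() + "\\"):
            continue
        stub = vals.get("StubPath")
        if not stub:
            continue
        guid = key[len(HKLM_ROOT) + 1:]
        enabled = vals.get("IsInstalled", 1) != 0
        user = lower_map.get((HKCU_ROOT + "\\" + guid).lower())
        if user is None:
            will_run = enabled
        else:
            will_run = enabled and version_tuple(user.get("Version", "0")) < version_tuple(vals.get("Version", "0"))
        exe = stub_executable(str(stub)).lower()
        findings.append((guid, str(stub), will_run, exe.startswith(TRUSTED_DIRS)))
    return findings


def suspicious(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, bool, bool]]:
    """Components that will fire at next logon from outside the trusted directories."""
    return [f for f in audit(keys) if f[2] and not f[3]]


if __name__ == "__main__":
    for guid, stub, will_run, trusted in audit(parse_reg(SAMPLE_REG)):
        print(f"{guid}  runs_next_logon={will_run}  trusted={trusted}  {stub}")
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" hklm.reg` plus the HKCU counterpart for the affected user give the input; `reg export` writes UTF-16, so open the files with `encoding="utf-16"` before concatenating and passing the text to `parse_reg`. The sample's cmd.exe children run from SysWOW64, i.e. it is a 32-bit process on this x64 image, so the `WOW6432Node\Microsoft\Active Setup` path is worth exporting and checking the same way.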

Processes

  • C:\Users\Admin\AppData\Local\Temp\57a5f42392490b5dc6d155acf13ddce0N.exe
    "C:\Users\Admin\AppData\Local\Temp\57a5f42392490b5dc6d155acf13ddce0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Windows\{13965A15-37C6-445a-9932-A0F33B6137A9}.exe
      C:\Windows\{13965A15-37C6-445a-9932-A0F33B6137A9}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\{4D3F7E60-4C21-414c-9168-A54FCA715B8C}.exe
        C:\Windows\{4D3F7E60-4C21-414c-9168-A54FCA715B8C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Windows\{B6FE73D5-C031-40bc-8DBC-0E0AAC0F9420}.exe
          C:\Windows\{B6FE73D5-C031-40bc-8DBC-0E0AAC0F9420}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\{5E3697CA-C197-4a9e-8553-3AE91326CFC6}.exe
            C:\Windows\{5E3697CA-C197-4a9e-8553-3AE91326CFC6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3748
            • C:\Windows\{36321978-8F91-4346-AE46-C810C0BFC313}.exe
              C:\Windows\{36321978-8F91-4346-AE46-C810C0BFC313}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:744
              • C:\Windows\{69EAA8DE-E4E0-4eed-B8DE-A1A6974E8CBC}.exe
                C:\Windows\{69EAA8DE-E4E0-4eed-B8DE-A1A6974E8CBC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2800
                • C:\Windows\{F0642C87-2324-43b2-8F80-22AE3534C414}.exe
                  C:\Windows\{F0642C87-2324-43b2-8F80-22AE3534C414}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2752
                  • C:\Windows\{0F16D37C-C7B4-4fe2-AFFA-E76380FEFC1B}.exe
                    C:\Windows\{0F16D37C-C7B4-4fe2-AFFA-E76380FEFC1B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3700
                    • C:\Windows\{E3C04B6F-F30B-4427-8DC1-B312366B74A0}.exe
                      C:\Windows\{E3C04B6F-F30B-4427-8DC1-B312366B74A0}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3552
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F16D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2008
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0642~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1104
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{69EAA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3688
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{36321~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1072
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5E369~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4288
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B6FE7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4440
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4D3F7~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13965~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2080
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\57A5F4~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5036
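Each stage in the tree above launches the next {GUID}.exe from the C:\Windows root and then a cmd.exe that deletes the launching process's own image, written in 8.3 form (`{13965~1.EXE` for `{13965A15-...}.exe`); the Downloads section shows every stage is 408KB but carries a different hash, so blocking any one hash misses the rest. The script below is an added example, not taken from the report: it rebuilds parent/child links from the report's indentation for a constructed subset of the tree and flags every cmd.exe whose `del` target is its parent's image. The 8.3 matching (prefix before `~`, same extension) is a heuristic chosen here.

```python
"""Rebuild the drop / execute / self-delete chain from a sandbox process tree.

Added example for the Processes section above; it is not part of the sandbox report.
ROWS is a constructed subset of that tree (depth, image, command line, PID) in the report's
depth-first order. Mapping an 8.3 short name such as {4D3F7~1.EXE back to its long name is a
prefix heuristic chosen here, not something the report states.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None

    @property
    def directory(self) -> str:
        return self.image.rsplit("\\", 1)[0]

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


# Constructed subset of the report's tree; the image path is SysWOW64\cmd.exe even though
# the command line says system32, which is WOW64 file-system redirection for a 32-bit process.
ROWS = [
    (1, r"C:\Users\Admin\AppData\Local\Temp\57a5f42392490b5dc6d155acf13ddce0N.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\57a5f42392490b5dc6d155acf13ddce0N.exe"', 4556),
    (2, r"C:\Windows\{13965A15-37C6-445a-9932-A0F33B6137A9}.exe",
     r"C:\Windows\{13965A15-37C6-445a-9932-A0F33B6137A9}.exe", 2104),
    (3, r"C:\Windows\{4D3F7E60-4C21-414c-9168-A54FCA715B8C}.exe",
     r"C:\Windows\{4D3F7E60-4C21-414c-9168-A54FCA715B8C}.exe", 992),
    (4, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4D3F7~1.EXE > nul", 2684),
    (3, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{13965~1.EXE > nul", 2080),
    (2, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\57A5F4~1.EXE > nul", 5036),
]

# "cmd.exe /c del <path> > nul": the child's only job is to remove one file.
DEL_RE = re.compile(r"/c\s+del\s+(\S+)\s*>\s*nul", re.IGNORECASE)
# Executables named {GUID}.exe, as the sample writes them into C:\Windows.
GUID_EXE_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)


def build_tree(rows) -> List[Proc]:
    """Link parents: a row's parent is the nearest shallower row above it (the report's indentation)."""
    procs: List[Proc] = []
    stack: List[Proc] = []
    for depth, image, cmdline, pid in rows:
        p = Proc(pid, depth, image, cmdline)
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
        stack.append(p)
        procs.append(p)
    return procs


def names_match(target: str, actual: str) -> bool:
    """True if a deletion target, possibly in 8.3 form ({4D3F7~1.EXE), names the given long file name."""
    t, a = target.lower(), actual.lower()
    if "~" not in t:
        return t == a
    stem = t.split("~", 1)[0]
    ext = t.rsplit(".", 1)[-1]
    return a.startswith(stem) and a.endswith("." + ext)


def find_self_deletes(procs: List[Proc]) -> List[Tuple[int, int, str]]:
    """(cmd PID, victim PID, victim image) for every cmd.exe whose 'del' target is its parent's image."""
    hits = []
    for p in procs:
        if p.parent is None or p.basename.lower() != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        if not m or "\\" not in m.group(1):
            continue
        tdir, tname = m.group(1).rsplit("\\", 1)
        par = p.parent
        if tdir.lower() == par.directory.lower() and names_match(tname, par.basename):
            hits.append((p.pid, par.pid, par.image))
    return hits


def drop_chain(procs: List[Proc]) -> List[str]:
    """Images of the {GUID}.exe stages that ran from the C:\\Windows root, in spawn order."""
    return [p.image for p in procs
            if p.directory.lower() == "c:\\windows" and GUID_EXE_RE.match(p.basename)]


if __name__ == "__main__":
    tree = build_tree(ROWS)
    for image in drop_chain(tree):
        print("stage:", image)
    for cmd_pid, victim_pid, victim in find_self_deletes(tree):
        print(f"cmd.exe PID {cmd_pid} deleted the image of its parent PID {victim_pid}: {victim}")
```

When turning this into a detection, match cmd.exe on the process image path rather than on the literal `system32` in the command line, and compare the `del` target against the parent's image rather than against the file names in the Downloads list: the target is the 8.3 name, so an exact match on the long `{GUID}.exe` path never fires.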

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0F16D37C-C7B4-4fe2-AFFA-E76380FEFC1B}.exe

    Filesize

    408KB

    MD5

    864fdd3f6e436a7aafc448534d2ff7ae

    SHA1

    b033174c6ca16cddf1ed8969b44a4ca5e9eadd63

    SHA256

    6b084b61cb3faebee1c7f7ed33ea2a6b59b49aca656c450f353c839e1d31354c

    SHA512

    d762894a25caa7ad4128cde72a26b38b8856f638d18db7f214d4bd26fc5c093989bfb39c1ac0289c6ab9606da669cb5ae095c3edc31919eb0e2c514c957ef9a0

  • C:\Windows\{13965A15-37C6-445a-9932-A0F33B6137A9}.exe

    Filesize

    408KB

    MD5

    3c131f1e03530edac01cfc2f29b5477a

    SHA1

    c54a3347e3c8850ce03f0c9622bea01a51d64700

    SHA256

    55975a2ea0f597a44fcd19c5c3aea5da317f38bf2195a49dc5ef822f437713d2

    SHA512

    ae327e7553928845f125f179e1d0252c033517b51c92ed6c5304e2a02d03b0582ef18df0bff6e1ac6609088158f2bcd08579b669a737861de48532677dad03e7

  • C:\Windows\{36321978-8F91-4346-AE46-C810C0BFC313}.exe

    Filesize

    408KB

    MD5

    e8d6ac9a280c3735187496dc3e26e4e4

    SHA1

    dd968b2665423d1587f826962b0df778a90b65c2

    SHA256

    4414ee2377de79fbd94f05bc0058b4b54f2db7458b2be9c2f1c8322eb862d480

    SHA512

    a0ab18d68357be27036fcbf5950c3eb7b3fc0dcb6da9ca347806bccf94cc220c4a1fd7aa44a508e46b1732f038d28150f94c12ec0b37a97e606d6bc566cbc085

  • C:\Windows\{4D3F7E60-4C21-414c-9168-A54FCA715B8C}.exe

    Filesize

    408KB

    MD5

    89e4cb0557ba2179cdd9aef8400e7789

    SHA1

    e02bbc0616fcc1c52e5eaa87c1cee65e68ef8bb9

    SHA256

    1ed2bd71ab8b1f062f2c52da79bc1e5d0894560938e0fedcd72b0b6afda1f098

    SHA512

    97cc111d917c0d51c06111168b8de9b0bcc5e8f9de395312a8aeb43bedb9de356812d55efe3bfff194c323cdf85fe6e2357fa704b35416a14f20bfc31c62fd29

  • C:\Windows\{5E3697CA-C197-4a9e-8553-3AE91326CFC6}.exe

    Filesize

    408KB

    MD5

    4580a3916268a0c9c8d532b9b849a758

    SHA1

    6c9c954544f74e0a034ef2b1da0b8f422dd33f6f

    SHA256

    2032977eb4cf8c803b6c6c6b57c832a3aa977ec9e086ff40b5e604e5c1e73962

    SHA512

    25f2142a8a466ef69a5c29cfb221aec1561459fe5cc1241877ccc14d27d606af69f0b3ec6798bc4805481cb51b8713f330b538c466dd054d43621a1a8defb0ce

  • C:\Windows\{69EAA8DE-E4E0-4eed-B8DE-A1A6974E8CBC}.exe

    Filesize

    408KB

    MD5

    e9d3b5b17e31c049a9e739c24b48c632

    SHA1

    3a7f05d7eda54eb386d59e8bd551e37d4fffc621

    SHA256

    85cf664f088fcb3b78a68fdcdd26703955effaa626faf7d0400efc79510068b0

    SHA512

    5b6829056ed0d8e35a1ae1996aea87edaf2a0baf7b1339b428db3e2892093c4e81af6af7aa051456d5e0332bd6abc921d69104b9bb32d2823cb6edf54540567e

  • C:\Windows\{B6FE73D5-C031-40bc-8DBC-0E0AAC0F9420}.exe

    Filesize

    408KB

    MD5

    483b110fee18222e119e49acb69e66c4

    SHA1

    5a989fec135949160cb0946030af8cd00193054b

    SHA256

    1340a0eeacce03577b49b54701ba9f1490aa18618240d4130ff0ba287191588d

    SHA512

    c4a00a45399e7c7daf0514b4d6bb386533c01a33f0c29629204fa523e42639f6bfde6dc1ff7a5eaeb6fe24de36ac9ad0950b7e476dd4f2167ec31b7052ee5fba

  • C:\Windows\{E3C04B6F-F30B-4427-8DC1-B312366B74A0}.exe

    Filesize

    408KB

    MD5

    5341933664a7bc78d187f262bf523075

    SHA1

    9cdb31cfacc9c9caab6c668dbb090c258fc5251e

    SHA256

    7423fd631139138a4fb9e6c6676b48f2d5e913093316d5dce40fdb3155e4098d

    SHA512

    f38638bcb6935832ee703b7be11aaa3fe187ec9c636270b23ee0403fd5c0f6c74c2ed6b312ca0b1ef5911177ec70738c87071fbb7a19be209f9ac2f5d1850863

  • C:\Windows\{F0642C87-2324-43b2-8F80-22AE3534C414}.exe

    Filesize

    408KB

    MD5

    c80271be41c903880fdbb2408c9a72de

    SHA1

    bf8f0b2a9e03d6539cabe7b041dd6b6e62576a2f

    SHA256

    43258a77f1ed5fabe450c75a6c9d177ef877a14755ae2164452eeb3680430db5

    SHA512

    c6f06aa9ea964aa6a1b5989625c3173c9b81ab32f9ce77ee299ecbe7f952638c28b6c9921ce5a038f53f06b577db4fc7d1e9e07f28d9dadc62f8a00db866ce82