Overview

overview

8

Static

static

3

c7a01f7c4d...61.exe

windows7-x64

8

c7a01f7c4d...61.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/07/2024, 05:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c7a01f7c4d5cca969bb4d4fef5b64af71a7ce93a6002f5c35fe2188b9fadb061.exe

  • Size

    168KB

  • MD5

    95074c10bc3a8f961a7ee9c8d9de603b

  • SHA1

    700bb0790ebde7295596377bbff4419897d2d8d7

  • SHA256

    c7a01f7c4d5cca969bb4d4fef5b64af71a7ce93a6002f5c35fe2188b9fadb061

  • SHA512

    52c0b8fbc896432a925a979b101bd8ba9d9d607b7670874518e200cd5e61ade80a9e57d344fa5934b0c98459f10021c7d75154f69efa168e80a09a3ef622e9f8

  • SSDEEP

    1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7a01f7c4d5cca969bb4d4fef5b64af71a7ce93a6002f5c35fe2188b9fadb061.exe
    "C:\Users\Admin\AppData\Local\Temp\c7a01f7c4d5cca969bb4d4fef5b64af71a7ce93a6002f5c35fe2188b9fadb061.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\{BA08C432-E6F5-43c0-98D1-A809069C97FE}.exe
      C:\Windows\{BA08C432-E6F5-43c0-98D1-A809069C97FE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Windows\{B1106C43-6E5A-4d92-BE18-3F09523E68CB}.exe
        C:\Windows\{B1106C43-6E5A-4d92-BE18-3F09523E68CB}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Windows\{76D096B5-48D6-43fb-A75F-4D57BECC96B7}.exe
          C:\Windows\{76D096B5-48D6-43fb-A75F-4D57BECC96B7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Windows\{6F951E3F-9215-4a79-89F6-577E56D84AE9}.exe
            C:\Windows\{6F951E3F-9215-4a79-89F6-577E56D84AE9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3844
            • C:\Windows\{390CFE7F-8E14-44ae-ABB0-7CE378C9FB5F}.exe
              C:\Windows\{390CFE7F-8E14-44ae-ABB0-7CE378C9FB5F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4156
              • C:\Windows\{1466F107-3FE1-4a07-9F9D-5395D5100A55}.exe
                C:\Windows\{1466F107-3FE1-4a07-9F9D-5395D5100A55}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4624
                • C:\Windows\{116920F9-B2FA-481f-B2A6-BB65048E7788}.exe
                  C:\Windows\{116920F9-B2FA-481f-B2A6-BB65048E7788}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1764
                  • C:\Windows\{557E36C1-4868-4b3a-BA37-F83BF93E41DA}.exe
                    C:\Windows\{557E36C1-4868-4b3a-BA37-F83BF93E41DA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2912
                    • C:\Windows\{50DC5AA3-B0BE-42dd-A237-B88ACE403B1E}.exe
                      C:\Windows\{50DC5AA3-B0BE-42dd-A237-B88ACE403B1E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4160
                      • C:\Windows\{BBCE894E-1AFE-42d3-9D49-00010DBC8706}.exe
                        C:\Windows\{BBCE894E-1AFE-42d3-9D49-00010DBC8706}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4600
                        • C:\Windows\{7F5EFC64-319C-47e6-AEB2-B0E9EA201101}.exe
                          C:\Windows\{7F5EFC64-319C-47e6-AEB2-B0E9EA201101}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:960
                          • C:\Windows\{444D9DA9-02FA-4c44-B010-C97A635E011D}.exe
                            C:\Windows\{444D9DA9-02FA-4c44-B010-C97A635E011D}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1584
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7F5EF~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2772
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BBCE8~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3840
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{50DC5~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1048
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{557E3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:5052
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{11692~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4896
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1466F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1728
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{390CF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1208
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6F951~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5076
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{76D09~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4932
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B1106~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA08C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C7A01F~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4604

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{116920F9-B2FA-481f-B2A6-BB65048E7788}.exe
          Filesize

          168KB

          MD5

          b7664b09367e3ca82fd0a24a4496e6b9

          SHA1

          a3b3d80a73b954801fb54e801bae01946e3ab4f4

          SHA256

          2e75241dbf5b1be1b8d202a05109b87e4c93a6686f6b9d95293310abc0b3059f

          SHA512

          c6742733ab2e7cc8e9415e67436c4c75c49caed2561240ec6b3a5a09c3f5d6cfa5acff79af47cda9eaa5f34b4ac79abed116a22b7d93fd32034971541f57dfa0

          Download Submit

        • C:\Windows\{1466F107-3FE1-4a07-9F9D-5395D5100A55}.exe
          Filesize

          168KB

          MD5

          d6d38afd5bdb9c2583a359c00378676b

          SHA1

          015da6e51aa57539bca8015e84baf8b0b72558d9

          SHA256

          afaad3f543c4457ea6c920ba263633c821f023bdd4fa6adf04585ebbd3589ab5

          SHA512

          103c1b70a855feae5b512619cb21b029dc7bbf3c2fe1da5dbc9c7d796cbe39c9bc9574b847b05f4055a85851cc7b029ff3ab4f667c2c9cb38dd272f43c45229e

          Download Submit

        • C:\Windows\{390CFE7F-8E14-44ae-ABB0-7CE378C9FB5F}.exe
          Filesize

          168KB

          MD5

          e96a2cddcd8888e36a312efe7511625a

          SHA1

          c90e9c1660c84db778b967a96ebb00f06b22e62c

          SHA256

          54c742aaa9c3545010402d1c0aeb42e88c07bba9d0204d186de4d3ebe03820ad

          SHA512

          2aba567c1f40b27e69cf60da554eece0517352290ea1ffc3a015daa01709235b4e04a289a29c29b41fa919c9983342fe4903f668c3ad66c4fd7dc3e515dda19a

          Download Submit

        • C:\Windows\{444D9DA9-02FA-4c44-B010-C97A635E011D}.exe
          Filesize

          168KB

          MD5

          e93032bc626cb6cc66dffd12e6970d88

          SHA1

          58bda03f2af6aefa0ebf03ff26c82528483a07e0

          SHA256

          63efaecb87c40196d09e61822137098a0b44622c3c956a95cfee7590a13d39dc

          SHA512

          9b703d1eb396a7bdb96f8761bbc89572ead76f193cd00c055ff8dd14def367a2d14dede212ff057ededde2656c5c049b3aac0f91dfc3392233d5da351424810a

          Download Submit

        • C:\Windows\{50DC5AA3-B0BE-42dd-A237-B88ACE403B1E}.exe
          Filesize

          168KB

          MD5

          1ceffc6087b331ca74418fb71ef4a833

          SHA1

          38dbf8b4198b7886ab5ecfb34e0822e45d495578

          SHA256

          148424df4fbb222b5d47eaa995b754fc35c0615d2c5febda3f95e82193c9bb83

          SHA512

          fef73782b108522cf19083d84a6618731d57beee912dfff473062e4c00f22b3811d3b5dd81e807d1436b3f312da0dc68eb820d6711075e92c657ebd31164675c

          Download Submit

        • C:\Windows\{557E36C1-4868-4b3a-BA37-F83BF93E41DA}.exe
          Filesize

          168KB

          MD5

          f6994ceb638db4d087b90dd5ac7b09ff

          SHA1

          9d799dd944fd1353f03acb2cc674555574580836

          SHA256

          ccd8644558800d106217e4cbd3bbad133a006d5c7278754791cdcb355143e974

          SHA512

          a3c3c3853b5c830f75267d720259506edf5ed18d8f7fd3936f2a36e9ac54c6376cd27fcca4f3f1c9c356a447569583214e56dc4ca3b97b91cf81c792018e9211

          Download Submit

        • C:\Windows\{6F951E3F-9215-4a79-89F6-577E56D84AE9}.exe
          Filesize

          168KB

          MD5

          95a3252dd36646396258d152c5f21265

          SHA1

          3e2dad78ac90e6375b93cf1fdc28fd9973d6eca4

          SHA256

          e59144b2f94a5dd4e743eee129b175e35e41ba024e805569e2b030678592bfe0

          SHA512

          54516059a85256b1f7205b8a14f197d095bf04bae02e45d1c234aa4988b0224072a0ca9eb8662b60ea9e9e0536a0921e37236304463923a10f0290abf366a010

          Download Submit

        • C:\Windows\{76D096B5-48D6-43fb-A75F-4D57BECC96B7}.exe
          Filesize

          168KB

          MD5

          9733a99c99b81b3be2def6f837430cc1

          SHA1

          a55bdf10c0b6c9c8a934aec0e83e13591217d0e6

          SHA256

          1017746b1137a9f629c73d02cb843ebd63a627b7985bfcd7a5510b835da0ddee

          SHA512

          89b4a6e1a33e827f5f63d586fd5f9c0fc84b627d75456bdcb7ceac4747919d3cc4de9158b530e1a3a8772323724bd7251a18a0cd2528db5fba16133920524033

          Download Submit

        • C:\Windows\{7F5EFC64-319C-47e6-AEB2-B0E9EA201101}.exe
          Filesize

          168KB

          MD5

          6374ecb5cd06d9edb19c0a55476e59c1

          SHA1

          60e2b0bcd4a71a5f416aa69a44754d65340846b4

          SHA256

          c9aea5743d9509d5ebbc967fb242cb80523de912380a14279c4baf1b24b5d3c0

          SHA512

          79b8cd94c6118558b1e07a798c87f845c280ce006d531391f9c4e4d61feb9cc9e8ac0e437443a439576b56c20009a77d5f4e14f5cddee4449195446ab28358a4

          Download Submit

        • C:\Windows\{B1106C43-6E5A-4d92-BE18-3F09523E68CB}.exe
          Filesize

          168KB

          MD5

          9250687898c4b952337d75d777c60876

          SHA1

          425ec379b5e722120a1b6b8ecd2738d559f1e7c8

          SHA256

          0a3c6ae6b3558f101b9e25e4ba0ed61d1a6a5d0ed71caccad28dc9d6d597b17c

          SHA512

          0a1d8a2ed5f0f366dc39f4c4eb53fbaa205c00b30663ba3050f8925f82d9ff2dcfbdb3b4a192a1537e79da153f6953b29914c555d72dfff4d4d46455f4dde061

          Download Submit

        • C:\Windows\{BA08C432-E6F5-43c0-98D1-A809069C97FE}.exe
          Filesize

          168KB

          MD5

          9cc800276218c616fc6775fff71624a4

          SHA1

          d52df5f699a15a6aeb87a09971a7191da15cd6ef

          SHA256

          fcfd37d0030fa23cea91ae14c85630d60a481d4264a33b4d951332a8d75380bb

          SHA512

          4004fcfb9625e6c376b1b4a517c3b8e6113bb7e21d31040276047e6f61fc3f1e4a8558db7a941b228b620aff56429885cca2388739ec7db2934c92813650837e

          Download Submit

        • C:\Windows\{BBCE894E-1AFE-42d3-9D49-00010DBC8706}.exe
          Filesize

          168KB

          MD5

          c0e83cc844208e42073491a5d50c898c

          SHA1

          bacfc14059d5ebc5485caa0dbd1098c8f26cf4bf

          SHA256

          3af4e4ef10764dafc3a7cd7e7495799b444b1b8ab0242dc6e1eabcf9429e9292

          SHA512

          c7634c8e1a3bcb18903a6df2f5f2470815858f3d0685d57d22684074e4bf8e6cbf6eff1ffd69430ad1b43d5918bd9f8308f5bb396ef2e73cf0fbda633ded5aef

          Download Submit