Overview

overview

8

Static

static

3

97b7adea8d...0N.exe

windows7-x64

8

97b7adea8d...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/08/2024, 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97b7adea8d8abbee7a9a0fa44a69cb00N.exe

  • Size

    88KB

  • MD5

    97b7adea8d8abbee7a9a0fa44a69cb00

  • SHA1

    e0ff0a347c150a21af5c38100018709b1d73090e

  • SHA256

    d7b52eae730e74cbffb61c897b6993fdd620d5464d4b69b8b0afc637b68d5aad

  • SHA512

    bb78aa2cbf8b0f25887f9da14aed94b29f231653198799f8629857a2bdd25858a34431e67dcd3821adeba0d0b3b569b68f8ec237273a52ce0624cda53ad90c16

  • SSDEEP

    768:5vw9816thKQLroB4/wQkNrfrunMxVFA3V:lEG/0oBlbunMxVS3V

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97b7adea8d8abbee7a9a0fa44a69cb00N.exe
    "C:\Users\Admin\AppData\Local\Temp\97b7adea8d8abbee7a9a0fa44a69cb00N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\{5DA85F37-6A2E-4e7d-8BBF-3FEA4F984E64}.exe
      C:\Windows\{5DA85F37-6A2E-4e7d-8BBF-3FEA4F984E64}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\{F45E26D7-5CF8-4079-807E-8C0E8D713A5B}.exe
        C:\Windows\{F45E26D7-5CF8-4079-807E-8C0E8D713A5B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4668
        • C:\Windows\{65890DAB-FF58-41c2-B010-D128DAB5F5A3}.exe
          C:\Windows\{65890DAB-FF58-41c2-B010-D128DAB5F5A3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1212
          • C:\Windows\{6E9D6173-6827-48cb-AFFD-BA1517DD2C71}.exe
            C:\Windows\{6E9D6173-6827-48cb-AFFD-BA1517DD2C71}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Windows\{88627EEC-94E6-4d2f-ABDD-518589E940F2}.exe
              C:\Windows\{88627EEC-94E6-4d2f-ABDD-518589E940F2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3372
              • C:\Windows\{A5CF28EB-EC67-42bc-952E-C5A76944B41E}.exe
                C:\Windows\{A5CF28EB-EC67-42bc-952E-C5A76944B41E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4456
                • C:\Windows\{32196161-73E7-434c-8714-556EE748781E}.exe
                  C:\Windows\{32196161-73E7-434c-8714-556EE748781E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3112
                  • C:\Windows\{1D554011-C658-428f-B4F5-73186DAE71FF}.exe
                    C:\Windows\{1D554011-C658-428f-B4F5-73186DAE71FF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2756
                    • C:\Windows\{18210CF7-BA22-420d-B909-0D2818593F9A}.exe
                      C:\Windows\{18210CF7-BA22-420d-B909-0D2818593F9A}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2116
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1D554~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4548
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{32196~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4828
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A5CF2~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4492
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{88627~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4440
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6E9D6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3524
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{65890~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F45E2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4128
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA85~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\97B7AD~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{18210CF7-BA22-420d-B909-0D2818593F9A}.exe
    Filesize

    88KB

    MD5

    9f0b761bc625c560adaac97fe6e2f8b9

    SHA1

    28fa9c1c3f5f1cf4f7f75721547bf0e70b2aa3f1

    SHA256

    344e0ae93b08865d220faecf3d0d8fc15dcf26176e97a3339bd84f69f6f4e1c4

    SHA512

    6f485a6d994e0a501a2dc4a065ac35026cc429a407702dce6b7c65a027151bae9cd0f618988f577c37545866d6a05c7a3048689a66db3ea5ac74f6acb7280e2f

    Download Submit

  • C:\Windows\{1D554011-C658-428f-B4F5-73186DAE71FF}.exe
    Filesize

    88KB

    MD5

    51010e0a6decd9f71d1d23ba2359bd5a

    SHA1

    cae6a0b23ccae42b9ae6cb061d63dc68875c1fb4

    SHA256

    7bdcc1dd8c6d21365ccc94d4378ec3c39eab6fef716b363d44fc1c65fc941432

    SHA512

    a4a4a489e0356eabbffa3cef3925575c4916d2422803f7c42284be1d21647cafedb4c4d12b576feb6781c876b35ae2c17e760eb05667566a37c3a4c699442267

    Download Submit

  • C:\Windows\{32196161-73E7-434c-8714-556EE748781E}.exe
    Filesize

    88KB

    MD5

    be1d1b19b3ee5ef29f5f881f976db5f7

    SHA1

    a0a81c99ad224e77bc3a077db78f32afc70a403f

    SHA256

    bb264fead863db70201bdbea10571cbc632163eb8db9fbf138de7d5e7da13e0f

    SHA512

    2f4c6f2af03aa07f0535c3ee086febb7ba387a357089d2828069cf4bc5c4a45ceda9db02f3e8319475f231c497419b33b17d32e90279cd224251cb71ba91bc4c

    Download Submit

  • C:\Windows\{5DA85F37-6A2E-4e7d-8BBF-3FEA4F984E64}.exe
    Filesize

    88KB

    MD5

    24264ce90878823a2a64de2a15ea121d

    SHA1

    7ab3be1f84c67664e3c0b63dd51114d22bcb8850

    SHA256

    53b5d64a1fba0679f4c5e841fafc3169d51cd67900e31fb0600b4b016a98d052

    SHA512

    aa022704b55a22eee69a38bea9f8537ae251fa51a9480735ef5d28e35c4bfaa01c23dedc94b019216a14e39a3480d3cde261e25ba135eb73967438c58ef6f246

    Download Submit

  • C:\Windows\{65890DAB-FF58-41c2-B010-D128DAB5F5A3}.exe
    Filesize

    88KB

    MD5

    9a4339f5f48852df9863e30fe6ba2822

    SHA1

    6f74037cf0b7f8e422e2abdfa2bb42bd7bd589e5

    SHA256

    e7a93330985127d0e221afc03aed9c1363d69109f033b1051769e146fa670e00

    SHA512

    e3c0a301acac54d22e7196a88a68662720c422e6378a8f6599d503688321ff88df67ff1059c833ec020cedd2cfa5b153f17e2ccd823fd0c8638678c468c9459f

    Download Submit

  • C:\Windows\{6E9D6173-6827-48cb-AFFD-BA1517DD2C71}.exe
    Filesize

    88KB

    MD5

    a5291685db759f3cfdbc5752c18cead3

    SHA1

    b2f1e690df02635b8ef21fba0d871372860e2836

    SHA256

    5ba150c09b91858b1fb7ca7c922f4e484d99f806db1a2e85e8c6bc7c77955700

    SHA512

    b89e829e77a259a68475b055b2268c87bed1d47dff9e567204597a86049ccf55666d4e88f59d199ece63697c74049b3efebc23175a05d18633db6fd0b5613631

    Download Submit

  • C:\Windows\{88627EEC-94E6-4d2f-ABDD-518589E940F2}.exe
    Filesize

    88KB

    MD5

    0447bf91695a394036c917f173593aeb

    SHA1

    286e11055db3d97567d3776ef62685492ac25d8a

    SHA256

    f4611cb9f02863bf304da3ce9788c26b2c5740fb5fccdaa1c67d4cbf1d06cdc0

    SHA512

    d2a28800751ddd11199f33e31242d2e190ebd0b01b10f5a27eb3cd223750065f744a91982a79ef91aa70fa7a064e74f023c8a5a3e7833a9cd4986706c36dd43a

    Download Submit

  • C:\Windows\{A5CF28EB-EC67-42bc-952E-C5A76944B41E}.exe
    Filesize

    88KB

    MD5

    eab66eac0652c8084d4fe78abaf1f366

    SHA1

    38bc1610aed21bcb3951d430313c66ce26b38af6

    SHA256

    ae4c132b4b4bea2581c699d6eb7783d1ca43a0f0785b5bba61a6915a7053cd20

    SHA512

    eac52708f31edd9bf1fb0ab46a5b164f3a1ed07f9c2de3f22b6933ed8a1e89995f4cd3fb8992c75a5498d676306959aa5eb80400fbd2d9357531bef1dbd44037

    Download Submit

  • C:\Windows\{F45E26D7-5CF8-4079-807E-8C0E8D713A5B}.exe
    Filesize

    88KB

    MD5

    d516b4877e66d58300cf2e8f8bfce4ba

    SHA1

    7dc7935a2241ef185c3627653a8d87670666f22e

    SHA256

    e43d37c24f15bf5233026309b49e78545518714d28e479a1c2f5f877c2513307

    SHA512

    26f1186dc1a3953262846ba3aa54ab8266cfb6640ab918dadd7a4ab1d14d845b17de78e4b4a70c9bbe749ff0679d238ef0da8c20fad116a9916b9eae075b1135

    Download Submit

  • memory/1212-17-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1212-23-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2452-27-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2756-49-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2756-44-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3112-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3372-32-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4456-33-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4456-39-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4668-15-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4668-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4816-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4816-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5108-11-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5108-6-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download