Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-08-2024 00:11

General

  • Target

    92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe

  • Size

    80KB

  • MD5

    f31ce28c80ba0a9c9e2134dc93b853d6

  • SHA1

    e368fb95e9c0ee10d9dcebde39a86e47c94a50e8

  • SHA256

    92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844

  • SHA512

    f540cd3f52c2e1253585f9e625655d051fe78bca257abd946af9d273435d3c14163f37d6f8acd2677f0a2eb61b7bf9838b318874368f83edb183eb2c1b84af5e

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroT4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLroT4/wQRNrfrunMxVFAi

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe
    "C:\Users\Admin\AppData\Local\Temp\92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\{FBCE9252-B028-4a1e-A12C-14EF5AE3BC03}.exe
      C:\Windows\{FBCE9252-B028-4a1e-A12C-14EF5AE3BC03}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\{6DE5EE12-B518-49de-9CFE-99E2E899F6E3}.exe
        C:\Windows\{6DE5EE12-B518-49de-9CFE-99E2E899F6E3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\{B434D6FD-326C-4c7d-AE40-15E238C8ADAF}.exe
          C:\Windows\{B434D6FD-326C-4c7d-AE40-15E238C8ADAF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\{8BB55F9B-FFEA-4413-9782-D38F90289531}.exe
            C:\Windows\{8BB55F9B-FFEA-4413-9782-D38F90289531}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2696
            • C:\Windows\{B5A4A9EC-8BFC-4eef-9DF1-8BBF9EB1802F}.exe
              C:\Windows\{B5A4A9EC-8BFC-4eef-9DF1-8BBF9EB1802F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2952
              • C:\Windows\{A8EF132C-F2B2-4f2c-9625-E83373594FDB}.exe
                C:\Windows\{A8EF132C-F2B2-4f2c-9625-E83373594FDB}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1940
                • C:\Windows\{C904F271-7D74-4986-9378-D15CDB5AC332}.exe
                  C:\Windows\{C904F271-7D74-4986-9378-D15CDB5AC332}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1564
                  • C:\Windows\{4CBE5EBB-CFEA-4334-A8E6-FCD86313A4F7}.exe
                    C:\Windows\{4CBE5EBB-CFEA-4334-A8E6-FCD86313A4F7}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1104
                    • C:\Windows\{F963250A-58FE-4448-818B-CDC88AA1909A}.exe
                      C:\Windows\{F963250A-58FE-4448-818B-CDC88AA1909A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:976
                      • C:\Windows\{6F2809FE-3D7C-4e47-92EE-1742A4E8DF82}.exe
                        C:\Windows\{6F2809FE-3D7C-4e47-92EE-1742A4E8DF82}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3064
                        • C:\Windows\{9FF5CB2F-5874-439a-9ADA-ADEEA2CB96EA}.exe
                          C:\Windows\{9FF5CB2F-5874-439a-9ADA-ADEEA2CB96EA}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1428
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6F280~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2376
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9632~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:772
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CBE5~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2772
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C904F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1840
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A8EF1~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1876
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B5A4A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2476
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8BB55~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1012
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B434D~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6DE5E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBCE9~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\92DF55~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{4CBE5EBB-CFEA-4334-A8E6-FCD86313A4F7}.exe

    Filesize

    80KB

    MD5

    13644aa60692a0e459340988d711da3e

    SHA1

    07d29da7f84c1c51830504d94537a25a92341532

    SHA256

    f186ab88209f4315257223e62ac69f56e7014e6bb7f56ee20dd332b418c81a71

    SHA512

    6a241a7753045a47e2d124042f8fad56147082694ef674a01cd994ff06b9b1e4d67b91a6c327d51e2fbd1f2d7c86fe068679d2b86c40fdcaeb8c0e32033eac7c

  • C:\Windows\{6DE5EE12-B518-49de-9CFE-99E2E899F6E3}.exe

    Filesize

    80KB

    MD5

    165c234390c39683bd1e59ca591a5bce

    SHA1

    78feaf203a5f1cd7efcb8bae41d76215200412cb

    SHA256

    678c3b0344773f20972f59aecdd5c1536eda413b2d690cbd817b08e305ce575a

    SHA512

    2e502af8fb048a695f95a4ba40bcf6a9e744a862193ecc8f66e703fa2fe797368890fd134f5d97f464b29d0c95b528de6d9bdb662d9ed74d7a782f6f9fd31ef1

  • C:\Windows\{6F2809FE-3D7C-4e47-92EE-1742A4E8DF82}.exe

    Filesize

    80KB

    MD5

    7fbb80ffff3baa07b6391989af56fa50

    SHA1

    c74f4df9e7c62225ed2f014d7a3d1e5f0a717fb2

    SHA256

    cb5db50869eb9d9625e08140ef0f3f28d199f36cde57a02bd88a78ab8f63269c

    SHA512

    86b4f461baa3dedcbf0510f2803a585c330801eafd0d624baa5477c33e22f1bc669dbd32988e59e579ba72c7cee49344819cb4f8d89575f21e894f41ad934c5e

  • C:\Windows\{8BB55F9B-FFEA-4413-9782-D38F90289531}.exe

    Filesize

    80KB

    MD5

    2e348a2bfe31422cebe74a33aca60b3c

    SHA1

    1401a74775f2f999d52787bef5d1ca7c9a5f1513

    SHA256

    d7d968ccfd5e35200bd81c30145d61c4d3e61311017fd60a5bc81913e47e0dae

    SHA512

    af7a2ed01eb96b7fc25af52ecdfa9288c678dbdc9267e8a7de304997a69cafd01bacdd78cf818329d44723bb8b98d986a1aa5efe4272b85321a017626423691c

  • C:\Windows\{9FF5CB2F-5874-439a-9ADA-ADEEA2CB96EA}.exe

    Filesize

    80KB

    MD5

    44ef3bae4247ba7fc557c2896e6f39dd

    SHA1

    5eb461fa0fadcd722ed9c7c2197fe9ed6680482f

    SHA256

    5541cf9e73596107358a2b8ebc1eaa970af44e0a146cbf6b6fc7f73dd1aeff87

    SHA512

    30b711809f6c3f40f78c0020992e4a5c99eb123b4ae5e30912505303e7f1e40c1ddf4e8c21af6fd2e8c54045e8ff524270966a98ab619262abaccff321a6d7e4

  • C:\Windows\{A8EF132C-F2B2-4f2c-9625-E83373594FDB}.exe

    Filesize

    80KB

    MD5

    89c72275033bf5e633a79cc5a95e0f8f

    SHA1

    362a1b7bfaed783d24ca7c946e28ede6645818ad

    SHA256

    5ec8d6c3dde9826e9e0516a48b94920d08a382e4c4b9c6d12c5e63fa737da2d6

    SHA512

    47163c2edb8b4af2c50951cd07322cf1476d034e35b91fde1a0dcbc98c6a0d60c4e3bc9a2c071d48ea80ee27d75a3dbe0f0e7dae7c52a80e53f65b9f68698a01

  • C:\Windows\{B434D6FD-326C-4c7d-AE40-15E238C8ADAF}.exe

    Filesize

    80KB

    MD5

    34f852a5089ce1ed6a1289d3e209aaf2

    SHA1

    a5cf71745f649bb22837e345fe1c9459232ff04b

    SHA256

    5dda95ac521b9010ea7a16debdd0083a2675694ba60988c7ec5ab45d93c130a4

    SHA512

    67ef7d4894f53d99772ca52504811290a70417aefd60bb9ba30ff4f58d3092eab6dc29fa7ce6d0622f937169e3347db9d14917ca2ddb2623c9048a7c9cfbce00

  • C:\Windows\{B5A4A9EC-8BFC-4eef-9DF1-8BBF9EB1802F}.exe

    Filesize

    80KB

    MD5

    fa7fcce0338ae139b34d102b3b089900

    SHA1

    f86853884eb0238bb234ef85c1dedcf10fe90a8a

    SHA256

    5cdd3c952de90da37bc2daa05accf6430128aa0475fa3f5f955575ae558b9dc9

    SHA512

    0aa11fb9f926ad26ab748ced9e6db56f9ef0e87afd0e5637e800df23f866bafa311f14812d5c41d88be967e2b624e6472ca5152a02f57f0446b837ff19b60cd0

  • C:\Windows\{C904F271-7D74-4986-9378-D15CDB5AC332}.exe

    Filesize

    80KB

    MD5

    1332a4a2826e2c39f4545dbca1d6ffc2

    SHA1

    a8597e3dbe6eccc12d9e8e3a62b72a568b76afa1

    SHA256

    999565c4b7f84759726ee73ba170f1658b229f46f8edf18abdcbd4a101d603fe

    SHA512

    b792eb80d3041a94d6967b854065ba4612d6e2cecf916ee3ace852da57776d66adee4e320a5845a341cb801a9c620b3476e823e083fb52caa844aad0acc32b6b

  • C:\Windows\{F963250A-58FE-4448-818B-CDC88AA1909A}.exe

    Filesize

    80KB

    MD5

    08643705e6f375b639ab2adae70e0219

    SHA1

    752c5a640819debe25c945f218353c27b46b1cfc

    SHA256

    26134053be303f41e24a5b7c6d0e5a4a5477066fe4c9a54696368dffa47ac796

    SHA512

    c69dae8508aa02890604fa80d40dcb9d6801e488b9c9eb2d0edb036a2fc6525e90ad1f1d45fb40fced0f74a75e6f5b9d53e75125df6e9fda52e496c18372f762

  • C:\Windows\{FBCE9252-B028-4a1e-A12C-14EF5AE3BC03}.exe

    Filesize

    80KB

    MD5

    bf0ba273ddc80e0c3b8c8ee17d8b6955

    SHA1

    772ee1f953f650fa32030e7cfa02bb915d6e89e0

    SHA256

    1462874598f13bf4d09cec99c2c7a207924c9298336c4677e354dde59e030508

    SHA512

    75e3ede8ca92f71ff66664b46144b1ac7cc56a3de29e692e3d4c5029fd7ea762512cec9846dff1428a0cc51a832d80b5f4987cdb9fa4bac4fd15c6b75aefb2d2