Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-08-2024 12:39

General

  • Target

    a6f982278b835b1d59ccef4dd76a18c0N.exe

  • Size

    89KB

  • MD5

    a6f982278b835b1d59ccef4dd76a18c0

  • SHA1

    f4562acac412f5fe6dd53af865ba51d2e30222fa

  • SHA256

    f62f794fe6a73f1ae52b62d1d56b5ede50f416c88e1ad82bba52cb1273d32629

  • SHA512

    2f7186495986242c794c881b2e11a78bb61efd9d395416a0d2c6dd169c99e9a04520e7cf4406f17b5a15837bcc655ebb0fe948930fb79b50cc43cd5cdd5fb7a6

  • SSDEEP

    768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7glL:YEGh0otl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6f982278b835b1d59ccef4dd76a18c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\a6f982278b835b1d59ccef4dd76a18c0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Windows\{53468D78-D433-4dcf-9F00-C1387202F11C}.exe
      C:\Windows\{53468D78-D433-4dcf-9F00-C1387202F11C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\{94A1CC5E-C7D4-419c-9865-D3580861523A}.exe
        C:\Windows\{94A1CC5E-C7D4-419c-9865-D3580861523A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\{9D0C6AD8-5609-48e9-9E39-451D652136F1}.exe
          C:\Windows\{9D0C6AD8-5609-48e9-9E39-451D652136F1}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2404
          • C:\Windows\{A8355FB2-CE73-44d1-9061-41CD4313076B}.exe
            C:\Windows\{A8355FB2-CE73-44d1-9061-41CD4313076B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3240
            • C:\Windows\{0519BD0E-4FCD-4a6b-905B-2C4FF99F2AC2}.exe
              C:\Windows\{0519BD0E-4FCD-4a6b-905B-2C4FF99F2AC2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4792
              • C:\Windows\{62752F86-E854-4a11-934F-B58A1809B08D}.exe
                C:\Windows\{62752F86-E854-4a11-934F-B58A1809B08D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4764
                • C:\Windows\{60EF6C0E-5DA7-4df6-B2E6-ACF42CAC8179}.exe
                  C:\Windows\{60EF6C0E-5DA7-4df6-B2E6-ACF42CAC8179}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2840
                  • C:\Windows\{3E2F8E4D-63AA-40df-8A42-F6D73FBFA9EA}.exe
                    C:\Windows\{3E2F8E4D-63AA-40df-8A42-F6D73FBFA9EA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4972
                    • C:\Windows\{BF87967B-902A-4dc7-9973-B5EB45CC0ADD}.exe
                      C:\Windows\{BF87967B-902A-4dc7-9973-B5EB45CC0ADD}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4108
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E2F8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4656
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{60EF6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:844
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{62752~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4492
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0519B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A8355~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:636
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9D0C6~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{94A1C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53468~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3480
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A6F982~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0519BD0E-4FCD-4a6b-905B-2C4FF99F2AC2}.exe

    Filesize

    89KB

    MD5

    015dfc46a363193f4732c577b51619b4

    SHA1

    33362bd684072fd510fa9104bb2f601b96369b3e

    SHA256

    0bfc40d09109e7669c6efe5cba28bc0e54810e9d1c2bc741f9a21fe171d3456e

    SHA512

    64cba993f22d69eb862fbf9b0afea0d20a65088297ee50132763fd941fa6a274a1a5208140d8a133daea463e220b111766fba50d44722a68d3c5d20ea4235eaa

  • C:\Windows\{3E2F8E4D-63AA-40df-8A42-F6D73FBFA9EA}.exe

    Filesize

    89KB

    MD5

    8ad8a6875b113113733c53233802e495

    SHA1

    5cd2a048c3527e6726ed89a99a45edcb29b8e92b

    SHA256

    2be193be042cba165da7fc1493364da154e09a8b96b74576181e9fea23e43299

    SHA512

    dff9c9b408d2959a098989adb52fdf6fa84dce05a9741110d9473f7edd65b9e1d75a3eb4b98def679c3a1cc914112c2aa916b9700d36b5601490a5aefda1f0ae

  • C:\Windows\{53468D78-D433-4dcf-9F00-C1387202F11C}.exe

    Filesize

    89KB

    MD5

    99e10952da40fcc88754d52ad4c8a3b7

    SHA1

    fea007714f5ff99bf64e72ce62df0f2505fea8fc

    SHA256

    ce1cae0381a3851ffcbddbb71cba7a8471dd4ac274d33f24f3febc78e75df6ec

    SHA512

    f5ed4d0fb3e8465d0d4627b458ecd8ebbc86c1a65d89b91e06cc747b9bb35619d8a7a1ef971566683e584ab3908ba2e73b0f323af5c6a09e946273dbc9417036

  • C:\Windows\{60EF6C0E-5DA7-4df6-B2E6-ACF42CAC8179}.exe

    Filesize

    89KB

    MD5

    f9d7e6cc758d7bffd8b3584c39e694da

    SHA1

    682d1ce916d0ccfbfe4d3f5df337728e539954c7

    SHA256

    161b3602453bbb794a66831f6d6627309bf05673b390c937a11bd94220d10412

    SHA512

    31ee800ca46c1ea7cec8aa3fe9eed06b3a419daf2cc3c7a72196bc95a5310475b5d881b6ccf0b78e8cfd5b225ee8bc383fe9bab213f014b40add46ec51f68b89

  • C:\Windows\{62752F86-E854-4a11-934F-B58A1809B08D}.exe

    Filesize

    89KB

    MD5

    df7594952542b0fe954a2ce44ff5ad1d

    SHA1

    f75fa2bc12554b19d3ef57efaebf54ed23e7821f

    SHA256

    fcb7949da350a0029a5142420c17316e13b59e2861203aecb110d967fcf8d3f8

    SHA512

    2f87e29aad125519a1a41d701a87aba27f59b169d720c1ca121edf30093a66cf6ee31b82aa81a38d2789adf48424df461344573bd5e5dda75eded144dbbea004

  • C:\Windows\{94A1CC5E-C7D4-419c-9865-D3580861523A}.exe

    Filesize

    89KB

    MD5

    3feca518762b2151678f40ab8d0d60cc

    SHA1

    c156fa4d5e9562c28efbc8648622bbe3bf9b8057

    SHA256

    67a3d9ef4fa8201629579b77a3c4cbbabe88db29130717d2918c7b376b72803d

    SHA512

    dbd6fc469e9567dedc221e634bb747e603dea3d44ab38d51cd539704aebe3b0226fad19cc617e82b80f006cce009e233ed25bda65d655fcfa8c9d3305f2554a9

  • C:\Windows\{9D0C6AD8-5609-48e9-9E39-451D652136F1}.exe

    Filesize

    89KB

    MD5

    22f152b8272bf336bec6ed1a26914a02

    SHA1

    29ed6f6aabfa66eb9b0b76ba91d80441604e689d

    SHA256

    dc9f3d06ed8c125bbb3fd55b85b5750c1e454eaf7a1ddbadf1c9d1c3e7dff8ff

    SHA512

    74998323cd85d5946f51fe4ab7749ce91ad24ce7e16fdd36540500435709cae6d46409c33a6d740a21cc27abf255df191c95f38205194bf30455874746bb91f5

  • C:\Windows\{A8355FB2-CE73-44d1-9061-41CD4313076B}.exe

    Filesize

    89KB

    MD5

    0563fd5a43f34a8b37c51b899444e8f5

    SHA1

    e9d8ff157f76f514e2acd6d04404cc8106e193cb

    SHA256

    e5bc3c0f9f9a63aaea73952a047dde66f0e4e2b127c9dc96fca3e2bdbdb8c12b

    SHA512

    de319eee26aa5d08fbf287769cef3effbc6e17eb80501dafbe3bba6cfeee6840b1acc19f45c88ddfb1730bc03958c8861ab589ca643f2b61eab6ce8d12532a53

  • C:\Windows\{BF87967B-902A-4dc7-9973-B5EB45CC0ADD}.exe

    Filesize

    89KB

    MD5

    590096b7fd145397058ceedf94a55dec

    SHA1

    12f4c5234926db0476b12ae0da186e7f942c0822

    SHA256

    add4777704e0a37d8f70ce98a7bb077600a947851fffb49359165cb41635d0c0

    SHA512

    d63beec1b0d343d25474ec0b6803bc5a6cc2482bcd1440ecde41f41e4043d1265355df93a1f4e4c6837035ae2675ceb1a56f6718bf53f2cef16cb95b3adb5f2a