Overview

overview

8

Static

static

3

dd524d23ac...0N.exe

windows7-x64

8

dd524d23ac...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/08/2024, 19:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dd524d23ac2dc7ff6679df3652ff49f0N.exe

  • Size

    89KB

  • MD5

    dd524d23ac2dc7ff6679df3652ff49f0

  • SHA1

    e4beb221ea156469a625bc2824268be9597f70fa

  • SHA256

    2fcf555ffeab3230e32fec7de9d2e9de9c2ba436245a14ce86aaba241fc3f679

  • SHA512

    9da24a6a41413daa51e108f18aa74c3750ce0724176709574d910e508d8a874d660d0087efe482383c6ee5ebfcdf3a8154590fa0f51905ff364ab6377aac0461

  • SSDEEP

    768:5vw9816thKQLron4/wQkNrfrunMxVFA3k:lEG/0onlbunMxVS3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd524d23ac2dc7ff6679df3652ff49f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\dd524d23ac2dc7ff6679df3652ff49f0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\{5735BDA2-EBD3-4bc6-9FC7-9F549A014C1A}.exe
      C:\Windows\{5735BDA2-EBD3-4bc6-9FC7-9F549A014C1A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\{EA8EF378-9456-45a8-B3C1-B0984F1DB1E3}.exe
        C:\Windows\{EA8EF378-9456-45a8-B3C1-B0984F1DB1E3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3364
        • C:\Windows\{907C535C-2C3D-47ba-B6F5-E6922FF09E3F}.exe
          C:\Windows\{907C535C-2C3D-47ba-B6F5-E6922FF09E3F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Windows\{A182EBB6-B43D-4cfb-8547-177DC87911FE}.exe
            C:\Windows\{A182EBB6-B43D-4cfb-8547-177DC87911FE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3792
            • C:\Windows\{8CFDFE26-AA85-4964-83B8-1A88F75DECC3}.exe
              C:\Windows\{8CFDFE26-AA85-4964-83B8-1A88F75DECC3}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1256
              • C:\Windows\{4D1A1558-EF5D-4d42-B687-6479FEC14892}.exe
                C:\Windows\{4D1A1558-EF5D-4d42-B687-6479FEC14892}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4216
                • C:\Windows\{69417108-04D4-4ebf-8601-5E60A26D3E99}.exe
                  C:\Windows\{69417108-04D4-4ebf-8601-5E60A26D3E99}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:556
                  • C:\Windows\{4913A454-F45A-4d72-ACCE-3A43EC3E7D18}.exe
                    C:\Windows\{4913A454-F45A-4d72-ACCE-3A43EC3E7D18}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1180
                    • C:\Windows\{D590800B-B312-44e1-A548-11A3EC22FF2B}.exe
                      C:\Windows\{D590800B-B312-44e1-A548-11A3EC22FF2B}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4560
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4913A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3308
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{69417~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2112
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4D1A1~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1080
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8CFDF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3552
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A182E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:392
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{907C5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EA8EF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5735B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DD524D~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:220

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{4913A454-F45A-4d72-ACCE-3A43EC3E7D18}.exe
          Filesize

          89KB

          MD5

          ffb327cccdbb04312ce21cdce6f3a609

          SHA1

          7c69be177c5f3599fb894814528ffeb0da01f21a

          SHA256

          184f33fb8da9c60636ee11362a61585eb0b70b9e0ec8e40a0d90a328a1327395

          SHA512

          a11d309ab983bf18ec3c7b88caf8134bec40a396f92f86c27fa396cf845771f3368a974689fb7f34ca70400adf6454e234f20833198c446057498a264688a88e

          Download Submit

        • C:\Windows\{4D1A1558-EF5D-4d42-B687-6479FEC14892}.exe
          Filesize

          89KB

          MD5

          bb4a549d4d5e80b07346fbd5836c5d9d

          SHA1

          e7984904175e95d01b1e0d82df00e12144bfdf4e

          SHA256

          6748f234fae622c5b9407cfc85bc9d6658d8e1d7d962c211e9768919de14b24b

          SHA512

          86cae32b25f3c45f3b1d9fe65cb74573f32810b5f69cd86b76bc3d27735ee407206b7a7cb502ef41a956c4ac6f1a5b92cf49cb4dce8e739285988781af7e33e1

          Download Submit

        • C:\Windows\{5735BDA2-EBD3-4bc6-9FC7-9F549A014C1A}.exe
          Filesize

          89KB

          MD5

          415315edb9dce2292397dcd1a759c850

          SHA1

          4431d7829d078e3f83104c681c4bc9d311a89129

          SHA256

          dfd1b3421e7269c5f8e1b63a06191495ee1d15ab3fcbb3238d651992f0680bd3

          SHA512

          86f5c4298f8147131c58fd86157c40a8eb95bc9940521b155d4a942c3a447e340e8e1fc2720ac50b963ebcb6ab233468c9799bd653fe1ce240ff7d6f23ad21b5

          Download Submit

        • C:\Windows\{69417108-04D4-4ebf-8601-5E60A26D3E99}.exe
          Filesize

          89KB

          MD5

          c12e37f165de206c1ff4efda9b5ab0f2

          SHA1

          a97de3421bcde92e1e8257793e37480da2e0918b

          SHA256

          618504d238a8b6c01148cd3a62937dad63aba231e4ccee90d8a9d1a39d9eb84f

          SHA512

          4653c4b9db6a512b3fde061116e2dc02dcac6f63d4aafb3a40e0243ae33a634cb4fc1e35c754f3ceb41fd37e72f009eed581a85f1b64383de935171d75ca9fec

          Download Submit

        • C:\Windows\{8CFDFE26-AA85-4964-83B8-1A88F75DECC3}.exe
          Filesize

          89KB

          MD5

          e198aafc7115e19af2253904dc14c1f3

          SHA1

          1d04b8f625ae837c7151f5ece9d0d44c78b464e7

          SHA256

          e5f28f2cbd935f97e1273c9d444ddc28f177e7d3095b34b800ac6f00d6256b2a

          SHA512

          098830e21feeef7090f50d3d2e4ed137c987f130323424132f61a62f5ab52b3c96a2fe7adebdd5a82768c15e54c5a6e52b0ba99d0b41fe9df468b8b8cdc127a8

          Download Submit

        • C:\Windows\{907C535C-2C3D-47ba-B6F5-E6922FF09E3F}.exe
          Filesize

          89KB

          MD5

          7d0a4706d9bfd12f806c91dcd242cd39

          SHA1

          fc563708569a62e986006a756b422e9ddc13f6de

          SHA256

          a1bdfdd39ecb2be633d7dc223703c4252a8dbd00d62ec8087e9bbc9183b66849

          SHA512

          2e81c4daaad69409aef12b2071ac8360fd103216295f5c18d6741162be2dcb6f84bc1cd984296d6c1ca43f79c403cb7a9f3234c0e58ab25217d73689f40e4716

          Download Submit

        • C:\Windows\{A182EBB6-B43D-4cfb-8547-177DC87911FE}.exe
          Filesize

          89KB

          MD5

          cd5eeb9117878aec82305428e42d6fed

          SHA1

          ea92bf3f3f54cf7f1dc0d1d3f20dac6b33c56b59

          SHA256

          9e622fdfb2165cd177784c23af0ae46a616f1688575405008ba53e232816673f

          SHA512

          a71b01ecdeeda6ff39610480c7fee45191261bcd9b28010bf9ea53560f1a29d4d715549c51e875be8799ab064dbb090b75cdc93338d9858176c673e09662544e

          Download Submit

        • C:\Windows\{D590800B-B312-44e1-A548-11A3EC22FF2B}.exe
          Filesize

          89KB

          MD5

          4704f0936838b3a71403e49bea387057

          SHA1

          9a407c6c1e81cc85558e3941bc13e67fe52395d8

          SHA256

          d87e23602cc0fe06736b54a7ddaa42d0a9ca435ac571928503d67f4317f5aacb

          SHA512

          65a172d4aa93438a098e77c166ce71a2d49e7baa2376634fb2bd02ff95b83ca3f6c0152b0dbbe90fa696f293d05e4aefa93aff58ca0bf932a075678ddf0fb285

          Download Submit

        • C:\Windows\{EA8EF378-9456-45a8-B3C1-B0984F1DB1E3}.exe
          Filesize

          89KB

          MD5

          e2ed3fc7c0f2c8ebc4faf28fc78ad4be

          SHA1

          8ca2fdab54eb55ae432df54de4249a84b4e16f24

          SHA256

          72f4306aea702ee6fa2848217cd301a675e3e87c203b6eba6c0795a776bebf34

          SHA512

          4e8ce901b796d9cec3bd21de7c3d97adf041e4637a86ee5f3390373451c95b6994b87421e998f40a0fc27cd40c9b8caf9251e6bd0b6e395d9b7ddcd244b8e2e4

          Download Submit

        • memory/556-40-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/556-44-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/896-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/896-6-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1180-45-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1180-50-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1256-32-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2740-21-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3364-17-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3364-12-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3792-28-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3792-22-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4196-11-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4196-4-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4216-37-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4216-33-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4560-52-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download