Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-08-2024 20:32

General

  • Target

    34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe

  • Size

    60KB

  • MD5

    9e924bb39dc3dc7bdd6f49e7a9a9c62b

  • SHA1

    04a64a2b79a18419b47248a9fc4f78c0806a8ab9

  • SHA256

    34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0

  • SHA512

    371ce4f677014790d549a36479fd6b526d845cfd27ad72b584d44463eaaa6ed0a93bffac33659db6b9980edc955c34058067b56689f0edd321d142889de9cdfb

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroT4/CFsrdHWMZ:vvw9816vhKQLroT4/wQpWMZ

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
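
The Active Setup signature above says only that a registry key was added; the report does not list the key. As an added triage example (not part of this report or of the sandbox's own tooling), the following script parses a .reg export of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and flags StubPath values that look like dropped persistence rather than vendor components. The embedded .reg fragment is constructed: the IE entry mirrors the stock Windows 7 component, and the GUID {ABCDEF01-2345-4678-9ABC-DEF012345678} is hypothetical, chosen only to mirror the {GUID}.exe naming of the files dropped into C:\Windows by this sample.

```python
import re

# Constructed .reg export fragment for illustration. It is NOT a dump of the
# keys this sample wrote (the report does not list them). The first entry
# mirrors the Internet Explorer component normally present on Windows 7; the
# second is a hypothetical GUID-named stub in the style of the dropped files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"Version"="11,0,9600,16428"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ABCDEF01-2345-4678-9ABC-DEF012345678}]
"StubPath"="C:\\Windows\\{ABCDEF01-2345-4678-9ABC-DEF012345678}.exe"
"Version"="1,0,0,0"
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
KEY_RE = re.compile(
    r"^\[(HKEY_[^\]]*\\Active Setup\\Installed Components\\(\{[^}]+\}))\]$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_installed_components(reg_text):
    """Return one dict per Installed Components subkey with its string values.
    Active Setup runs a component's StubPath at logon whenever the HKCU copy
    of the key is missing or carries a lower Version than the HKLM one."""
    components, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(1), "guid": m.group(2)}
            components.append(current)
            continue
        if line.startswith("["):      # some unrelated key: stop collecting
            current = None
            continue
        v = VALUE_RE.match(line) if current is not None else None
        if v:
            # .reg escapes backslashes as "\\"; undo that for path handling
            current[v.group("name")] = v.group("data").replace("\\\\", "\\")
    return components


def stub_executable(stub_path):
    """Strip arguments from a StubPath value (quoted or first-token form)."""
    stub_path = stub_path.strip()
    if stub_path.startswith('"'):
        end = stub_path.find('"', 1)
        return stub_path[1:end] if end > 0 else stub_path[1:]
    return stub_path.split(" ", 1)[0]   # unquoted paths containing spaces are not handled


def assess(component):
    """Heuristic reasons a StubPath looks like malware persistence."""
    stub = component.get("StubPath")
    if not stub:
        return []
    exe = stub_executable(stub).lower()
    directory, _, filename = exe.rpartition("\\")
    reasons = []
    if directory in ("c:\\windows", "%systemroot%", "%windir%"):
        reasons.append("executable dropped directly in the Windows root")
    if filename.endswith(".exe") and GUID_RE.fullmatch(filename[:-4]):
        reasons.append("GUID-named executable")
    if any(t in exe for t in ("\\temp\\", "\\appdata\\", "\\users\\", "\\programdata\\")):
        reasons.append("executable in a user-writable directory")
    return reasons


def suspicious_active_setup(reg_text):
    """(guid, StubPath, reasons) for every component that trips a heuristic."""
    return [(c["guid"], c["StubPath"], assess(c))
            for c in parse_installed_components(reg_text) if assess(c)]


if __name__ == "__main__":
    for guid, stub, reasons in suspicious_active_setup(SAMPLE_REG):
        print(guid, stub, "; ".join(reasons))
```

On a live host the same check is done against the registry directly (for example `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` and feeding that file in); on x64 also export the Wow6432Node copy of the key, since a 32-bit dropper writes there. The heuristics are deliberately narrow; a benign component with an odd StubPath is still worth a signature check before it is treated as a hit.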

Processes

  • C:\Users\Admin\AppData\Local\Temp\34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe
    "C:\Users\Admin\AppData\Local\Temp\34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\{317D0AE5-74FD-4440-9DB4-2C684866A5D4}.exe
      C:\Windows\{317D0AE5-74FD-4440-9DB4-2C684866A5D4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\{0AD3321A-0C0B-4342-893B-39C093D790BC}.exe
        C:\Windows\{0AD3321A-0C0B-4342-893B-39C093D790BC}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\{6EDFEF8C-283C-48a2-ABE5-C970D4F8131F}.exe
          C:\Windows\{6EDFEF8C-283C-48a2-ABE5-C970D4F8131F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Windows\{6B6C004C-0EF1-4bb4-8274-C2DD0982A555}.exe
            C:\Windows\{6B6C004C-0EF1-4bb4-8274-C2DD0982A555}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1392
            • C:\Windows\{6FC14133-05D9-4150-8BFF-E855890020FE}.exe
              C:\Windows\{6FC14133-05D9-4150-8BFF-E855890020FE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1676
              • C:\Windows\{2BA04863-D3C6-47f2-9468-1B087D8B854E}.exe
                C:\Windows\{2BA04863-D3C6-47f2-9468-1B087D8B854E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2756
                • C:\Windows\{08102070-2722-48c9-9995-EF496607470F}.exe
                  C:\Windows\{08102070-2722-48c9-9995-EF496607470F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1836
                  • C:\Windows\{14BEA690-5D75-4ea9-BD7A-ED609E6965C7}.exe
                    C:\Windows\{14BEA690-5D75-4ea9-BD7A-ED609E6965C7}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1044
                    • C:\Windows\{04F52658-F76A-415c-845A-696467352D23}.exe
                      C:\Windows\{04F52658-F76A-415c-845A-696467352D23}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2500
                      • C:\Windows\{0ADFEB8E-C295-4e8a-8D37-B42C92FA7E5C}.exe
                        C:\Windows\{0ADFEB8E-C295-4e8a-8D37-B42C92FA7E5C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:112
                        • C:\Windows\{CFF02C66-F0CC-4187-97A1-4757800FA0D7}.exe
                          C:\Windows\{CFF02C66-F0CC-4187-97A1-4757800FA0D7}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2988
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0ADFE~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2044
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{04F52~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2380
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{14BEA~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2408
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{08102~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1052
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA04~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1848
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{6FC14~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2760
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6B6C0~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6EDFE~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD33~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1012
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{317D0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\34B44F~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2676
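
The tree shows a fixed pattern: each stage drops a {GUID}.exe into C:\Windows, executes it, and in parallel spawns cmd.exe to delete its own image by 8.3 short name (`{317D0~1.EXE` for `{317D0AE5-...}.exe`) with output sent to nul. Note that the cmd.exe image path is C:\Windows\SysWOW64 while the command line says system32: that is file-system redirection for a 32-bit process on x64, so any rule should key on the image basename, not its directory. As an added detection example (not part of this report or the sandbox), the script below runs that logic over constructed Sysmon-style process-creation records abridged from the tree above (the submitted sample, the first two dropped stages and their cmd.exe children; the parent of PID 2652 is not shown in the report, so it is left as None). The 8.3 matching is an approximation of how Windows derives short names (first six characters of the long name, then `~N`), which is enough for these names but not a full implementation.

```python
import re

# Constructed Sysmon-style process-creation records, abridged from the process
# tree in this report: the submitted sample, the first two dropped stages and
# each stage's cmd.exe child. The parent of PID 2652 is not shown in the
# report, so its ppid is None here.
EVENTS = [
    {"pid": 2652, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe"'},
    {"pid": 2968, "ppid": 2652,
     "image": r"C:\Windows\{317D0AE5-74FD-4440-9DB4-2C684866A5D4}.exe",
     "cmdline": r"C:\Windows\{317D0AE5-74FD-4440-9DB4-2C684866A5D4}.exe"},
    {"pid": 2676, "ppid": 2652,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\34B44F~1.EXE > nul"},
    {"pid": 2828, "ppid": 2968,
     "image": r"C:\Windows\{0AD3321A-0C0B-4342-893B-39C093D790BC}.exe",
     "cmdline": r"C:\Windows\{0AD3321A-0C0B-4342-893B-39C093D790BC}.exe"},
    {"pid": 2804, "ppid": 2968,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{317D0~1.EXE > nul"},
    {"pid": 1012, "ppid": 2828,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD33~1.EXE > nul"},
]

# {GUID}.exe sitting directly in the Windows root, as in the tree above
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe$", re.I)
# first path argument of a "del" inside a cmd.exe command line
DEL_RE = re.compile(r'\bdel\s+"?(?P<path>[^\s">]+)', re.I)


def short_name_matches(short_path, full_path):
    """Approximate 8.3 check: same directory, long name starts with the short
    stem ('{317D0' for '{317D0~1.EXE') and the extension prefixes agree."""
    short_dir, _, short_name = short_path.upper().rpartition("\\")
    full_dir, _, full_name = full_path.upper().rpartition("\\")
    if short_dir != full_dir:
        return False
    m = re.match(r"^(.+?)~\d+(\.[^.]*)?$", short_name)
    if not m:
        return False
    stem, ext = m.group(1), m.group(2) or ""
    full_stem, dot, full_ext = full_name.rpartition(".")
    if not dot:
        full_stem, full_ext = full_name, ""
    ext_ok = (not ext) or ("." + full_ext).startswith(ext)
    return full_stem.startswith(stem) and ext_ok


def detect_self_deletion(events):
    """cmd.exe children whose 'del' target is their own parent's image file."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):   # basename only: SysWOW64 or System32
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and short_name_matches(m.group("path"), parent["image"]):
            hits.append({"cmd_pid": e["pid"], "deleted_image": parent["image"],
                         "by_parent_pid": parent["pid"]})
    return hits


def longest_guid_chain(events):
    """Length of the longest parent->child run of {GUID}.exe stages in C:\\Windows."""
    by_pid = {e["pid"]: e for e in events}
    cache = {}

    def depth(e):
        if e["pid"] in cache:
            return cache[e["pid"]]
        d = 0
        if GUID_EXE_RE.match(e["image"]):
            parent = by_pid.get(e["ppid"])
            d = 1 + (depth(parent) if parent else 0)
        cache[e["pid"]] = d
        return d

    return max((depth(e) for e in events), default=0)


if __name__ == "__main__":
    print("GUID-named stage chain length:", longest_guid_chain(EVENTS))
    for h in detect_self_deletion(EVENTS):
        print("cmd.exe", h["cmd_pid"], "deletes image of PID", h["by_parent_pid"], h["deleted_image"])
```

Either condition alone is a weak signal (installers delete their own temp files; some setups drop GUID-named files), but a chain of GUID-named executables under the Windows root where every link also self-deletes is specific enough to alert on. On the full tree in this report the chain is eleven stages deep and every stage but the last spawns a matching del.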

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{04F52658-F76A-415c-845A-696467352D23}.exe

    Filesize

    60KB

    MD5

    503e26d76374c164c094f0ceb9ea3bea

    SHA1

    bfa7df08da53742fdbd0d4dead61b5f1a080b9bb

    SHA256

    a36ecf526de314bd7dbee42e3ea6026ac8746a227866215bea34c82942baa686

    SHA512

    458c763e9981fa11183ab3bd74411089319b4f1f070b65e15d21c3d677c0870de20fe395785ecd56c18b1c77f28b10b2f2509ccab9eb88a47212cca8c4aba692

  • C:\Windows\{08102070-2722-48c9-9995-EF496607470F}.exe

    Filesize

    60KB

    MD5

    a6b42356f849a336a0dcec2f404e5c7b

    SHA1

    68ba44a29cbddb2f388fc320a322ba2e8a932ead

    SHA256

    76a7c04757a59111eeb31ff1287a04de0454e010ea3c4ff02edd0bda91f01c35

    SHA512

    643fee8fffb175e052cdcb6ca5f976e614102009ef0469b66ec84959a28ae52fbe70c9389935da7a731420bc555659df9768303c0e2ecad76dd40391d9bf1fef

  • C:\Windows\{0AD3321A-0C0B-4342-893B-39C093D790BC}.exe

    Filesize

    60KB

    MD5

    8af69026810fae751811141163c6681e

    SHA1

    a406c2ec3951f5d49c94a567cae7f57130979d0d

    SHA256

    94379e45dfb31e269e71afd119d1f4857dffecc451d95111017adae410648951

    SHA512

    061f6092a671e45406dae6f4d039dc715f0fc1ecebeb76b4a4bf3cd20f20a41e4f4b88dea5ed4764e97f34a5aac13cf2a2c6ca9a2b8d63987704ba7e9bae96e5

  • C:\Windows\{0ADFEB8E-C295-4e8a-8D37-B42C92FA7E5C}.exe

    Filesize

    60KB

    MD5

    3bd20cbefb0b9d69b81e55504cc1ac6f

    SHA1

    eacaff82da7ba33c674086f302433775c6cc95ea

    SHA256

    17a7fd0cd9dbe6af63d61b064f284e572fb7fb4cd244b5c12ef16d2742652725

    SHA512

    549891605c719c616c39d660cdc4d6c8a5f0b4f1ee8496c20cce29c972afb6a443262cba4d0af46a221a8e173efbf426c98ac8da07a878ab2a179a18dbe362e5

  • C:\Windows\{14BEA690-5D75-4ea9-BD7A-ED609E6965C7}.exe

    Filesize

    60KB

    MD5

    23ec68ea8ccb002de03f88544dcaa4bf

    SHA1

    9859f227d3da530a9c5b2a30372018d4014822f8

    SHA256

    382e87337d7a05696024c5b52d9b3fdacc5394e88b065d85b409089b10b4c797

    SHA512

    f530ae0c91b626bcf5cfd36361b4cdfdd1051110a8d4581ed9470e2ea773fbcede91fa102bff3c1eab2cdb703ac1dfca6ab67d4fb4c2b1639207639bacac36e0

  • C:\Windows\{2BA04863-D3C6-47f2-9468-1B087D8B854E}.exe

    Filesize

    60KB

    MD5

    9a693f807552d69704c75d45889b285e

    SHA1

    961fa8c4c6b146cece6706c77251107e7a60c8bf

    SHA256

    7bc58aa2226ce3716c06481a39b1ecca86707424c1e0a42d527317eeb5fd4b38

    SHA512

    042c1cb0738e83763b22decb4c4c9e46adc85e196fa9c05dec43c783954261986d415c744b8f762d5f6e4315e298618eb757bf2211d4292cd39b9e058175e71e

  • C:\Windows\{317D0AE5-74FD-4440-9DB4-2C684866A5D4}.exe

    Filesize

    60KB

    MD5

    c884202524d83870f74ef74c8fecfe60

    SHA1

    f680f6dfed84011a4acf28cac9193c7f8bfecf02

    SHA256

    6b5576378cd04c51ea1aa917f36551c6ebe60e0e1e1c5b38d0515e783e6da72e

    SHA512

    e9dcc9d90116b649f78a646f9c67b6f2753d54ba2893fb9f3634951031fa7cdadba4a80b34df829af84a14e59f197860a419f82b20910f4b8d9860e0970034b4

  • C:\Windows\{6B6C004C-0EF1-4bb4-8274-C2DD0982A555}.exe

    Filesize

    60KB

    MD5

    b3ef51bb9b96e0ba0bb21f7b7a06051f

    SHA1

    ae3c83ac883920025c1dc4c82d83714ce361c596

    SHA256

    9a012ebcc5fabaf607baad59eea65c70ce2950f19ff2efd7ca52e52aaf8b5803

    SHA512

    def3341dcf392f0832a7b2258db99a05e75171898348eb8fd835f4dc49ed655fae4b0236cca0513ec102649d4dcbe2ff6e4eab0c416bb0f9b1c8051a9e5147b0

  • C:\Windows\{6EDFEF8C-283C-48a2-ABE5-C970D4F8131F}.exe

    Filesize

    60KB

    MD5

    799abbaafa13c91b47be9d5c5ac835e4

    SHA1

    1bc22ad3eab7fd8b9ddd3332b187cfe1ebd34e50

    SHA256

    2e1cdcfa1f9d5addacd4a4dc325255110334bb461d432b20c4a7dc77f4e0c14c

    SHA512

    00afbfa448f4fd8fcea79a811ec3cada971126b300cd7191d240611f491e3dc4d779645e0563180a3cd5a744bdfd76191f7d35acd9ba8aca31331c4321151dc5

  • C:\Windows\{6FC14133-05D9-4150-8BFF-E855890020FE}.exe

    Filesize

    60KB

    MD5

    61eb894cfd3208001c0ef64347169eb7

    SHA1

    84b35f22f08186d495bc0cc78b0a2a5b1c29b961

    SHA256

    2ce5e85c53fbb888fa11df118e49359ee1feb87a0a0a4388cadad8f0c387a14e

    SHA512

    29846a025504ece3b1e157c20139dc976e5d80d8b702c3171c4db60756ad0e520d3d6a05541c6cbce55b79cd2b25f94f95f90ca8ba3484fad3f4f3264920eca2

  • C:\Windows\{CFF02C66-F0CC-4187-97A1-4757800FA0D7}.exe

    Filesize

    60KB

    MD5

    5dd683aebcac06768f16c8b3a03818e8

    SHA1

    dfb3a4f8ec2e8f05c33058f70036d5058c26177e

    SHA256

    cac647e7418c883eb1bd7ae33183087e7de1c31e962c6fdf5d8d0a074d3e4e14

    SHA512

    33ca470bc111530f027bc3929b644bbd578437641d120d089d0c11dc8b69aa67f6967264356677b1d99f20b321d7b0f6973cd7df1c23c8a4bc89960c9994d6d6