Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    07/08/2024, 20:32

General

  • Target

    34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe

  • Size

    60KB

  • MD5

    9e924bb39dc3dc7bdd6f49e7a9a9c62b

  • SHA1

    04a64a2b79a18419b47248a9fc4f78c0806a8ab9

  • SHA256

    34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0

  • SHA512

    371ce4f677014790d549a36479fd6b526d845cfd27ad72b584d44463eaaa6ed0a93bffac33659db6b9980edc955c34058067b56689f0edd321d142889de9cdfb

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroT4/CFsrdHWMZ:vvw9816vhKQLroT4/wQpWMZ

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
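
The Active Setup signature above names the mechanism but the report does not list the key that was written. Active Setup works like this: at each interactive logon, Windows walks HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}; for every subkey with a StubPath, if HKCU\Software\Microsoft\Active Setup\Installed Components lacks that {GUID} (or holds a lower Version) and IsInstalled is not 0, the StubPath command is run in the user's context and the HKCU copy is written. The script below is an added example, not part of the sandbox report or the sample: it parses a "reg export" of both hives offline, decides which entries would fire at the next logon, and flags stubs whose target is a {GUID}.exe sitting directly in the Windows directory or otherwise outside System32, SysWOW64 and Program Files. The .reg text, the GUIDs and the StubPath values in it are constructed for the example.

```python
"""Offline audit of Active Setup entries from a 'reg export' file. Added example;
the .reg text below is constructed and its GUIDs are placeholders, not values
taken from the report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTIVE_SETUP = r"software\microsoft\active setup\installed components"
# Directories a legitimate StubPath normally points into; anything else is worth a look.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
GUID_EXE_IN_WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.IGNORECASE)
KEY_LINE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')


@dataclass
class Component:
    hive: str                  # "HKLM" (what may run) or "HKCU" (what already ran for this user)
    guid: str
    values: Dict[str, str] = field(default_factory=dict)


def parse_reg_export(text: str) -> Dict[Tuple[str, str], Component]:
    """Collect the Installed Components subkeys of both hives from .reg text."""
    comps: Dict[Tuple[str, str], Component] = {}
    current: Optional[Component] = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            current = None
            if k.group(2).lower() == ACTIVE_SETUP:
                hive = "HKLM" if k.group(1) == "HKEY_LOCAL_MACHINE" else "HKCU"
                current = Component(hive, k.group(3).upper())
                comps[(hive, current.guid)] = current
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            name, s, dword = v.groups()
            # .reg files escape backslashes and quotes inside string values.
            current.values[name] = (str(int(dword, 16)) if s is None
                                    else s.replace('\\"', '"').replace("\\\\", "\\"))
    return comps


def version_tuple(v: Optional[str]) -> Tuple[int, ...]:
    """Active Setup versions are comma separated ("1,0,0,0"); missing means lowest."""
    return tuple(int(x) for x in v.replace(".", ",").split(",")) if v else (0,)


def stub_target(stub: str) -> str:
    """Executable named by a StubPath command line: the quoted path, or the first token
    (an unquoted path containing spaces is not handled here)."""
    s = stub.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def audit(comps: Dict[Tuple[str, str], Component]) -> List[dict]:
    """For each HKLM component with a StubPath: will Windows run it at the next logon
    (no HKCU copy, or a lower HKCU Version, and IsInstalled != 0), and does the target
    look out of place?"""
    out = []
    for (hive, guid), c in comps.items():
        if hive != "HKLM" or "StubPath" not in c.values:
            continue
        user = comps.get(("HKCU", guid))
        runs = c.values.get("IsInstalled", "1") != "0" and (
            user is None
            or version_tuple(c.values.get("Version")) > version_tuple(user.values.get("Version")))
        target = stub_target(c.values["StubPath"]).lower()
        reasons = []
        if GUID_EXE_IN_WINDOWS_ROOT.match(target):
            reasons.append("guid-named exe directly in the Windows directory")
        # Bare names (regsvr32.exe ...) resolve from the system path; explicit paths must be trusted.
        if "\\" in target and not target.startswith(TRUSTED_DIRS):
            reasons.append("stub outside System32/SysWOW64/Program Files")
        out.append({"guid": guid, "stub": c.values["StubPath"], "runs_at_next_logon": runs,
                    "suspicious": bool(reasons), "reasons": reasons})
    return out


# Constructed export: one entry modelled on a stock Windows component that this user has
# already run (HKCU Version matches), and one hypothetical entry of the kind the signature
# describes. Both GUIDs are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-0000000000A1}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="11,0,19041,1"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\{11111111-2222-3333-4444-555555555555}.exe"
"Version"="1,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-0000000000A1}]
"Version"="11,0,19041,1"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

On a live host the two exports come from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" hklm.reg` and the HKCU equivalent, run as the user being investigated; note that on a 64-bit system a 32-bit sample may also write under the WOW6432Node path, which this parser does not cover.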

Processes

  • C:\Users\Admin\AppData\Local\Temp\34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe
    "C:\Users\Admin\AppData\Local\Temp\34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Windows\{C6CE7989-E410-48a9-948A-B806932EE7A8}.exe
      C:\Windows\{C6CE7989-E410-48a9-948A-B806932EE7A8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\{5975BF96-DE54-4532-82FC-77E9F1452589}.exe
        C:\Windows\{5975BF96-DE54-4532-82FC-77E9F1452589}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\{73BC2608-0F8C-48b7-AC34-5D6C42C4170B}.exe
          C:\Windows\{73BC2608-0F8C-48b7-AC34-5D6C42C4170B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3924
          • C:\Windows\{FC42199A-77FA-49eb-A9D8-087D4A86A605}.exe
            C:\Windows\{FC42199A-77FA-49eb-A9D8-087D4A86A605}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2944
            • C:\Windows\{8341CEB7-66D9-4a66-BD64-EEC75B43B497}.exe
              C:\Windows\{8341CEB7-66D9-4a66-BD64-EEC75B43B497}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4452
              • C:\Windows\{C916892C-BC43-4acf-BEF5-A16BC8B1458D}.exe
                C:\Windows\{C916892C-BC43-4acf-BEF5-A16BC8B1458D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:924
                • C:\Windows\{84510101-AF3B-4cd8-9E24-0E7B47D3659A}.exe
                  C:\Windows\{84510101-AF3B-4cd8-9E24-0E7B47D3659A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1956
                  • C:\Windows\{C567E8CC-23F3-47c0-B1AF-5E6BFE8C7E24}.exe
                    C:\Windows\{C567E8CC-23F3-47c0-B1AF-5E6BFE8C7E24}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1260
                    • C:\Windows\{2BD0E09A-04EB-41c7-BF49-ED4F12673F2C}.exe
                      C:\Windows\{2BD0E09A-04EB-41c7-BF49-ED4F12673F2C}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1988
                      • C:\Windows\{56B31342-E499-4127-9148-030728BC372F}.exe
                        C:\Windows\{56B31342-E499-4127-9148-030728BC372F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2448
                        • C:\Windows\{DDBE6AE2-A280-44b5-AAB2-46B62CE956B1}.exe
                          C:\Windows\{DDBE6AE2-A280-44b5-AAB2-46B62CE956B1}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:644
                          • C:\Windows\{AA760144-3A6B-4601-AEF1-B75B8E448851}.exe
                            C:\Windows\{AA760144-3A6B-4601-AEF1-B75B8E448851}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3504
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{DDBE6~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3624
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{56B31~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4712
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BD0E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2492
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C567E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4840
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{84510~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4156
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C9168~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2348
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8341C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3208
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{FC421~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5092
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{73BC2~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5975B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3248
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6CE7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\34B44F~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1332
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4340,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:8
    1⤵
      PID:3504
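
The process tree above shows the same three-step pattern at every depth: a stage writes a {GUID}.exe directly into C:\Windows, launches it, and then spawns cmd.exe /c del on its own 8.3 short name (e.g. {C6CE7~1.EXE for {C6CE7989-...}.exe) with output sent to nul. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line says system32, which is the normal file-system redirection for a 32-bit process (see the arch:x86 tag). The script below is an added example, not sandbox output: it runs simple detection logic over constructed process-creation records modelled on the report's command lines (only the first three stages and two benign processes are reproduced, and the parent PID 1000 is assumed). It flags GUID-named executables in the Windows directory root, links each cmd.exe deletion to the parent whose image it deletes, and measures the length of the drop-and-execute chain.

```python
"""Detection logic for the drop -> execute -> self-delete chain. Added example run over
constructed process-creation records (modelled on the report; not sandbox output)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A {GUID}.exe directly in the Windows directory (not a subfolder) is not something the
# OS itself does; every stage in the tree above matches it.
GUID_EXE_IN_WINDOWS_ROOT = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)
# "cmd.exe /c del <path> > nul": the path in the report is an 8.3 short name without
# spaces, so one \S+ token suffices here; a quoted long path would need a wider capture.
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if an 8.3 name such as C:\\Windows\\{C6CE7~1.EXE refers to long_path: same
    directory, same extension, and the long file name starts with the characters before
    the '~'. Without a '~' the names are compared directly."""
    sdir, _, sfile = short_path.lower().rpartition("\\")
    ldir, _, lfile = long_path.lower().rpartition("\\")
    if sdir != ldir:
        return False
    if "~" not in sfile:
        return sfile == lfile
    sstem, _, sext = sfile.rpartition(".")
    lstem, _, lext = lfile.rpartition(".")
    return sext == lext and lstem.startswith(sstem.split("~", 1)[0])


def analyse(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs: GUID-named stage binaries, and cmd.exe children whose
    'del' target is their own parent's image (the self-deletion step)."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        if GUID_EXE_IN_WINDOWS_ROOT.match(p.image):
            findings.append((p.pid, "guid_exe_in_windows_root"))
        m = CMD_DEL.search(p.cmdline)
        if m and p.image.lower().endswith("\\cmd.exe"):
            parent = by_pid.get(p.ppid)
            if parent and short_name_matches(m.group(1), parent.image):
                findings.append((p.pid, "parent_self_delete"))
    return findings


def longest_stage_chain(procs: List[Proc]) -> int:
    """Length of the longest parent->child run of GUID-named stage binaries."""
    by_pid = {p.pid: p for p in procs}

    def depth(p: Proc) -> int:
        if not GUID_EXE_IN_WINDOWS_ROOT.match(p.image):
            return 0
        parent = by_pid.get(p.ppid)
        return 1 + (depth(parent) if parent else 0)

    return max((depth(p) for p in procs), default=0)


# Constructed records. Paths and PIDs follow the report; parent PID 1000 is assumed.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "34b44f89d8123b335fe064d7b38ebfdfde0370a3c06bb00b3758a7fe16341cc0.exe")
W = "C:\\Windows\\"
S1, S2, S3 = (W + "{C6CE7989-E410-48a9-948A-B806932EE7A8}.exe",
              W + "{5975BF96-DE54-4532-82FC-77E9F1452589}.exe",
              W + "{73BC2608-0F8C-48b7-AC34-5D6C42C4170B}.exe")
CMD_IMAGE = W + "SysWOW64\\cmd.exe"           # 32-bit stage: system32 is redirected
DEL = W + "system32\\cmd.exe /c del "
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
EVENTS = [
    Proc(3540, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(4704, 3540, S1, S1),
    Proc(1332, 3540, CMD_IMAGE, DEL + "C:\\Users\\Admin\\AppData\\Local\\Temp\\34B44F~1.EXE > nul"),
    Proc(1576, 4704, S2, S2),
    Proc(4832, 4704, CMD_IMAGE, DEL + W + "{C6CE7~1.EXE > nul"),
    Proc(3924, 1576, S3, S3),
    Proc(3248, 1576, CMD_IMAGE, DEL + W + "{5975B~1.EXE > nul"),
    # Benign noise: the Edge utility process from the report and a normal shell.
    Proc(2000, 1000, EDGE, f'"{EDGE}" --type=utility --lang=en-US'),
    Proc(2001, 1000, W + "explorer.exe", W + "explorer.exe"),
]

if __name__ == "__main__":
    for pid, what in analyse(EVENTS):
        print(pid, what)
    print("longest stage chain:", longest_stage_chain(EVENTS))
```

The same two conditions translate directly into a process-creation rule (Sysmon Event ID 1 or Security 4688 with command-line auditing): Image matching `C:\Windows\{*-*-*-*-*}.exe`, and CommandLine matching `cmd.exe /c del * > nul` where the deleted name's prefix before `~` equals the start of ParentImage's file name. Because each stage deletes its predecessor, acquire the dropped files from the sandbox (the Downloads list below) rather than from disk on an infected host.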

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\{2BD0E09A-04EB-41c7-BF49-ED4F12673F2C}.exe

            Filesize

            60KB

            MD5

            4cb38f8d861052993d89d09bcbb2acf7

            SHA1

            84f63cfdf7f1ccf736cdedad6b8599e0f2e21005

            SHA256

            f972a1bb51067156d85f07332ce866ac60aee2fe2e501332cddf5d71cd75f434

            SHA512

            4fa345e79331ef282c033ff4ffb182698f6a96b4dcb8d81b4f1c3848e1ef052b75affebfe4ffb819c351da7d549584f45989f14b206018c6cfed750e7b748e5d

          • C:\Windows\{56B31342-E499-4127-9148-030728BC372F}.exe

            Filesize

            60KB

            MD5

            22c4f1465591b122db1d59bd780f96f8

            SHA1

            e45cec95c1e2e02241a7cc4b9b7411100c9f50a6

            SHA256

            309eb6f48f71eb7f230ff4b13c5ff56f03473ccff77f03bc3aa9e59bd885ca44

            SHA512

            02fc3dddccdf49599cc5e6fad8ad74dcfc96f4e41b70e7e633a140ed6028220470e0d03c87113c90d993e30b0a89feed39e709b093e7de5191331148ef98e717

          • C:\Windows\{5975BF96-DE54-4532-82FC-77E9F1452589}.exe

            Filesize

            60KB

            MD5

            eef1645effb5b6c66accbd71c49288d2

            SHA1

            1f61863fd0a95ca5e0347c7da420fee109c305ad

            SHA256

            5403b027e83667367ba5d1b00605bc04bdd2665cc73dec47e331ff36ea897120

            SHA512

            8f79773653a498fd79ef2cedf2c9139887bf0d9e4fbd1d6bff8195791aebda71e33a296d448f6ccaf12ad74e3e3fd5a06317a5f2a38c9bb396e082e0670fdd22

          • C:\Windows\{73BC2608-0F8C-48b7-AC34-5D6C42C4170B}.exe

            Filesize

            60KB

            MD5

            0f8129c162d6d74e8d56cbf6fad70270

            SHA1

            1e4fb79852086552c145e014bf4a72427ca49337

            SHA256

            dafb2a524f8489472a12d54ad23e778084e02d5b8829b2586cc0728bec98fa4e

            SHA512

            7466b3ba72c00cf0c6e5287aefffae97b1b390f702e6f5391bf90f46f71d56e0f434220e7e0c3075213ee083267063fa8a459834138eb206b188e12fe723e86d

          • C:\Windows\{8341CEB7-66D9-4a66-BD64-EEC75B43B497}.exe

            Filesize

            60KB

            MD5

            a141202ba0513ba803d9614477b8d322

            SHA1

            1d27ab31ec466f48943bcf1c968c4efe762ceb85

            SHA256

            cd551aef3d3a07496742630b21656437778bc0ca122f2d3cd2eae7c68907badb

            SHA512

            fc33265a1d6b03f1de549a320a3f1387d2175462e273ea3ddbb30a7eb87749ac97957472643e2c79013aa049e15d72e048331118e59aa89db980fea3734ed30f

          • C:\Windows\{84510101-AF3B-4cd8-9E24-0E7B47D3659A}.exe

            Filesize

            60KB

            MD5

            9a657be41bfe0896cbca549efd6cf803

            SHA1

            2c8c7dd99501eef6b06a3a08b15731e39f5afb18

            SHA256

            7229b4cfd62819e0872dd2465dc78647091072c21a6e9c93cb29f00edc5524e0

            SHA512

            283e0224f1a20890d0809a8c23ff8f108465b8064477c0959cdb20a58b057f53ca901974be12368474b9f2dd8783216f56e9d4962baa5923b54326559420debc

          • C:\Windows\{AA760144-3A6B-4601-AEF1-B75B8E448851}.exe

            Filesize

            60KB

            MD5

            4beed2e0fc286632a3ba236ccbef0c54

            SHA1

            0a53715d824e51e5eb3d73cba826758c9a803dbc

            SHA256

            9ae8cdd1d9e2f76f5f6dd66a694d2b5f8a2ed755e1b83adc79826c7fbaa3f4c6

            SHA512

            ac72d596582ef0347bca6a9d785eabcf12debc95a56cea8a8f80427e71f80ffc084cd489cf6726fcc1a5e0377d6bd34b2dac928c060d8f2a4ca051a02d1281c9

          • C:\Windows\{C567E8CC-23F3-47c0-B1AF-5E6BFE8C7E24}.exe

            Filesize

            60KB

            MD5

            44824aec46ca0520f022aa620a980497

            SHA1

            38c34f6513257415252ac5d99f31d86e62e345c1

            SHA256

            0231d9019a86acbdd5613435af52b12f3f3777895690e276b5d2a543d425fc04

            SHA512

            4eb0db9b616895633064ccb2b1447846a6b11187f771d6ac7b4882d629015f08789cf7d6d5f16745be48c079cfc7cc9d20cb0bcd397a1fafc91df1fd5fab9537

          • C:\Windows\{C6CE7989-E410-48a9-948A-B806932EE7A8}.exe

            Filesize

            60KB

            MD5

            263f843ec7301ca83f72558a5af5b012

            SHA1

            924db1ed8cd6d99a73fd9e579186bd6321575ef4

            SHA256

            a3e2f7055afd110bdf9712dfb3e05efca50e5d852a86cf1358dc7c39e0c968b2

            SHA512

            b5e26f7279aa22a1e0b13045802208ef6fd59c2afd1332b74595486baeea76ad5dd375d3d2f769c7cea99a2b07cdd720063ad2d50d0cbc7a9ecafd316b8e4de7

          • C:\Windows\{C916892C-BC43-4acf-BEF5-A16BC8B1458D}.exe

            Filesize

            60KB

            MD5

            c423062a0a541553d4f29496df03acef

            SHA1

            ef910b8125f054dc4b99d7d7ec131519cbb98952

            SHA256

            db5434f4199088ff9541df44f63ff752a1d3cea55978c5aae8f941afe98d9b9b

            SHA512

            ed3d4f5a9608bb060d0cf7d3dad074829e7971f1ae5e48e8e6a36de2f5d93878fa95596da3bed53116ff510cb0014258d474ee983ea17162ad29d410606a6ef5

          • C:\Windows\{DDBE6AE2-A280-44b5-AAB2-46B62CE956B1}.exe

            Filesize

            60KB

            MD5

            d096d22372eb6d805fa340eabd1dbd90

            SHA1

            f9b7ea271798069503d34e61eb917aa7d04d4a36

            SHA256

            5926a118e23470e4b25970576b991e15929d507b90a0134fe64295e75891e955

            SHA512

            b1216db84791f341ccf26d48627e334e07efa61c192193c9b7ce7fee53c15dd49738c13ede627c12be916d9ed02d1b3e1dc68b8b1f56a4a0453aaa8b583175fb

          • C:\Windows\{FC42199A-77FA-49eb-A9D8-087D4A86A605}.exe

            Filesize

            60KB

            MD5

            98b9709fc2ac260841df739b922b44d2

            SHA1

            0feeec07d15cc280b0904ce17ada11eeb065b8fe

            SHA256

            aa7ff1e185ad33747fa26ade74cd03876c55c6cd5952b182562a2c64de970040

            SHA512

            be80e6c02a5e8836df52ce6629126b0be85e38f22087a79594c19316a64fc56c737578228c9b757e48d1a131988984141edc1bee9fe91143f0e80600f9f0b6dd