Analysis

  • max time kernel
    118s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/08/2024, 15:27

General

  • Target

    40b15579d6bc74f709cadebf3d9af8e0N.exe

  • Size

    89KB

  • MD5

    40b15579d6bc74f709cadebf3d9af8e0

  • SHA1

    a5670b35352bf55f3a528ea8dec3857f2f1596c4

  • SHA256

    731015f43c7f27e90928260025a5de730cf2e26c5e9b68479bcaf5350625b609

  • SHA512

    14b52f4c9526468ee7cde533965f15993fe267a77c78270afddd64cde4d6074e472ebb68bf7f3c840815a44f5d5277ab107719b25569b738a33c92e56a8e051a

  • SSDEEP

    768:Qvw9816vhKQLroy4/wQRNrfrunMxVFA3b7glL:YEGh0oyl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40b15579d6bc74f709cadebf3d9af8e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b15579d6bc74f709cadebf3d9af8e0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\{84D78053-DA04-41f3-AB46-05F5309E37D6}.exe
      C:\Windows\{84D78053-DA04-41f3-AB46-05F5309E37D6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\{4BB8795C-592B-482e-82A7-E65DDB96C162}.exe
        C:\Windows\{4BB8795C-592B-482e-82A7-E65DDB96C162}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Windows\{17679EC4-A89C-4412-A6A5-BB78AB18334E}.exe
          C:\Windows\{17679EC4-A89C-4412-A6A5-BB78AB18334E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\{B22C292A-E108-4d42-B099-5AC5A4EDA821}.exe
            C:\Windows\{B22C292A-E108-4d42-B099-5AC5A4EDA821}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Windows\{85BC5396-33A8-4a61-A8C8-F6F042175600}.exe
              C:\Windows\{85BC5396-33A8-4a61-A8C8-F6F042175600}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4856
              • C:\Windows\{349F41DC-3D66-4e9c-A30C-EB879D0F2C6D}.exe
                C:\Windows\{349F41DC-3D66-4e9c-A30C-EB879D0F2C6D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3172
                • C:\Windows\{C3ABFD48-FEFB-45d5-BFF9-114ED50CAB12}.exe
                  C:\Windows\{C3ABFD48-FEFB-45d5-BFF9-114ED50CAB12}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:724
                  • C:\Windows\{A0451AAF-3BFC-4819-82CB-6F9CF40CCBC2}.exe
                    C:\Windows\{A0451AAF-3BFC-4819-82CB-6F9CF40CCBC2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2392
                    • C:\Windows\{06665BC6-246C-4abf-862B-05952B7E2F93}.exe
                      C:\Windows\{06665BC6-246C-4abf-862B-05952B7E2F93}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:388
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A0451~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4040
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3ABF~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:220
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{349F4~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:532
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{85BC5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:212
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B22C2~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2860
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{17679~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4BB87~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84D78~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3228
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\40B155~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4848
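
The tree above shows one pattern repeated nine times: each stage writes the next stage as C:\Windows\{GUID}.exe, starts it, and then spawns cmd.exe /c del against its own image. The argument to del is the 8.3 short name of the parent ({A0451~1.EXE for {A0451AAF-...}.exe, 40B155~1.EXE for the original sample), which is why it looks truncated. Note also that the sample is 32-bit (arch:x86 tag), so the cmd.exe it launches resolves to C:\Windows\SysWOW64\cmd.exe even though the command line says system32; detection logic should match on the image name, not the literal path. The following detection is an added example, not part of the sandbox report or the sample's code. It runs over constructed process and registry events that copy the PIDs and paths from the tree; the event field names (type, pid, ppid, image, cmdline, key) are an assumed normalised schema, and the Active Setup key in the registry event is an assumption, since the report only states that such a key is written, not which one.

```python
"""Flag the drop-execute-self-delete chain and the Active Setup key from the report.

Added example, not from the report or the sample. Event schema and the exact
Active Setup key are assumptions (see comments); PIDs and paths come from the tree.
"""
import re

# Every dropped stage in the report is named C:\Windows\{GUID}.exe.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# cmd.exe /c del <target> > nul, as spawned by each stage after starting its child.
DEL_CMD = re.compile(r"/c\s+del\s+(\S+)\s*>\s*nul", re.IGNORECASE)
# Active Setup runs the StubPath under each Installed Components\{GUID} key at logon.
ACTIVE_SETUP = re.compile(
    r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\",
    re.IGNORECASE,
)


def short_name(path):
    """Approximate the 8.3 short name Windows generates for a long file name.

    Approximation: first six characters of the stem, '~1', then the extension,
    upper-cased. This reproduces every name in the report, but the ~N suffix
    changes when several long names share the same first six characters.
    """
    name = path.rsplit("\\", 1)[-1]
    stem, sep, ext = name.rpartition(".")
    if not sep:
        stem, ext = name, ""
    return f"{stem[:6]}~1.{ext}".upper()


def analyze(events):
    """Return (findings, chain).

    findings: (pid, rule, detail) tuples for GUID-named executables in C:\\Windows,
              cmd.exe deleting its parent's own image, and Active Setup key writes.
    chain:    the GUID-named executables in execution order, recovered via ppid links.
    """
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            if GUID_EXE.match(e["image"]):
                findings.append((e["pid"], "guid_exe_in_windows_dir", e["image"]))
            m = DEL_CMD.search(e["cmdline"])
            parent = by_pid.get(e["ppid"])
            # Match on the image name: a 32-bit parent gets SysWOW64\cmd.exe via WOW64 redirection.
            if m and parent and e["image"].lower().endswith("\\cmd.exe"):
                target = m.group(1).rsplit("\\", 1)[-1].upper()
                if target == short_name(parent["image"]):
                    findings.append((e["pid"], "parent_self_delete", parent["image"]))
        elif e["type"] == "registry" and ACTIVE_SETUP.match(e["key"]):
            findings.append((e["pid"], "active_setup_persistence", e["key"]))
    # Depth-first walk from the root process, collecting GUID-named stages in order.
    children = {}
    for e in by_pid.values():
        children.setdefault(e["ppid"], []).append(e)
    stack = [e for e in by_pid.values() if e["ppid"] not in by_pid][::-1]
    chain = []
    while stack:
        e = stack.pop()
        if GUID_EXE.match(e["image"]):
            chain.append(e["image"])
        stack.extend(reversed(children.get(e["pid"], [])))
    return findings, chain


# Constructed events mirroring the first two stages of the report's process tree.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\40b15579d6bc74f709cadebf3d9af8e0N.exe"
STAGE1 = r"C:\Windows\{84D78053-DA04-41f3-AB46-05F5309E37D6}.exe"
STAGE2 = r"C:\Windows\{4BB8795C-592B-482e-82A7-E65DDB96C162}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    {"type": "process", "pid": 888, "ppid": 1, "image": ORIG, "cmdline": f'"{ORIG}"'},
    # Assumed key: the report says an Active Setup key is written but not which.
    {"type": "registry", "pid": 888,
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{84D78053-DA04-41f3-AB46-05F5309E37D6}"},
    {"type": "process", "pid": 4612, "ppid": 888, "image": STAGE1, "cmdline": STAGE1},
    {"type": "process", "pid": 4848, "ppid": 888, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\40B155~1.EXE > nul"},
    {"type": "process", "pid": 4808, "ppid": 4612, "image": STAGE2, "cmdline": STAGE2},
    {"type": "process", "pid": 3228, "ppid": 4612, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{84D78~1.EXE > nul"},
]

if __name__ == "__main__":
    found, stages = analyze(EVENTS)
    for pid, rule, detail in found:
        print(f"{pid:>5}  {rule:<26} {detail}")
    print("chain:", " -> ".join(stages))
```

Linking the del target back to the parent's image through the short name is what separates this from a generic "cmd.exe /c del" rule: it fires only when a process deletes its own executable, which is the behaviour every stage in the tree shows. The 8.3 approximation is deliberately loose; on a live host, compare against the short name the file system reports, as the ~N suffix depends on collisions in the directory.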

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{06665BC6-246C-4abf-862B-05952B7E2F93}.exe

    Filesize

    89KB

    MD5

    b3ea620e7b2d124ddc587f52efc3ffac

    SHA1

    54d63a892d7e6a9db5029a0584faf7b0d4de01f2

    SHA256

    4dbda16446f5bec9141d2fed661965818c19898e69395ef10f4a8d23711ca78b

    SHA512

    2f9a993f55cb4c05097c55790f133e92dd256adcd2d1a8a804c4a6ae31c15208b7c99add1624bdf7a3c93670aea0edc665901868a842a4b9a2ffc204b3ff4e66

  • C:\Windows\{17679EC4-A89C-4412-A6A5-BB78AB18334E}.exe

    Filesize

    89KB

    MD5

    90acb11801db10e0772d89a4fe5107ba

    SHA1

    2f11fa1d77997642a2b83a7f25b16d63dc8b5b10

    SHA256

    0cba9b82db6db18956ec23554fd30ea2a22206653a3bda442e980f58bd21ab11

    SHA512

    19cae56eb3ee100d9a341af3b1ee373188a9fbbc4f150eb43babbda8cfb7d32ecfbbfb905df3ac3ac3d5c58797a96d0c03cc4bd9770a01f6ad28fc9a269e039c

  • C:\Windows\{349F41DC-3D66-4e9c-A30C-EB879D0F2C6D}.exe

    Filesize

    89KB

    MD5

    db237cfdb3a81698b85da0dfccac9bff

    SHA1

    5c06c5fd2f7eb6219d286e13ed9d92b2ae5fad64

    SHA256

    1256228cc26ce37d9844e315517b25443cc3446670c39c41ff5677c0fbb5fd21

    SHA512

    a07cd4347c5362b3250040fb83cb77834a6528d86d638798590813e5d9e0c735224a938dec4dfe10e16e0ed11ec21db41e9d53186bc872904a265a9aa90665f8

  • C:\Windows\{4BB8795C-592B-482e-82A7-E65DDB96C162}.exe

    Filesize

    89KB

    MD5

    d6e019051f80bd2b78e04e388d4684ca

    SHA1

    3bc9a89fa6e0b1cc564613cad075456a142a7f76

    SHA256

    93ee3d4282d2e44e22e670b13755aa65d3b61068cc87a2804690c1f76f6ddcc6

    SHA512

    aa5d2c19ab92befefd62d2de508f27ff5e771807b53bffa3325252af04eaf6930a2cb7e5412f34b138ab1d0eceae65a9ce07ad8146da58dcff190c1e68467cc3

  • C:\Windows\{84D78053-DA04-41f3-AB46-05F5309E37D6}.exe

    Filesize

    89KB

    MD5

    0268a5a3c5d8cb16596e22a73f7d3b3f

    SHA1

    1663a15f72a0a2dff474f2b3c1e497ed8887375d

    SHA256

    e665731b3591354fc5c574bd985905d95ca44616f7a0a1cc18ab5b292dedba93

    SHA512

    743baee2fe61dba5f9e34f8f212c22c906888fbb1cd573b6eb2cb7ca6ff8c132f0d1dde3018659156c46e713a7a82c8d084593243147a9bcdc06a3f4910410b7

  • C:\Windows\{85BC5396-33A8-4a61-A8C8-F6F042175600}.exe

    Filesize

    89KB

    MD5

    2e23443ae7b6b35c65e86bf7b965bcbd

    SHA1

    5d08e11fa15584f9682c3cf5c17ca81a5f870873

    SHA256

    00c6563bcd3e9da928941748624f77a6fee94cea5f6003493d7746b7b3b6fc34

    SHA512

    2c2644092dbdde654c843c71dc933eda02739b87c4dc80b6b309fe46ca69778dcdc8bda69ea537608a72be54c1535cd890edaff57b37437766d0e555e35495eb

  • C:\Windows\{A0451AAF-3BFC-4819-82CB-6F9CF40CCBC2}.exe

    Filesize

    89KB

    MD5

    cd9ecc604a2214e63c39fb5cb9f38abd

    SHA1

    84ac3bf1a5c20d152a67d37665ebf002dea08c40

    SHA256

    d6fb33ee0af5cc6e911ccf11a6647b91ce6efb7e711b57b5f2075040875f0502

    SHA512

    95c658dd58ce4056dd0ce0139e1c9d7beaa0ded6b1c0e69f1b2b268d70fff8495406d7612d091fedabc432e90e912162df00b89e8d7f1b9db3846077a7a603d1

  • C:\Windows\{B22C292A-E108-4d42-B099-5AC5A4EDA821}.exe

    Filesize

    89KB

    MD5

    a1689d8bf72bf52964582b817e035760

    SHA1

    c78138b067885740e6fff4d2e1697d617c82b6fb

    SHA256

    75d168bfd66670c8318644198960ec12c7e9428c103ce6d986819592d2ec7953

    SHA512

    153750747e3fe69cfe5e70b8d832eaeb081b7bdca90e5b546ed81c78b0d9abd751e5ef558b56ee1ac526f948d313fe734776ff39b8961e69d4c1be963ed2ed40

  • C:\Windows\{C3ABFD48-FEFB-45d5-BFF9-114ED50CAB12}.exe

    Filesize

    89KB

    MD5

    42da8bede4ec126ad2ab5ffef01a1bab

    SHA1

    f138c5abd378beea621a4c8ebc36dc488b7a337f

    SHA256

    db715d1c2c2389c618b4b6f49832ca1363565342c935b31d2d696a8ed5a2a4c0

    SHA512

    3b799c774840b4d6e93ae6a12e3bd6b914945757b5d5bf32164b1aad99bfa890c80d70323cd0f14161b2bab83b860ff5607602fe9e6c93adfa95b0b2127e11f2