Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/08/2024, 11:15

General

  • Target

    ab212332e34ee7fbea0dd19dcabc25d0N.exe

  • Size

    79KB

  • MD5

    ab212332e34ee7fbea0dd19dcabc25d0

  • SHA1

    d951ceda1c2b6fe7c4bd11f1c20ba5ecca17de79

  • SHA256

    2eaf34cb92269f6b509f88b156a2ed547e01dfbe06c5e96c0a2f31b22e095c27

  • SHA512

    e9f4ee211bb5b10ace0d0edf79769197418d017971bbf2579c7e94ab8c27cf6af97d5957063c2d748d4845f6dcdb066119d0d665cfcc76495efc4e8c34297b6c

  • SSDEEP

    768:4vw9816vhKQLroR4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oRloWMZ3izbR9Xwzz

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab212332e34ee7fbea0dd19dcabc25d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ab212332e34ee7fbea0dd19dcabc25d0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
      C:\Windows\{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
        C:\Windows\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:388
        • C:\Windows\{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
          C:\Windows\{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3396
          • C:\Windows\{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
            C:\Windows\{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1640
            • C:\Windows\{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
              C:\Windows\{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3860
              • C:\Windows\{882698E2-1943-4316-B04C-340D432C9DE8}.exe
                C:\Windows\{882698E2-1943-4316-B04C-340D432C9DE8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3512
                • C:\Windows\{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
                  C:\Windows\{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4320
                  • C:\Windows\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
                    C:\Windows\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1372
                    • C:\Windows\{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
                      C:\Windows\{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3612
                      • C:\Windows\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
                        C:\Windows\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4920
                        • C:\Windows\{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
                          C:\Windows\{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3856
                          • C:\Windows\{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe
                            C:\Windows\{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2344
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{44DC8~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AFE6B~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2216
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{62001~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1072
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AEB54~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1896
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A97D9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3680
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{88269~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1152
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B799F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2080
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE21~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:876
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DABB4~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{64F00~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3832
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9010~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AB2123~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2488

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe

    Filesize

    79KB

    MD5

    4b178692426658ea25446067355c29b0

    SHA1

    896946409fe74fa643aa6fb7656a8f3aaa5901c5

    SHA256

    49b6ea6fa06f77abb7c150f71f1965f4b5ab2f29c47e73783484dcd4ec5a26e4

    SHA512

    6d6b36b6fd481654e6ec9843b47c55b0a2f9778335e277e46c405fe7cb0f0c707ac2f1c7b937dbff24daec85c24b346b9baf588c5549122a4f5143048643ce6d

  • C:\Windows\{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe

    Filesize

    79KB

    MD5

    11b667d5628e443cd086494da2515134

    SHA1

    cd87dee8c55dcf8aafccc54ed9b01cadff8cccc8

    SHA256

    e5485c7f4a34cd8c0f7dff11a54f56cf4a284777a30a2815098bbfd213cee05b

    SHA512

    c3dd9cdc18fe4f06f64ffe3657571173f0aa17ce2624de50c534ccce640c62afb5182a137ddfed0466863d5f0a47f85bbbf0e43b7d54ea900dfee6ff861c2312

  • C:\Windows\{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe

    Filesize

    79KB

    MD5

    8e6afcba3015e7e492b247df9f68842e

    SHA1

    d62136e7a38c119fcba82460812d4793a9db6847

    SHA256

    43dffd96b38793ce8b31ab7122e42c9fde797149bf1a55d9f49d9a65b05ae30d

    SHA512

    1d102d356ed01175157e27378177cd436c54a9a5d73f6de864f287c660973721def5798bf97c5246b53f9ea4b21f0421b501a31bd3b8b950eb891bb2fca85188

  • C:\Windows\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe

    Filesize

    79KB

    MD5

    b1ec35fd0a7ccdffd0641ce41125cc07

    SHA1

    7c7a130c762ad1470ed4b3867bf1dd49294e2e01

    SHA256

    8197ea22f25892c21f706f23b2ddad62d9588580a8cba7018d010f3bef1a223e

    SHA512

    b2adb4b2756be18a1b48812fc2818b48dc2ac289d0f1e198e97cf5e3f30e932a7b5f0027b652672cd172ab3fb5578462c8016a9f84e88bdc47f7e3ae4434c27b

  • C:\Windows\{882698E2-1943-4316-B04C-340D432C9DE8}.exe

    Filesize

    79KB

    MD5

    c765bc169f948e39900fbf99ded8e802

    SHA1

    c8ad839e16c78b3bcb36715f429bfe9f8acdac6a

    SHA256

    8a554a3baedeb27f17be53eb7e9751247f761fc1f05b8eed1353edddc62bce1e

    SHA512

    e71dd5e72df1eee6ddc7f941f319d7c50c7f2b38642bd872405519ce34c426b5f271025fe8ff830163a7e43fd85530e1c7e953d7c74b563ebc01f48306c96b57

  • C:\Windows\{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe

    Filesize

    79KB

    MD5

    59783262442b897c8c488f6298ffd7b4

    SHA1

    d2c88024af109a4ac63cf871a5c9834de5672624

    SHA256

    782098a18237172b9b6644a5c1d1fa1dd1e9ca03586d158d38f58694332463e8

    SHA512

    53f3b00d5cd82ca761ee3a7d8e373385dd3bb5639b2946aa8be95b55a9daf2fe0a8a4b3e954d2bedce24966acd5d1ee6a57a4874704ecc9c915ad8b1ed1a65d9

  • C:\Windows\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe

    Filesize

    79KB

    MD5

    9580e56aaa36500ef4e0784a16606437

    SHA1

    a94049de1c81a8a8961b34d3777442bf6e5c1178

    SHA256

    70ba153a5ad3c50a3f512c943dab0440e57a836d4bcce2a80e521051c7891340

    SHA512

    38e44f1f8250c1c0da61488cc5bf0da20822cc92270064e8561360475d25b0dd43c02d79b5644f22d25b5c4e0d99795d6726ce54e0a9fe911bb7b0236b5cb50f

  • C:\Windows\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe

    Filesize

    79KB

    MD5

    fbebb7bfa30e7d63a3acbf52fcd5a3a6

    SHA1

    06c64705d98d49c2bf21eba28804e1043a8b40e0

    SHA256

    ac4300582bedc1010730ffa68d86a9485e410b8946f2ce3aba7605bcb1511206

    SHA512

    6e834ff843abe10ad7ebac7a37165d2fd11910bea35e2c7c7554021fc76a4eabd5539b149d53fac164182742dced8c38523cf129bf610fdfabed7a9033ae5422

  • C:\Windows\{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe

    Filesize

    79KB

    MD5

    1ce78d6992857c9544aa33ebc8e4d93e

    SHA1

    f3ec8f691f6ae2fb664afb5ac8335eff0d74611e

    SHA256

    8043361831ed839930dd230a563b0f4980523f2a1afeed83201d3a80e23d8311

    SHA512

    d081b8a7cd303e954c378a1e9d1cc3afa927f12f34f32e97047ca739f14c40ffad9e4839457701d63b7d732fb503b931d04750887038e792360e1958dbe9894d

  • C:\Windows\{B901051F-B359-438c-97C4-7DCE49B7F261}.exe

    Filesize

    79KB

    MD5

    59756931f8ac69984cc78ea22c713389

    SHA1

    ed979b871cbf8a066cb7cab7130aa688f182a2ba

    SHA256

    9503db07ea5c8494d905a8b764200c9ab07dff8510cabd64618ec4bae6bbdb20

    SHA512

    4339463369ce0749159d6263e2f5fba70d966d2cf734bf4d66f03fed70c85f4fadd9b2b189c748c746127cc0b2a5d4d471362421fa01859ace6ff30dfa4a2b59

  • C:\Windows\{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe

    Filesize

    79KB

    MD5

    b6136dc6acfb52c57374b39ce0286638

    SHA1

    a807e08ad408c0fde1912d685b24ebfb816660dd

    SHA256

    4e9bb04bfa43d9219d001190451fee052507a7af1766722f12e4a6de4adebc18

    SHA512

    9e561bb3f064ac35f3d80724dd2fa4d6a9e73ac2ef929f68ca577d8380f144ddd730bc7837c9a7445dc65a79bbfacc342ca29dadc9efe322ba8ea58574726f18

  • C:\Windows\{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe

    Filesize

    79KB

    MD5

    c088ed8413cc080d6e28a4256fdfc1c4

    SHA1

    6bf987a6eb6cc30bf258d7a2c0291aa4659be1fa

    SHA256

    6f9f4482e61753fe4c72fcaa2cb610390a5f339e6852ede70086f137f59cd8f7

    SHA512

    f04951be85eda3c4129b597de625a596fa461b6830541831aed011ee0b59cdeb0fd0ae285547924b4d319d360fe8c705b0ddbedfa20e7753a70a16c0c97a4362