Overview

overview

8

Static

static

3

95e2fa2fd0...0N.exe

windows7-x64

8

95e2fa2fd0...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/08/2024, 12:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    95e2fa2fd0800c554e216fbc1e493e80N.exe

  • Size

    91KB

  • MD5

    95e2fa2fd0800c554e216fbc1e493e80

  • SHA1

    e41a3c1facc275b4a0b9daf944cbab7997c9bad7

  • SHA256

    439c09f0b94ff1260e5c6b490701b681ca0c1245b21525d8c5584baf5a1fbf1a

  • SHA512

    2b62117aa7316d9bd1ea972b6d37407d6f8fbf17933cdc0d2441acdb720e00592fd291cc36267dcbc5555ad10129c9033ac6970a82cc5f06e7b390a51f607421

  • SSDEEP

    768:5vw9816uhKiroq4/wQNNrfrunMxVFA3b7t:lEGkmoqlCunMxVS3Ht

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95e2fa2fd0800c554e216fbc1e493e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\95e2fa2fd0800c554e216fbc1e493e80N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Windows\{B322EC3E-CC9B-4cbb-8D9E-34341641382E}.exe
      C:\Windows\{B322EC3E-CC9B-4cbb-8D9E-34341641382E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3152
      • C:\Windows\{22B2432C-5FE0-4a02-9E63-5F06A5FC21F8}.exe
        C:\Windows\{22B2432C-5FE0-4a02-9E63-5F06A5FC21F8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Windows\{033296C5-F32B-4394-8A1D-7F1A52F98B19}.exe
          C:\Windows\{033296C5-F32B-4394-8A1D-7F1A52F98B19}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Windows\{594371B8-0A71-4e0c-80C0-8431F41AE066}.exe
            C:\Windows\{594371B8-0A71-4e0c-80C0-8431F41AE066}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4536
            • C:\Windows\{8C8E5816-DBFE-46cb-82CE-C5153872E8AE}.exe
              C:\Windows\{8C8E5816-DBFE-46cb-82CE-C5153872E8AE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3928
              • C:\Windows\{A05FC017-C2A0-4e29-9B09-40E4B50DC852}.exe
                C:\Windows\{A05FC017-C2A0-4e29-9B09-40E4B50DC852}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:528
                • C:\Windows\{0D3F5155-7A18-4dc7-9E6E-F2EA81929717}.exe
                  C:\Windows\{0D3F5155-7A18-4dc7-9E6E-F2EA81929717}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2488
                  • C:\Windows\{00E82F47-697F-42ef-84BA-890278CEB4AF}.exe
                    C:\Windows\{00E82F47-697F-42ef-84BA-890278CEB4AF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1848
                    • C:\Windows\{D7E9F8EB-D824-4f56-B151-A8F0904F161A}.exe
                      C:\Windows\{D7E9F8EB-D824-4f56-B151-A8F0904F161A}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4880
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{00E82~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1636
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0D3F5~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3512
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A05FC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4276
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8C8E5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3660
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{59437~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:916
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{03329~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:432
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{22B24~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B322E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95E2FA~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1448

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{00E82F47-697F-42ef-84BA-890278CEB4AF}.exe
          Filesize

          91KB

          MD5

          c8dd3b300452d90c5d2e5dad88590207

          SHA1

          d6162b774a0f0ab6a44eea783ee5282232a51aa8

          SHA256

          dcda9eb1e54c341dce14be73490012c5889f9c55da68bf5b7365117d76dba8e9

          SHA512

          dd540cf7378e2f46e257d33d929503449865229d27cad816c5e1489bdd606f5eae8f24eb1e9376459ca5ed9c09797168776578b55ee53ceb0b7aef6e33bcec4a

          Download Submit

        • C:\Windows\{033296C5-F32B-4394-8A1D-7F1A52F98B19}.exe
          Filesize

          91KB

          MD5

          36b9b1354cc02c381e3067004b424df7

          SHA1

          57223575eb91244f42596df3b34e0918122afef5

          SHA256

          4875470c2fedd759348b94136bb86786e6e61c542a5d9c91d3a0a12b5c620276

          SHA512

          28baaee0e67bee1da0f70c879d3f7b295f4abe4021f3e24831809efb917860beadc0a6bc9d5efb3fbdddfb9c550ae9c8223f545246e98ed08f04869ec48adb63

          Download Submit

        • C:\Windows\{0D3F5155-7A18-4dc7-9E6E-F2EA81929717}.exe
          Filesize

          91KB

          MD5

          788bd91de016265be78c60478a0a23c6

          SHA1

          20e59c1b95cf4eeeeba05188c3d814207967c7e2

          SHA256

          9ddfbb349f33c7a6f7a2d26bf0c4ab3b5c54ed3b93062f6ab27f3b4e76dbc1fe

          SHA512

          645c5437473f7036752bfe3e153723c3bc7584c63a822253929794bf320880e79bbc9e9108409462a46192c8bbda882e6594771e4ef0a18bb6f59449eb6929a3

          Download Submit

        • C:\Windows\{22B2432C-5FE0-4a02-9E63-5F06A5FC21F8}.exe
          Filesize

          91KB

          MD5

          d3fe528b09b00e533f306d56ede0f3dc

          SHA1

          0dc802ee0e418c61e5f15ae1d7bb716b5de3db6d

          SHA256

          63f2d18a98371cc4db076528285263dc7a291e0ff20f3eac4bf394ab6039545e

          SHA512

          af9a67a50e5824ee1acf23a1887037ac538616c8ba8da22488bced0ae879c2491388b1afe36d96d517a47862c6431352193fd00b2201058ee7f8e96cd7e21c79

          Download Submit

        • C:\Windows\{594371B8-0A71-4e0c-80C0-8431F41AE066}.exe
          Filesize

          91KB

          MD5

          b0ac8826d566edad12e3cad7db1d2ec7

          SHA1

          7cb304217a9adf0269941d5692476b404941478f

          SHA256

          4d737809eeb6eded5ae35604235d1f00f6b27a2f1f774347734a655cc952c691

          SHA512

          329255ae1569f8e21326aa31cbe17d54d96e900a1d06e2817d004c35be5903311093fee8b97fd5713f09640b03a37575590b96ddc7b6e648b7122f1f9b071c3a

          Download Submit

        • C:\Windows\{8C8E5816-DBFE-46cb-82CE-C5153872E8AE}.exe
          Filesize

          91KB

          MD5

          b41a059a8ad1e256ad847fc22da7ec08

          SHA1

          cf4e7ecb6c83b5d67b36fad980a7be933bbc3184

          SHA256

          1ee42e3ccde248cbc9efa89d90109ed5736db4b5d92aa8e24a2f6a386736757c

          SHA512

          611e962b1d19a9149542a44ca7f389d4a372749682b42916a4dcb6238d3da12a2361a52cf685b0a8d629a04e582e01d7f9670a75c4a757b13efb1846ecbdd969

          Download Submit

        • C:\Windows\{A05FC017-C2A0-4e29-9B09-40E4B50DC852}.exe
          Filesize

          91KB

          MD5

          1ace0c04534d70964e982af5b4c8d746

          SHA1

          40614fb64c5b398450e1c96274ad6097d67445d1

          SHA256

          4965aa6248b33880dcd9c9cd1f85b70f093d3948cd832753bce783cc5a8e5180

          SHA512

          94cdbae774391bd6074efd41b64107e82040edc41a37186ffa39388f694b709bf025b24b2123773e22a16b25bb4f6757909a32e66ef7f2352992ae3b9f3e65c0

          Download Submit

        • C:\Windows\{B322EC3E-CC9B-4cbb-8D9E-34341641382E}.exe
          Filesize

          91KB

          MD5

          f9da2c9d3572232f28ca018b9b359367

          SHA1

          4c6ea82b555cd05fdbbcfeb58b78f07b0e78441d

          SHA256

          ba59515ed5cf1a357a21859b87594963845dffc8061fa43c19e137e21cd63be1

          SHA512

          233d67eda4ddf18eea3d2a4bf325e43d75d662614b6b5b01e2bbc50d664b14fa68629fb950f73d5e5c04ad8c5e679332a9cf24d7032bdd5e9d9e4d8cbac02ad0

          Download Submit

        • C:\Windows\{D7E9F8EB-D824-4f56-B151-A8F0904F161A}.exe
          Filesize

          91KB

          MD5

          a97099ebfa4beed8a9a112e3f7d69d24

          SHA1

          139a419d801998a92a6f543fae54d7118976e7f5

          SHA256

          43391d058d279d75f818898ba375c75363f62e08439a027c06e75096440663a4

          SHA512

          1969b5962a9bcd1fef7ba6642039a2a7dbc3fb0770496910de250b052e0425c11049356d986d63c7716dd6a4491df996f4fce8af8ebd465c976b8ea2ad9d7b4b

          Download Submit

        • memory/528-43-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/528-38-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1632-23-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1632-20-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1848-53-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1848-49-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2488-44-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2488-48-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3152-5-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3152-11-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3268-7-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3268-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3268-1-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3928-37-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3928-32-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4536-25-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4536-30-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4596-14-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4596-12-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4596-19-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4880-55-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download