Analysis

  • max time kernel
    118s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-08-2024 05:37

General

  • Target

    7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe

  • Size

    89KB

  • MD5

    7dd54f5e3ff57a61c78ab4f4f14a7fd0

  • SHA1

    c9e96d8c5b1b7a50b94e63ac5b62939bdaaf68c8

  • SHA256

    6147dfac2f5e920b95703ce7684d4e9ba7f68dcd6cbee332d6fc61d572443e57

  • SHA512

    5eb03204528acb8e23ba8ba664eb27ef9cbda99a1a1d65d02c26ef07e3f380c009036d85c722fd505dadea6f9bf94be86a02ce6da492fc04d9ff097e95a513ee

  • SSDEEP

    768:Qvw9816vhKQLroc4/wQRNrfrunMxVFA3b7glL:YEGh0ocl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\7dd54f5e3ff57a61c78ab4f4f14a7fd0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\{B5AFC2BB-6DC3-434c-912C-8A62C36A7BCD}.exe
      C:\Windows\{B5AFC2BB-6DC3-434c-912C-8A62C36A7BCD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\{444C9F97-8E6A-4e26-B018-3B948835D8E7}.exe
        C:\Windows\{444C9F97-8E6A-4e26-B018-3B948835D8E7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4992
        • C:\Windows\{C31E1763-6544-4d17-B753-A34007E37D9E}.exe
          C:\Windows\{C31E1763-6544-4d17-B753-A34007E37D9E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Windows\{ACE6DCFD-0FAC-488c-9963-4F71650BC73C}.exe
            C:\Windows\{ACE6DCFD-0FAC-488c-9963-4F71650BC73C}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3908
            • C:\Windows\{D5F682E4-9C97-4c90-9D42-6CD455068953}.exe
              C:\Windows\{D5F682E4-9C97-4c90-9D42-6CD455068953}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1720
              • C:\Windows\{F9A90A47-27D0-4990-B1D8-20C5338A4E1D}.exe
                C:\Windows\{F9A90A47-27D0-4990-B1D8-20C5338A4E1D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1856
                • C:\Windows\{97EC161D-F636-4557-91DE-EFCB916E03DC}.exe
                  C:\Windows\{97EC161D-F636-4557-91DE-EFCB916E03DC}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3872
                  • C:\Windows\{B02C3904-01DC-4094-8A51-C09E1A207635}.exe
                    C:\Windows\{B02C3904-01DC-4094-8A51-C09E1A207635}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4076
                    • C:\Windows\{88EB1DE0-34EC-4aaa-81B1-5B26C7CBAF81}.exe
                      C:\Windows\{88EB1DE0-34EC-4aaa-81B1-5B26C7CBAF81}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4872
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B02C3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3844
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{97EC1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1964
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F9A90~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3200
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F68~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:936
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{ACE6D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3464
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C31E1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{444C9~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4536
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5AFC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7DD54F~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{444C9F97-8E6A-4e26-B018-3B948835D8E7}.exe

    Filesize

    89KB

    MD5

    8f7222b3415f687dbe0b417fab6f3020

    SHA1

    56208a736dde9f1b43e0f389f6074062a898e2df

    SHA256

    d087dc4af95570517e297b357ab6799d6a51e31757f4cf80169ffa82b1e74767

    SHA512

    b7611f0bbccf842283b5d705891a95165b345dbbcda666382b3121718660eac031af98713407b7f0e385efb876b2b4bf34651fc1aabe1c2128a2df942ee5b89c

  • C:\Windows\{88EB1DE0-34EC-4aaa-81B1-5B26C7CBAF81}.exe

    Filesize

    89KB

    MD5

    b1ca83b588798ce778e1c25649e5f932

    SHA1

    c14db95a69f0f84c9f56ac1e766ba45b13442340

    SHA256

    89b3aaf0c681cad808805b19bf0b1446323eb2737ee8c53decb6ce5e19292246

    SHA512

    c0666a203f78bfb7066e9196d9ac665039824519f4d591a896bf94d686104cba0ba228ed41d7c6ab032dfe425dca440f9adb7e0d2d9f6d0c81964bab211f99c8

  • C:\Windows\{97EC161D-F636-4557-91DE-EFCB916E03DC}.exe

    Filesize

    89KB

    MD5

    9ec73793eabaf0e525fa295e3bf93504

    SHA1

    ec4a6160b17f3e279230efc3c6e4b8c8234575e0

    SHA256

    7507a9758ce42a379de9d014c00aaddc163260d0e7cacf4094e105fadc423d8e

    SHA512

    8df74008da26ffaabaf8ad04cb02e0c509a8f29106e6d5ce73290fb10add76eb430303dce0b58accc3c652b22466ea7c324b587866f2c558d4dff64cd2b3dcc0

  • C:\Windows\{ACE6DCFD-0FAC-488c-9963-4F71650BC73C}.exe

    Filesize

    89KB

    MD5

    824e3b1e1062dd5fa870098145412998

    SHA1

    7c7e8da34d3b35a7a338314381efda3a4f411ef6

    SHA256

    9b2718e127770ff59188e838def2ad0d0b73608255e2b4b9e86ec67c3840961f

    SHA512

    24edb7e550a48b016c38ddcca63872861eb33d97f065045490db48b5599ce9b2cc092b5c4990031d0b2620e1b39e83c4f959eeef3e6f4a2e49b2068ab860f475

  • C:\Windows\{B02C3904-01DC-4094-8A51-C09E1A207635}.exe

    Filesize

    89KB

    MD5

    2b61213b46b6ac554820a8f7a59fbdcd

    SHA1

    f556d739e0ef2280677b5f1728428b76e258759e

    SHA256

    d61882cefda695ad6f4817fed164d3c07647cab02067953722c940f7ec017146

    SHA512

    348bc1efd85ae003e0fae7269c76cf5b092b2e8402b9e771aa08b075a89cf5d489dbc97be6e20e618b44bf93152495c40234e0b9310a9834535706b205d84b07

  • C:\Windows\{B5AFC2BB-6DC3-434c-912C-8A62C36A7BCD}.exe

    Filesize

    89KB

    MD5

    ccb30599edab95956ae89e958c7c6035

    SHA1

    3363ae0623f33f6b0766e4abe94c2dec0ffced91

    SHA256

    233e0d146b655af44876836af5ab58cbf28f31d1ea9e1f0a3c6d7c4384161ff0

    SHA512

    b80dfa03b04a3f22231edcb8eb22584146a15c5108062b366e3207995275c416278aede0e541971279a87748292416a44f3c85febd633e41e78214a5f84da3fa

  • C:\Windows\{C31E1763-6544-4d17-B753-A34007E37D9E}.exe

    Filesize

    89KB

    MD5

    300943fa74b82ae4bd0ddacd2198ce25

    SHA1

    07b84f6e877dd7dac705cb40046ecb99c7360bc5

    SHA256

    45beb67bcc35e44487942dad1340490fd453a4aac47ce4f20bfb2b1396366060

    SHA512

    0cb08534ad67938b603617cb3dd4abe1dde1e0fc0034600e83c14bf54596e981ef2303545538bd2aa07061a904ab23779991aebf3d0d06cf72beafe01e9299a3

  • C:\Windows\{D5F682E4-9C97-4c90-9D42-6CD455068953}.exe

    Filesize

    89KB

    MD5

    852556657097dc0cd4ac2e84613cbf28

    SHA1

    2c20e4848b98c0e326f1947eaf01dc858e51674b

    SHA256

    2afc9bbb81b33d237cf0682a503d775c6736cf119707dc69569c87daf342e93e

    SHA512

    99fcff1d549df23da49fc231bb5ffa1a5cafe82d57444c9461be15a5738a161130086a085b600d8156fc357ba93015a5be00d2b94ebaed96aa3f9c429aed34ea

  • C:\Windows\{F9A90A47-27D0-4990-B1D8-20C5338A4E1D}.exe

    Filesize

    89KB

    MD5

    245288157cd2f012ad368e7261680c50

    SHA1

    915fcba0f02708a6a79a4ac79645a2fd3163a486

    SHA256

    e543a216d08d1fb11918355f82cddc8d9ba50422968b78960501d7fc17d2b2dd

    SHA512

    d29729c23689b0c721c5299e4227b16c514f4a02bf8ef923d2e4ea73a508fb62f96ca504c4e9b004eb8ecb65405122f2c20c64868f7d62c22672ab0dd5b143e6