Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    28-08-2024 23:25

General

  • Target

    d0dfc6b7211aafbc085a81fa9aa42870N.exe

  • Size

    197KB

  • MD5

    d0dfc6b7211aafbc085a81fa9aa42870

  • SHA1

    970e6847a49945081ab60d508d9ac35835f88f52

  • SHA256

    4d6c85079e15457656ffbfa8574d0996774dba41ad71fb7edfd6321205ec2ab0

  • SHA512

    16f33a21ea47c8c64c31926d8cec60b39ddd8b0db0af99dab27bb504512969a55d3eb0f07b8960e4ede09225a102cbf1e653c85385945d7ae57d75a4d1a85152

  • SSDEEP

    3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGblEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
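
The Active Setup signature above is triggered by writes under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components: each {GUID} subkey there carries a StubPath that Windows runs once per user at logon whenever the subkey's Version is newer than the copy under HKCU. The report counts 18 IoCs but does not list the keys, so the following is an added audit example, not code from the report or from the sample; it parses a constructed .reg export (the benign {00000000-...} entry and the assumed StubPath shape pointing at the stage-one dropped file C:\Windows\{FD0A1E4E-ED5D-4c83-85E9-946BB2997629}.exe are both constructed for illustration) and flags any component whose StubPath launches from outside the usual system or Program Files directories. Because the sample is 32-bit (its cmd.exe children run from SysWOW64), its registry writes land under the Wow6432Node view on x64 hosts, so both views are checked.

```python
import re
from pathlib import PureWindowsPath

# Both registry views an Active Setup component can live in on x64 Windows.
ACTIVE_SETUP_KEYS = tuple(k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components",
))

# Directories a StubPath normally launches from; anything else gets flagged.
EXPECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed .reg export (reg.exe export writes UTF-16; decode before parsing a real one).
# The first entry is a placeholder benign component; the second is the assumed shape of a
# key pointing at the report's stage-one dropped file, not a key read from the sample.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\example.exe /setup"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0A1E4E-ED5D-4c83-85E9-946BB2997629}]
"StubPath"="C:\\Windows\\{FD0A1E4E-ED5D-4c83-85E9-946BB2997629}.exe"
"Version"="1,0,0,0"
"""


def parse_reg(text):
    """Yield (key_path, {value_name: data}) for each key in a .reg export."""
    key, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], {}
        elif line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ data is quoted and escapes backslash and quote with a backslash.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            values[name] = data
    if key is not None:
        yield key, values


def stub_executable(stub):
    """Return the executable part of a StubPath, dropping any arguments."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:].split('"', 1)[0]
    return stub.split(" ", 1)[0]


def audit(text):
    """Return [(component_guid, executable)] for StubPaths outside EXPECTED_DIRS."""
    findings = []
    for key, values in parse_reg(text):
        parent, _, component = key.rpartition("\\")
        if parent.lower() not in ACTIVE_SETUP_KEYS or "StubPath" not in values:
            continue
        exe = stub_executable(values["StubPath"])
        exe_dir = str(PureWindowsPath(exe).parent).lower()
        if not any(exe_dir.startswith(d) for d in EXPECTED_DIRS):
            findings.append((component, exe))
    return findings


if __name__ == "__main__":
    for component, exe in audit(REG_EXPORT):
        print(f"suspicious Active Setup component {component} -> {exe}")
```

On a live host the same audit can be run against the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the Wow6432Node path), after decoding the UTF-16 file. Deleting the HKLM subkey removes the persistence; the per-user HKCU copy only records that the stub already ran.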

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0dfc6b7211aafbc085a81fa9aa42870N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0dfc6b7211aafbc085a81fa9aa42870N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\{FD0A1E4E-ED5D-4c83-85E9-946BB2997629}.exe
      C:\Windows\{FD0A1E4E-ED5D-4c83-85E9-946BB2997629}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\{35FAA0DE-9064-4e54-BF86-C5F52710870E}.exe
        C:\Windows\{35FAA0DE-9064-4e54-BF86-C5F52710870E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\Windows\{8E82C80E-88E3-4859-B507-8EA31755739C}.exe
          C:\Windows\{8E82C80E-88E3-4859-B507-8EA31755739C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2140
          • C:\Windows\{DDEB8A74-2A41-4290-963D-29EDFF4389AD}.exe
            C:\Windows\{DDEB8A74-2A41-4290-963D-29EDFF4389AD}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\{7E982F5B-E4C8-4f6a-B494-F4581ED0CB47}.exe
              C:\Windows\{7E982F5B-E4C8-4f6a-B494-F4581ED0CB47}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3016
              • C:\Windows\{80925146-E1FC-4fc0-A2FF-9A7F1AC56332}.exe
                C:\Windows\{80925146-E1FC-4fc0-A2FF-9A7F1AC56332}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2648
                • C:\Windows\{8FC6F7AA-5165-4c99-A703-9A8FB2486654}.exe
                  C:\Windows\{8FC6F7AA-5165-4c99-A703-9A8FB2486654}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1184
                  • C:\Windows\{189AFDD8-5294-40f7-9DCA-D56F71155377}.exe
                    C:\Windows\{189AFDD8-5294-40f7-9DCA-D56F71155377}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2880
                    • C:\Windows\{6E2A39E4-549E-4648-BDB5-70F9B5F6E52B}.exe
                      C:\Windows\{6E2A39E4-549E-4648-BDB5-70F9B5F6E52B}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2988
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{189AF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2900
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8FC6F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2872
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{80925~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:636
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7E982~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1992
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DDEB8~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1664
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8E82C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{35FAA~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD0A1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D0DFC6~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2052
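
The tree above shows the same two-step pattern at every depth: each stage starts the next GUID-named executable from C:\Windows and then spawns `cmd.exe /c del <own 8.3 short path> > nul` to remove itself, so the file on disk is gone by the time the next stage runs and none of the nine dropped files shares a hash with the original. (The cmd.exe image is reported as C:\Windows\SysWOW64\cmd.exe even though the command line says system32, because the 32-bit parent's system32 reference is redirected by WoW64.) The following is an added detection example, not code from the report: it runs over constructed process-creation records whose PIDs, images and command lines are copied from the tree above (the record layout and the benign control record with PID 4000 are assumptions), flags GUID-named executables launched from the Windows root, and flags a cmd.exe whose del target resolves, via 8.3 short-name matching, to its own parent's image.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records modelled on the report's process tree. PIDs, images and
# command lines come from the tree; the layout and PID 4000 are constructed.
RECORDS = [
    Proc(2308, 1000, r"C:\Users\Admin\AppData\Local\Temp\d0dfc6b7211aafbc085a81fa9aa42870N.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\d0dfc6b7211aafbc085a81fa9aa42870N.exe"'),
    Proc(2128, 2308, r"C:\Windows\{FD0A1E4E-ED5D-4c83-85E9-946BB2997629}.exe",
         r"C:\Windows\{FD0A1E4E-ED5D-4c83-85E9-946BB2997629}.exe"),
    Proc(2052, 2308, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D0DFC6~1.EXE > nul"),
    Proc(2384, 2128, r"C:\Windows\{35FAA0DE-9064-4e54-BF86-C5F52710870E}.exe",
         r"C:\Windows\{35FAA0DE-9064-4e54-BF86-C5F52710870E}.exe"),
    Proc(2820, 2128, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FD0A1~1.EXE > nul"),
    # Benign control: deleting an unrelated temp file is not a parent self-delete.
    Proc(4000, 1000, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"),
]

# An executable named {GUID}.exe directly under the Windows directory.
GUID_EXE = re.compile(
    r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$", re.I)
# cmd.exe /c del <target> > nul
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)


def short_name_matches(target: str, image: str) -> bool:
    """Match an 8.3 short path such as C:\\Windows\\{189AF~1.EXE against a long path.
    The directory must match case-insensitively; the stem before '~' must be the
    start of the long basename (uppercased, spaces dropped), as 8.3 mangling does."""
    t_dir, _, t_base = target.rpartition("\\")
    i_dir, _, i_base = image.rpartition("\\")
    if t_dir.lower() != i_dir.lower():
        return False
    if "~" not in t_base:
        return t_base.lower() == i_base.lower()
    stem = t_base.split("~", 1)[0].upper()
    long_stem = i_base.rsplit(".", 1)[0].replace(" ", "").upper()
    return long_stem.startswith(stem)


def detect(records):
    """Return [(pid, finding)] for GUID-named Windows-root images and parent self-deletes."""
    by_pid = {p.pid: p for p in records}
    findings = []
    for p in records:
        if GUID_EXE.match(p.image):
            findings.append((p.pid, "guid_named_exe_in_windows_root"))
        m = DEL_CMD.search(p.cmdline)
        if m:
            parent = by_pid.get(p.ppid)
            if parent and short_name_matches(m.group("target"), parent.image):
                findings.append((p.pid, f"parent_self_delete:{parent.pid}"))
    return findings


if __name__ == "__main__":
    for pid, finding in detect(RECORDS):
        print(pid, finding)
```

The self-delete rule keys on the relationship between the del target and the parent image rather than on any hash, which matters here because every stage in the Downloads list below is a distinct 197KB file with its own MD5/SHA256; blocking the submitted sample's hash would not stop stage two onward.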

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{189AFDD8-5294-40f7-9DCA-D56F71155377}.exe

    Filesize

    197KB

    MD5

    1585033a4761b902662f3eba32fdcb27

    SHA1

    cc55ca4cdd70666357af6fefdc22b4ef85b10598

    SHA256

    e54d15ae74c3b0f158a21988b05be17d980d267ab6da7a9fd146cb0613e847c1

    SHA512

    61ee66bddb5ae54fa4460a05befcd21cc02a397fdd46c92359017db5095a2ac637f8be759f8a2822f7ab69581ec6c4fc47c67f026bffde2dee73cf4bd65267eb

  • C:\Windows\{35FAA0DE-9064-4e54-BF86-C5F52710870E}.exe

    Filesize

    197KB

    MD5

    78b84b84528a97477a13b60c67e7e16f

    SHA1

    1758fede9a88a2c958d24397339fae0cd45bf41b

    SHA256

    7facc0f9178fa8612458299ad4daea52d250e01a73287ca215391176e0906ac7

    SHA512

    74a114cfe3d5090b15add7456ae3989cb5958bd6a1cce04acf478713107caa790a5c9ab44ab1a0a3d099a142aecedc81a023e230bdd85536fad7baf40f567d76

  • C:\Windows\{6E2A39E4-549E-4648-BDB5-70F9B5F6E52B}.exe

    Filesize

    197KB

    MD5

    e1d421173bc3c6b5ebc4372fce7d759c

    SHA1

    f420a460bf77aa3b2826054bcd07f2b8af6660df

    SHA256

    6bda06bb0b95405a7301ac6d91b06797b21817b6cb6ac5434dc1d5a58ea74f3d

    SHA512

    2d5ad6ef202c01c7af4af0d68ddcef99306d215beabfb566ca1aaadb243ea461ba11f0944aea0fe11be7888466b2251a85994b22dbd5d2df3c65a3e31608f009

  • C:\Windows\{7E982F5B-E4C8-4f6a-B494-F4581ED0CB47}.exe

    Filesize

    197KB

    MD5

    a36fba590611d49a067cc410c9b19662

    SHA1

    479bdc05319ae4b91f4cbc346367b0b6f3d732c7

    SHA256

    7458c2c90e83db2b020c06a6ab1172b4f768b86e0c3c70dce530d5f80392531f

    SHA512

    c129e9226c73d7492eb9ac558c6593c25e4f0f1ce88f9186333f496668281513ffa801bcae2567c146cf732ef57a19beff5566da50c35f64fdba42f706e0c490

  • C:\Windows\{80925146-E1FC-4fc0-A2FF-9A7F1AC56332}.exe

    Filesize

    197KB

    MD5

    a483f9ca254eaacb82589af2839d7539

    SHA1

    b782e58b569dace9ad12dbf3bbc275d2267458df

    SHA256

    fe5b0c07b39966557a04454e9c0a0fdd64f3a3b94e1fbe909d462e86e6b90f68

    SHA512

    d5b9516c9bf3b103ed92be7240d1508e481f10b1475f30e674d6d8261699f0f1f5acf2e913da811e153d55e68a778dadcfa6fdeb7fa9234622ce6e0fd741852c

  • C:\Windows\{8E82C80E-88E3-4859-B507-8EA31755739C}.exe

    Filesize

    197KB

    MD5

    7b5db91362d533c02a94f27410b25e08

    SHA1

    7478131ff9bc6af57481ab1e043c0a01cdd6ea53

    SHA256

    9cf9029623816e620dbbcf53ee685c47a8fd273bab068929c74cdea2544fd335

    SHA512

    959713fab1c88e3bf93719eee746ff1b817ec8d5e84c3826177d4390fd83731c7f3ee66660d234b006d09fddaf8f6a050f3cb535225eb2c442723abb9e6ae162

  • C:\Windows\{8FC6F7AA-5165-4c99-A703-9A8FB2486654}.exe

    Filesize

    197KB

    MD5

    ee0d2cb22089e9090ff6bd78cf8f4051

    SHA1

    db0231bc10400b423ae9e5887d81082d37a9f54f

    SHA256

    f329b6f062c47cc1e475ce5c1b8b9c038e3b3a0293b93c8d6bb72d11e0d9b6c6

    SHA512

    fdd9e9eba07e5dc7707df01638152d929b6965ac0a8022da3da470aec380f7d7dcf4316ecb54c96e96f730457007122d250d9a14cf6042abd586e0d568366a71

  • C:\Windows\{DDEB8A74-2A41-4290-963D-29EDFF4389AD}.exe

    Filesize

    197KB

    MD5

    b2e2e313c415f8598a247392d4bb6399

    SHA1

    2587d93b39be7c11c56b699635ef129f9c067a70

    SHA256

    fa77adbe6273ee950f0a1902bcaeb25ea9d06fc492083c1e09d93ede35ea843a

    SHA512

    5d43e9252b16c88556bdb1f3eb55ca8090b3456c96a9e8a9c7ad48df8056f746e74b9ecec3b7afdb651320f410a69c5d811fbbb2d41fc24b16b1893af6af34a1

  • C:\Windows\{FD0A1E4E-ED5D-4c83-85E9-946BB2997629}.exe

    Filesize

    197KB

    MD5

    e398290622770c20883721ff9dae2173

    SHA1

    af5a55a264d8ac026c58adefd5ed418db0d320aa

    SHA256

    3fe2c3b9a4d5e14d26c70060f99dd53acf7f9b31c4504a982503a055782f677f

    SHA512

    d41bc41b624d9159016bc1e4cb1936093ab42d23f29ebc319496a8668df778d174232aa9acf46be2375f0d3068f7b66848adf268b887b9da214437a3cb884e3e