Analysis

  • max time kernel
    144s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/08/2024, 20:12

General

  • Target

    2812ff6d68ac7a3f47e09fc89c7fb6565093bd1ea3d1b1adfd8948eba724cdb0.exe

  • Size

    80KB

  • MD5

    9a78d7c98cad77dc28204bf3ae7cee82

  • SHA1

    9c3db91bb7c09836177b4640b89c10d1bf43fdc2

  • SHA256

    2812ff6d68ac7a3f47e09fc89c7fb6565093bd1ea3d1b1adfd8948eba724cdb0

  • SHA512

    5152e062103c0b7fcf85cc532af51b976f4d45ec59aee22b1a3c067f7bdc65eaa72c513b3fc6740ee59197d5916095c29b2df5da3585f3162545f4ef7bbf947f

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroX4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLroX4/wQRNrfrunMxVFAi

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
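
Active Setup runs the StubPath command of every component registered under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} at user logon, once per user, until a matching HKCU key with the same Version exists, so writing one new component key is enough to survive a reboot. The report counts the registry IoCs but does not print the key names or StubPath values this sample wrote. The script below is an added triage example, not part of the report: it parses a constructed `reg export` of that hive holding one entry modelled on a shipped Windows 7 component and one pointing at a GUID-named executable in C:\Windows like the stages listed in the process tree, and flags StubPath binaries that do not belong there. The key names, the values and the TRUSTED_DIRS list are assumptions.

```python
"""Triage Active Setup components in an exported registry hive.

Added example, not part of the sandbox report. REG_EXPORT is a constructed
`reg export` of HKLM\\...\\Active Setup\\Installed Components with one entry
modelled on a shipped Windows 7 component and one pointing at a GUID-named
executable in C:\\Windows like the stages dropped by this sample. The report
does not show the sample's real key names or StubPath values; those, and
TRUSTED_DIRS, are assumptions.
"""
import re

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"
"IsInstalled"=dword:00000001
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DA6DECB7-C846-4fdb-AE02-2BF770771623}]
"StubPath"="C:\\Windows\\{DA6DECB7-C846-4fdb-AE02-2BF770771623}.exe"
'''

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_LINE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<val>.*)$')
COMPONENTS = "\\Microsoft\\Active Setup\\Installed Components\\"
# C:\Windows\{GUID}.exe, the naming scheme of the stages in the process tree
GUID_EXE_IN_WINDOWS = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# where shipped components keep their StubPath binaries (assumption; extend per estate)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: value}}. Only string
    values are unescaped; dword/hex values are kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VAL_LINE.match(line)
        if m and current is not None:
            val = m.group("val")
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group("name") or "@"] = val
    return keys


def stub_executable(stub):
    """Executable token of a StubPath command (quoted or not), with
    %SystemRoot% expanded to C:\\Windows (assumed install drive)."""
    stub = stub.strip()
    exe = stub[1:].split('"', 1)[0] if stub.startswith('"') else stub.split(" ", 1)[0]
    return re.sub(r"%SystemRoot%", r"C:\\Windows", exe, flags=re.I)


def triage_active_setup(text):
    """Return [(component GUID, resolved executable, [reasons])] for every
    Installed Components entry whose StubPath looks out of place."""
    hits = []
    for key, values in parse_reg(text).items():
        if COMPONENTS.lower() not in key.lower() or "StubPath" not in values:
            continue
        exe = stub_executable(values["StubPath"])
        reasons = []
        if GUID_EXE_IN_WINDOWS.match(exe):
            reasons.append("GUID-named executable directly under C:\\Windows")
        if not exe.lower().startswith(TRUSTED_DIRS):
            reasons.append("StubPath binary outside System32/SysWOW64/Program Files")
        if reasons:
            hits.append((key.rsplit("\\", 1)[-1], exe, reasons))
    return hits


if __name__ == "__main__":
    for guid, exe, reasons in triage_active_setup(REG_EXPORT):
        print(guid, exe, "; ".join(reasons))
```

On a live host the same logic applies to `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and, on x64, the Wow6432Node counterpart); a component with a Version value should also be compared against the user's HKCU mirror, since a raised Version re-triggers the StubPath for users who already ran it.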

Processes

  • C:\Users\Admin\AppData\Local\Temp\2812ff6d68ac7a3f47e09fc89c7fb6565093bd1ea3d1b1adfd8948eba724cdb0.exe
    "C:\Users\Admin\AppData\Local\Temp\2812ff6d68ac7a3f47e09fc89c7fb6565093bd1ea3d1b1adfd8948eba724cdb0.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\{DA6DECB7-C846-4fdb-AE02-2BF770771623}.exe
      C:\Windows\{DA6DECB7-C846-4fdb-AE02-2BF770771623}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\{FB2E8682-D340-4d56-B5DB-47CA5BFDD5AC}.exe
        C:\Windows\{FB2E8682-D340-4d56-B5DB-47CA5BFDD5AC}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\{9E6CC7F0-DDDA-4ec5-8171-E7ED6FBCE3E2}.exe
          C:\Windows\{9E6CC7F0-DDDA-4ec5-8171-E7ED6FBCE3E2}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Windows\{7E06CCB4-2537-48a4-A9E1-7F7F5087DD04}.exe
            C:\Windows\{7E06CCB4-2537-48a4-A9E1-7F7F5087DD04}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\{AC0359AD-09BC-4ad4-868C-5D023E49E222}.exe
              C:\Windows\{AC0359AD-09BC-4ad4-868C-5D023E49E222}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:944
              • C:\Windows\{A6BFB369-274B-4f74-8DFE-5922D41C9D12}.exe
                C:\Windows\{A6BFB369-274B-4f74-8DFE-5922D41C9D12}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:572
                • C:\Windows\{56DE9949-3C80-4ebe-A1A2-FC09ADC69D40}.exe
                  C:\Windows\{56DE9949-3C80-4ebe-A1A2-FC09ADC69D40}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3064
                  • C:\Windows\{BCC112C4-2340-4d8a-A91C-21A1EEEADBAC}.exe
                    C:\Windows\{BCC112C4-2340-4d8a-A91C-21A1EEEADBAC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3036
                    • C:\Windows\{7D94C06D-D54B-4c23-8F3F-89E25155C6D0}.exe
                      C:\Windows\{7D94C06D-D54B-4c23-8F3F-89E25155C6D0}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:872
                      • C:\Windows\{41D909C9-CC04-4a97-BA94-80265A208D6A}.exe
                        C:\Windows\{41D909C9-CC04-4a97-BA94-80265A208D6A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1676
                        • C:\Windows\{DACC110B-B92D-4661-A7F7-D9BA5ED2A107}.exe
                          C:\Windows\{DACC110B-B92D-4661-A7F7-D9BA5ED2A107}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2360
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{41D90~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1040
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D94C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1844
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC11~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:684
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{56DE9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3040
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A6BFB~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2648
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{AC035~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2604
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7E06C~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1356
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9E6CC~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FB2E8~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6DE~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2812FF~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2348
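
The tree above is one pattern repeated eleven times: each stage drops the next {GUID}.exe into C:\Windows, runs it, and spawns cmd.exe to delete its own image, addressing that image by its auto-generated 8.3 alias (`{DA6DE~1.EXE` for `{DA6DECB7-C846-4fdb-AE02-2BF770771623}.exe`). The cmd.exe image is reported as C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe because the sample is 32-bit (arch:x86) and WOW64 file-system redirection maps the request to the 32-bit copy. The script below is an added detection example, not part of the report: it reconstructs the first three stages of this tree as constructed process-creation records plus one unrelated process and flags both halves of the pattern. The record fields (pid, ppid, image, cmdline) are an assumption loosely following Sysmon Event ID 1, not a vendor schema.

```python
"""Flag the drop-run-delete chain in a list of process-creation records.

Added example, not part of the sandbox report. EVENTS is constructed from
the first three stages of the report's process tree plus one unrelated
process; the fields (pid, ppid, image, cmdline) are an assumption loosely
modelled on Sysmon Event ID 1, not a vendor schema.
"""
import re
from collections import Counter, defaultdict

# C:\Windows\{GUID}.exe, the naming scheme of every dropped stage
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# cmd.exe /c del <path>~N.EXE > nul : a deletion addressed by the 8.3 alias
DEL_SHORT = re.compile(
    r"cmd\.exe\s+/c\s+del\s+(?P<target>[^\s>]+~\d+\.EXE)\s*>\s*nul", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TEMP + r"\2812ff6d68ac7a3f47e09fc89c7fb6565093bd1ea3d1b1adfd8948eba724cdb0.exe"
S1 = r"C:\Windows\{DA6DECB7-C846-4fdb-AE02-2BF770771623}.exe"
S2 = r"C:\Windows\{FB2E8682-D340-4d56-B5DB-47CA5BFDD5AC}.exe"
S3 = r"C:\Windows\{9E6CC7F0-DDDA-4ec5-8171-E7ED6FBCE3E2}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"         # image actually mapped (WOW64)
CMD_ASKED = r"C:\Windows\system32\cmd.exe"   # path named on the command line

EVENTS = [  # constructed; ppid 0 marks a parent the report does not show
    {"pid": 2024, "ppid": 0,    "image": ROOT, "cmdline": f'"{ROOT}"'},
    {"pid": 2540, "ppid": 2024, "image": S1,   "cmdline": S1},
    {"pid": 2348, "ppid": 2024, "image": CMD,
     "cmdline": CMD_ASKED + r" /c del " + TEMP + r"\2812FF~1.EXE > nul"},
    {"pid": 2076, "ppid": 2540, "image": S2,   "cmdline": S2},
    {"pid": 2796, "ppid": 2540, "image": CMD,
     "cmdline": CMD_ASKED + r" /c del C:\Windows\{DA6DE~1.EXE > nul"},
    {"pid": 3020, "ppid": 2076, "image": S3,   "cmdline": S3},
    {"pid": 2800, "ppid": 2076, "image": CMD,
     "cmdline": CMD_ASKED + r" /c del C:\Windows\{FB2E8~1.EXE > nul"},
    {"pid": 4000, "ppid": 0,    "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # unrelated process, must not be flagged
]


def short_stem(long_path):
    """Upper-cased first six characters of the long basename, the part an
    auto-generated 8.3 alias such as {41D90~1.EXE keeps (spaces and
    embedded dots are dropped, as Windows does; these names have none)."""
    base = long_path.rsplit("\\", 1)[-1]
    if "." in base:
        base = base.rsplit(".", 1)[0]
    return base.replace(" ", "").replace(".", "")[:6].upper()


def is_cmd(image):
    """Accept cmd.exe from System32 or SysWOW64, since the 32-bit sample's
    request for system32\\cmd.exe was redirected to the SysWOW64 copy."""
    return image.lower().endswith("\\cmd.exe")


def summarise(events):
    """Return ({'guid_exe_launches': n, 'parent_self_deletes': n}, [pids])
    where the list holds processes whose image a child cmd.exe deleted."""
    by_pid = {e["pid"]: e for e in events}
    counts = Counter(guid_exe_launches=0, parent_self_deletes=0)
    self_deleted = []
    for e in events:
        if GUID_EXE.match(e["image"]):
            counts["guid_exe_launches"] += 1
        if not is_cmd(e["image"]):
            continue
        m = DEL_SHORT.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent is not None:
            target = m.group("target").rsplit("\\", 1)[-1]
            # the alias before '~' must be the parent's own long-name stem
            if target.split("~", 1)[0].upper() == short_stem(parent["image"]):
                counts["parent_self_deletes"] += 1
                self_deleted.append(parent["pid"])
    return dict(counts), sorted(self_deleted)


def longest_guid_chain(events):
    """Number of GUID-named stages on the deepest path of the tree
    (11 for the full report, 3 for the constructed subset)."""
    pids = {e["pid"] for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def depth(e):
        here = 1 if GUID_EXE.match(e["image"]) else 0
        return here + max((depth(c) for c in children[e["pid"]]), default=0)

    return max((depth(e) for e in events if e["ppid"] not in pids), default=0)


if __name__ == "__main__":
    print(summarise(EVENTS), longest_guid_chain(EVENTS))
```

Matching the deleted 8.3 alias back to the parent's long name is what separates this from generic `cmd /c del` noise: installers delete files too, but rarely their own parent's image, and rarely by short name. The 8.3 stem check assumes the alias was generated from the first six characters, which holds for the names in this report but not for every filename (collisions beyond `~9` and names with spaces or extra dots shorten differently).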

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{41D909C9-CC04-4a97-BA94-80265A208D6A}.exe

          Filesize

          80KB

          MD5

          1728e92a24a30df843141a9f35a0469c

          SHA1

          2bcb454fc8d0fe26d7a3ed0d81b02e21602b9174

          SHA256

          530d7131d2600e969cb244bc0f6a6e613042af39a5b765f0b239c3ef8a560515

          SHA512

          003ca6e5308e2ceafd26dc076caa963fa9eea75bf164aa8e279aa25d19d793359fc26f9fe3ae2db34a2484f1d2c461a521bf954106403c51633550749f346ef1

        • C:\Windows\{56DE9949-3C80-4ebe-A1A2-FC09ADC69D40}.exe

          Filesize

          80KB

          MD5

          0edca3843f9a42d26d7ee14df8e08089

          SHA1

          a51f771e35f87b5a55236503a7353e4f34c894d7

          SHA256

          5952338c20a3a6cef0703164169edd9b14a2ac7d6c9efdfe508161d3c8fb626a

          SHA512

          c9b40cc8a33932144a623caa57e9f45a9ea86790e0426f276e19bc0456aaab65f35cac26e6ceef85a927ed548ee0e967b2e64f94adf742ea5d1bb231f223cdf0

        • C:\Windows\{7D94C06D-D54B-4c23-8F3F-89E25155C6D0}.exe

          Filesize

          80KB

          MD5

          54719c3ae7a3d8b682001b6042554a18

          SHA1

          1ef5e1e342fc66038bb119f04b38aa558945ef44

          SHA256

          3f051b2174e7d3272c3bac640cee6fffc6792158f97125fe1859f4b812c8e006

          SHA512

          a46ec94b294bcb43255a8b759f1f9f4224594e33f1d21cffa1c81cf8e120316d4305692690d10b0abf1adbc90cc47d0039d8cf0094e6e6830a4a0c9b145f82a5

        • C:\Windows\{7E06CCB4-2537-48a4-A9E1-7F7F5087DD04}.exe

          Filesize

          80KB

          MD5

          87deeff814a26526aa9a86e2b2344214

          SHA1

          d9cbcc2ff25bf200b8f2b003649ef69bd7326139

          SHA256

          c36d9d61eb61bb6015f53963c6857e3c105d3769f703e19cda7efffac4ce545e

          SHA512

          bd868eb150781566235ed6dd6c7d36cdb2cb40eda21f146b34d2b78b2e4d3bde70c097de0b206e82d77e736ef90feb49a4012084d31a1a7097d98e39b4fd3b40

        • C:\Windows\{9E6CC7F0-DDDA-4ec5-8171-E7ED6FBCE3E2}.exe

          Filesize

          80KB

          MD5

          3dc92f959bc1c616835440d7d33244dc

          SHA1

          91d93fc8e2add047ce6808588f52ef2d8b0f7a9c

          SHA256

          197410b489d0578410625e8a2027138d9e6fa03eba06b161ca6c1ffcc37624d5

          SHA512

          3ee084b4561cf0a05cffe61d10a7c25fbba12d9786f122d55f4431b837f1cbef4764a43d409a6c229fa18e50ecbc8c664c26285dafa7d103c7b147cd01a44362

        • C:\Windows\{A6BFB369-274B-4f74-8DFE-5922D41C9D12}.exe

          Filesize

          80KB

          MD5

          8c32a60d020f824e652a3413e6a94d7d

          SHA1

          7af642c3957975c0e7ead88f92b3faeea8a9edeb

          SHA256

          d06a3486e4cb2a999050bced3d87fe850cc5e9d6fdc17cd14102a23950c9f95e

          SHA512

          5149be345c09f52ee486e160eaa2523987a68ccfb267c6d164519313b2a82098b8573cfc6922743a7a55a49ca6557eff79d0ae131df3d9f272695726ffacea9e

        • C:\Windows\{AC0359AD-09BC-4ad4-868C-5D023E49E222}.exe

          Filesize

          80KB

          MD5

          c9edd580c73852ca5e736caec63ab0b6

          SHA1

          284c5ede6afea91c5f2da58999dc3acb92643d20

          SHA256

          e0d34d2ea0f1b035125ab2d8f469172d6e4bdacabccba93a67d2a9afb60d9e76

          SHA512

          e7d9d0beb1b4eb9985f9910cbe0fff899cda9c07b3d19f73b780b012c82baf6862071de545afaf767aa8b01c3704f47b1d1cc39eecb281bce177c9d605153f43

        • C:\Windows\{BCC112C4-2340-4d8a-A91C-21A1EEEADBAC}.exe

          Filesize

          80KB

          MD5

          da487551023472671e279789b6eb0ed2

          SHA1

          a9a48ef419c73669faf88a8b2dedeb5845574744

          SHA256

          2b551d33c78d12f034034c64dfb04f7087571e71445bddb5d859d5cf2329b9ba

          SHA512

          0e13b45b7c355fad1e8e8c4caa41378cc6d60e2df89a2644a0d50ad4acfadd90e9bea72f1b726e4aa3540eaa6200421a0c912a8b841c544a719b65c9e1322781

        • C:\Windows\{DA6DECB7-C846-4fdb-AE02-2BF770771623}.exe

          Filesize

          80KB

          MD5

          d5d4f955721182eb569b43b1110eb1e4

          SHA1

          c1ec8f605014c3099b1c95febf2fd3f17a5fa090

          SHA256

          d43dd2216963862fb841e162c98d2426db323949b17dab113c01e6727810ef60

          SHA512

          37d7cc9c00063bbe63ee8a0c0f760ad1f6e54e3b08dc3e0be09c746790532bdb15c212b690b4dc0a92fec9d4c46b3c4d7a23439452073df3c5936c0ca97c15a7

        • C:\Windows\{DACC110B-B92D-4661-A7F7-D9BA5ED2A107}.exe

          Filesize

          80KB

          MD5

          1e408dd8e3920d92475a5633f1796083

          SHA1

          ffd096927a77790618af2d15fa48982b263f6e4e

          SHA256

          5643e60689eca8a45a0b2fc08fee2bc5052a5d027ee6ec137bd7c531d21c77e0

          SHA512

          8cbe9d12beabe35956456e396602b8f3b71bf47cd49f8d3f03c38d7b25c21e495e3d66d3c181980e3867e2fe38f3ed50c0c40aa08ca4c00ec79907bfb9232eae

        • C:\Windows\{FB2E8682-D340-4d56-B5DB-47CA5BFDD5AC}.exe

          Filesize

          80KB

          MD5

          f42c421eea92cfed2b92236e0a42bde6

          SHA1

          ffa4dd0367c61843fafdb9746f94ce47000fc0b4

          SHA256

          268374c3ce97b38e360ee5e7962c48724cabf36add85bba205dc06fd32e3498f

          SHA512

          733f7ab8951b6748c1a3f8aa452cc217191383e30c03c30e97717712bac29c8e7cb7fb2cf6d2b1450d563d0545d4f1cc3a008bf2d4cf3a1e65dd894036d782ee