Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-09-2024 05:14

General

  • Target

    e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe

  • Size

    168KB

  • MD5

    98b3812735a48904638761327ff848b8

  • SHA1

    f511727d79bedec88ac82c9ead318a97410a5ba4

  • SHA256

    e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c

  • SHA512

    97c3aa2d7695711a486d16104f56272f3e91549b2af7221a4d0300962387211c19f7e90c3f245eb6c974f3beb93d31085afb22eb16bbcfea1362d30337d4d81e

  • SSDEEP

    1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe
    "C:\Users\Admin\AppData\Local\Temp\e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\{3A19EB11-66CE-49f7-963A-2D72237853E8}.exe
      C:\Windows\{3A19EB11-66CE-49f7-963A-2D72237853E8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\{D9A67670-A0FE-4ae9-95BF-A88430A1F50A}.exe
        C:\Windows\{D9A67670-A0FE-4ae9-95BF-A88430A1F50A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\{53D87E4B-CB89-4c7c-98DC-0B9A4DA58F21}.exe
          C:\Windows\{53D87E4B-CB89-4c7c-98DC-0B9A4DA58F21}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\{5119B931-801C-4552-A998-C5256CEF0F1A}.exe
            C:\Windows\{5119B931-801C-4552-A998-C5256CEF0F1A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2824
            • C:\Windows\{3970548C-E76F-4a55-AB30-3502F026A7F3}.exe
              C:\Windows\{3970548C-E76F-4a55-AB30-3502F026A7F3}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2552
              • C:\Windows\{1B833B5D-CF77-4176-BABA-AEE19A253628}.exe
                C:\Windows\{1B833B5D-CF77-4176-BABA-AEE19A253628}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Windows\{4499218F-575C-4917-B92A-1476D3BD8A26}.exe
                  C:\Windows\{4499218F-575C-4917-B92A-1476D3BD8A26}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1644
                  • C:\Windows\{A19750D7-61BD-4a08-AB51-F42BDE469602}.exe
                    C:\Windows\{A19750D7-61BD-4a08-AB51-F42BDE469602}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1288
                    • C:\Windows\{83AE38B2-23E6-4ca8-8FFD-BC7A96FFB6EF}.exe
                      C:\Windows\{83AE38B2-23E6-4ca8-8FFD-BC7A96FFB6EF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1936
                      • C:\Windows\{7EC0823E-EB09-403f-BBA0-61975354C334}.exe
                        C:\Windows\{7EC0823E-EB09-403f-BBA0-61975354C334}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2228
                        • C:\Windows\{D47D20A0-123E-4255-878C-83961F6B3A96}.exe
                          C:\Windows\{D47D20A0-123E-4255-878C-83961F6B3A96}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7EC08~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:584
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{83AE3~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2156
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1975~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2732
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{44992~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1724
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1B833~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1324
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{39705~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1808
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5119B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2604
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{53D87~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2576
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D9A67~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A19E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E764D0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1B833B5D-CF77-4176-BABA-AEE19A253628}.exe

    Filesize

    168KB

    MD5

    71c06b2e4cd28f6698b7417ce48588d0

    SHA1

    fc669c346c7d0774b6aa37011e90167972e6c9bb

    SHA256

    7ee188c85b3d652903f24a95970d4a30ef4c4e95924715a611300a22875e73d9

    SHA512

    38767b91c465cb5c143f9809f337d31b2d71ae0f5c0c82694ba01c7292aa925c0a9ca1a43bd28ec2d69ef8481dc7a510f7e93da4ba3fbc83def262337bd40cef

  • C:\Windows\{3970548C-E76F-4a55-AB30-3502F026A7F3}.exe

    Filesize

    168KB

    MD5

    860dbaa676daafa185c8a2a0089cb8a8

    SHA1

    c2f1e44e88ddcdcd639bcffce223668257da42ee

    SHA256

    4bf8f54c256fc4ba0dc4c4291c0bdb227686e36eee0e4a29181deece7d8346fd

    SHA512

    d609a0dcfc4e515c1727e854ff706f43fae5c80039b4d85bede2ab831cb39795886eca382ad8060de7107031385068cd7f2ac4a87540e102d45f8e3d6ab148e4

  • C:\Windows\{3A19EB11-66CE-49f7-963A-2D72237853E8}.exe

    Filesize

    168KB

    MD5

    f1bfac2f19a773af23f0e6735da5c6eb

    SHA1

    f2b88309483b07cba6e24d9f832a4a07688c1fb7

    SHA256

    5ee47ce875f70e39ea2643df6166916b75dd430e8fecaa500e784f65df54531b

    SHA512

    b79ceebebbf4ceb4d6d4607941bdc8a83fbb6e87b20e794c86f51a165c852f9d93c2e30f93104259a4551149676e282828c20cb9e4f13910d81488c697597c32

  • C:\Windows\{4499218F-575C-4917-B92A-1476D3BD8A26}.exe

    Filesize

    168KB

    MD5

    3f307837ce3c06237ad8d7b6b7809548

    SHA1

    7f470fdce6b53d24f7ff80d973e09a373f3a4ab7

    SHA256

    fb1edde8d5bc62c9f3ac0f545a6013842548ce26d7415003f08cbb32962a991b

    SHA512

    f1ebde4302e30b44478b0b87479633dca4be124633172eed790d895c4c71e9577d31a583c2a10c811cd0fb4d725baf3883fe87fe90f41a3d37e797d130588395

  • C:\Windows\{5119B931-801C-4552-A998-C5256CEF0F1A}.exe

    Filesize

    168KB

    MD5

    2d34723b40625e96f281c0ded06bd926

    SHA1

    204af9415a17d09ec0a592b304a34ac27d26acb1

    SHA256

    660b1f6c1e781f9356d065026f4beb427b878650b9a1fb8728e66915e0f7441c

    SHA512

    ca99ac303d1ea2fd61aa1cf22918543e9b6a884a5eb59daaca865f084ffa8559f88fca5fef7173472a6b5a1a11b14904cc55c70bd848a4183a0070d4c0106149

  • C:\Windows\{53D87E4B-CB89-4c7c-98DC-0B9A4DA58F21}.exe

    Filesize

    168KB

    MD5

    10570a9ff841c446d5585a2e67344491

    SHA1

    a6df4df48c41d41d362aa1d7f0b9a7f89889d766

    SHA256

    b76fb46aa6f5ff0ce91a3318241392b6e4b3817f1599db154080ca0ce6a86b60

    SHA512

    d489c6e76daad776413ff8f334e1915691f1a3db45536604441a1b958effb6c4d14184b793fb4fc1398fe6418a57be665e86ba1884f1aef06b013f3c59861baf

  • C:\Windows\{7EC0823E-EB09-403f-BBA0-61975354C334}.exe

    Filesize

    168KB

    MD5

    944932bb9c5ff36fe02a77d15a303ce2

    SHA1

    35af835c0c662efa7738840d09b15ecefbc3c653

    SHA256

    5ae4aa08b183b2148c49cd8902095ca888ee683859abb6d6f57c3cc8a16759c2

    SHA512

    58954d983ad71cbd77fabd41ff8358abd693283feddda943801d830588ac3ae6592f9fe8d38b749664d3b0e62e4660a906d43634ad9c301bd086b8faedd9dee6

  • C:\Windows\{83AE38B2-23E6-4ca8-8FFD-BC7A96FFB6EF}.exe

    Filesize

    168KB

    MD5

    ebffc6317f1c55603959a07f67b60288

    SHA1

    8b032241039f0c571081d85647b4dac997bd46f2

    SHA256

    f00450a900502a2a614b2266fce3279936d4acc56ae7a90de12f4dad7d96dde7

    SHA512

    e2305cf77d23b07fb33369fa0e485e25e0e557b01a91942968fb2d1d90affc19cf46a60ef2f1b8bd78670330c62319c328bb969cf8b03c854bec4759de041d65

  • C:\Windows\{A19750D7-61BD-4a08-AB51-F42BDE469602}.exe

    Filesize

    168KB

    MD5

    31dc6f6142f53f1404643416065f2ff4

    SHA1

    f3348546758e769a5da6bdd15cd4004101c4f328

    SHA256

    bc279ffd42b4b3b39d56da876d970737d33c4685243d7eb0c46f7ecfaca879db

    SHA512

    f6441ae3edc7fea2ebecbe314bc3bfe091aa49911220aa8c1cd1d311f78c1332e89bbe8c3857937925c4bdb7762a87f7eaedfd8d0eee9aaf499d9155cedd7119

  • C:\Windows\{D47D20A0-123E-4255-878C-83961F6B3A96}.exe

    Filesize

    168KB

    MD5

    92fe2dba04336660c88e783d2db3fd6c

    SHA1

    71d59b66aa17be269938feca11cc619eacd5f51a

    SHA256

    e75ba2c85fc49189e3d64b6caa69a717ddcdbbb9ddd82c6868069ac6a309389c

    SHA512

    ff9d5635b09fdeb60bf9ff7ec5886080edf86a32c503a4e1ab6ad68ff60d2d67901f8205ca6005b01f9715af2ad890b383617861d6b9141f6c02464d35a1cb74

  • C:\Windows\{D9A67670-A0FE-4ae9-95BF-A88430A1F50A}.exe

    Filesize

    168KB

    MD5

    5e012719ba457112e52b6395298356ad

    SHA1

    a0374f697f442117297d871c1e18aa198f390f77

    SHA256

    74a4ad12b276bc5d227751da3a5f976000c4e5934d1c69bbb6157d960cd9f393

    SHA512

    5b5e9b26fbf077e767eb9aca55616e8be5e9c3b087bf0bd1c543350cc76668eda903330588921548446bac074173c24a9f5b02ed7889fdd49ddcf6ea258ccdec