Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/09/2024, 02:29

General

  • Target

    b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe

  • Size

    90KB

  • MD5

    679da92d799ea9a74f171fe40d783dcb

  • SHA1

    b0687033cf4c64b98aaf4fad60d2331faa87d3f8

  • SHA256

    b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5

  • SHA512

    bc63ebe4981fac675d9145a9c646abf548bcc1b0ccafa1c2313c294031b0f81a7abab81eb6c8685a3f806a6fa75a0ac2561428c0076a96e4fac2cae894981761

  • SSDEEP

    768:Qvw9816vhKQLrop4/wQRNrfrunMxVFA3b7glws:YEGh0opl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
    "C:\Users\Admin\AppData\Local\Temp\b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
      C:\Windows\{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
        C:\Windows\{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
          C:\Windows\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Windows\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
            C:\Windows\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4824
            • C:\Windows\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
              C:\Windows\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:448
              • C:\Windows\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
                C:\Windows\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3960
                • C:\Windows\{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
                  C:\Windows\{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:452
                  • C:\Windows\{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
                    C:\Windows\{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4272
                    • C:\Windows\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
                      C:\Windows\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3804
                      • C:\Windows\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
                        C:\Windows\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3444
                        • C:\Windows\{80989334-5028-4435-9283-6487F423EF25}.exe
                          C:\Windows\{80989334-5028-4435-9283-6487F423EF25}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1184
                          • C:\Windows\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe
                            C:\Windows\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4356
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{80989~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3476
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DFDE7~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4832
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF9BE~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2000
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{331B1~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4320
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F60D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2576
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F6DC8~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3648
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A4ADD~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4148
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8F521~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:764
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F9C94~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2160
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3C4D5~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4888
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19893~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B50360~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2320

Network

MITRE ATT&CK Enterprise v15

Downloads
