Analysis

  • max time kernel
    119s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/09/2024, 06:29

General

  • Target

    6749f3a6a433c31fb6ab65e598eb1d00N.exe

  • Size

    64KB

  • MD5

    6749f3a6a433c31fb6ab65e598eb1d00

  • SHA1

    aea68d6871f0c95e3b9fbe611919f5b2b9293be7

  • SHA256

    da9162c42d00d2c894c6ae45a8cda2e58fc694d1629da24aa8df76cd011264ee

  • SHA512

    ae98904880d69526bd15b789fa82b63f86f506cd14c31638118fa39df4bcc80c953dac86e7a1debec73063f9fb91b74c6a1df52ec4e7575b5969fc933c0bdbbb

  • SSDEEP

    192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwERY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLroW4/CFsrdF

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6749f3a6a433c31fb6ab65e598eb1d00N.exe
    "C:\Users\Admin\AppData\Local\Temp\6749f3a6a433c31fb6ab65e598eb1d00N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:708
    • C:\Windows\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
      C:\Windows\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
        C:\Windows\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\{39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
          C:\Windows\{39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
            C:\Windows\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1832
            • C:\Windows\{059BB384-5DDD-462a-BD49-A49E499125C2}.exe
              C:\Windows\{059BB384-5DDD-462a-BD49-A49E499125C2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1312
              • C:\Windows\{C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
                C:\Windows\{C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2632
                • C:\Windows\{DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
                  C:\Windows\{DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1216
                  • C:\Windows\{D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
                    C:\Windows\{D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2012
                    • C:\Windows\{6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe
                      C:\Windows\{6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2192
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D924E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2248
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF6AA~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1684
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C9961~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2136
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{059BB~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2820
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F14~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3032
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{39116~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{90B40~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0E1E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6749F3~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2872

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{059BB384-5DDD-462a-BD49-A49E499125C2}.exe

          Filesize

          64KB

          MD5

          22a1a255bae27a323c0ef8ba8c36f093

          SHA1

          0f95b729c5dae5045997e361f6f025075dc11b03

          SHA256

          427ac308f4b32fccca7288329f14b3facce1b39edc73c790ea676a2efbc990b6

          SHA512

          0247135892f13064c312e91e9530fa4bef4bc97f7c16c5b94c77f75869f75475d2d6a5b69bdcbfd70608da4fc82bf36a1ca333d6b151cdfb0a0986f50ec31402

        • C:\Windows\{39116B05-A30E-4c51-98C5-4BA8C37219D7}.exe

          Filesize

          64KB

          MD5

          168a027a22405ed3cab8ec3a03d2100c

          SHA1

          e4ed9c5baec1b0bf4122d283a965829b6a998e67

          SHA256

          00d4318556f25c1b3985623b74d167c4b61b7741705178a6a0a4ff88de38bcef

          SHA512

          d6b211bcb150a598508998306ec5dd84bbaa68b54fa8e9c3890573669990a9bb99d6e6b4f441811cfeca13a84cde29431916bfa4039887f8170f6111a5a7d6c1

        • C:\Windows\{6419613F-C821-4311-BC76-4D01FFD6F7EB}.exe

          Filesize

          64KB

          MD5

          982c04d3fcaedbd0e126d9aa8498c9f7

          SHA1

          67888dbd6d9e26ff6b01f2d9ee253aa5ab75c94c

          SHA256

          36556b49606b60419061ef42042b7ace119d8e2a28ccffd5313f5635a9f210c3

          SHA512

          eb681189b318df0819e94d1c7dc4768c5bed2fc6ffdc2f829a86f65ba3d53cd4b71ca8672856e869f161bb3514faf508d00e4025dc20d1bee13a4fa72a6a6d47

        • C:\Windows\{90B40A0A-25C1-440d-9FF3-FDDC4A07B6D7}.exe

          Filesize

          64KB

          MD5

          7ac53b417bc0d88a81ce14cfdae36d54

          SHA1

          e1e9a4889cf69dc31861a4721eca30e7339663aa

          SHA256

          51ecf207eea96b6e43e3e9be883158cbc09244eb0dd70296571a81875519ec47

          SHA512

          eaae01cf59bbe001199f596a4cccb27cdec4f22b5668688b57a8ccff1dbdc0d785e47fffe7a5f09a3c23dcdd3b49b191970e3e49542edf8956f7be2aa59e9e46

        • C:\Windows\{A0E1EC43-8BDB-4fc9-93B5-4105CAAE400D}.exe

          Filesize

          64KB

          MD5

          b04f017bb3bec1985f885b40b32f71b4

          SHA1

          ae0cac152205d049e944446971bc22dcfeb80e0d

          SHA256

          882469c4b700015de653abb8657334ea737353e4423edba71ee76efd42f0cd0c

          SHA512

          c6415d7458d77b31d637f4f320878a3355364991d4a1a0ca395956d9b81662ad28a58e8037ba8f104fb6d9561a839eecccfa37a0e61cfb184f8d30710212c7de

        • C:\Windows\{C99617EB-6F7C-47ea-BECA-B0436DC31403}.exe

          Filesize

          64KB

          MD5

          3325e4540565b23a0b214ce954bc5493

          SHA1

          ddb50f77d21167084f6f38767bffa405beaef9c6

          SHA256

          1be696df7b817a410096585a1d95164b5f04ddd2ddee9dfac66ea0f83f88cb06

          SHA512

          d791316325b17354adaa93e3fa01393456e1f7cb71f32ff1bc6cbe0a550fd77b78c3123d83ae5af4d7bf6eed8a3ddfb521fce28638dfc087bc5e332d945c55c0

        • C:\Windows\{D924E4F5-5050-470e-A671-60A9CE0B26DA}.exe

          Filesize

          64KB

          MD5

          590c5dae234d58e7cb7e95ff7326920c

          SHA1

          dbd608642541cec1e84006f9ef63b527819df0f4

          SHA256

          1dbf63ce043c55e662eefdcfd022dc93b4102ed779ed0da2d72cb943f2bdd96a

          SHA512

          8229e2a288e5f66ec01e5f496cfcdcb5922984f97a5e32a221c78f814d0e98159e8d6e9bea81605ec7bba9f8c1289ffaefc8b6585204e800936173bcacf4ee10

        • C:\Windows\{DF6AAA2F-8A19-428a-B111-77150913BD9A}.exe

          Filesize

          64KB

          MD5

          9bdb2bab42d36fa3b127e3fa851b9601

          SHA1

          0fea5ab49b2ea8fe4711ad21d5552941b2db0646

          SHA256

          8f68800ce84ed36cca5a1c8414ea56c709ccd4fc09619cb0e3268855c06fbb15

          SHA512

          20aa3d8dc2a81452dc4137c6de8a0771be58d3029f939c148f5581358ef24145c37df232b8c9d6b833ea18926f00d456d3f0fb5fbd795069407eac7cbec2f95a

        • C:\Windows\{F7F140D6-0D69-45d7-8459-0AFFA2AA8C52}.exe

          Filesize

          64KB

          MD5

          52e2b5527151781902c5e42d53359a97

          SHA1

          8d9afd5d6dab487c4dc55a825debddaed6cfaebb

          SHA256

          d243c662d56eac948b14d217b4758d2a3eb7f88793e71d081f805b9d59910f45

          SHA512

          800d99d9ea091bc6e72155d99c94a2d229972e5635c8d4b054c63493ee088a67327850c945819b5542b5b0bc564ab8f89ffc3603adae697e0854f886a3019892
