Overview

overview

8

Static

static

3

6749f3a6a4...0N.exe

windows7-x64

8

6749f3a6a4...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/09/2024, 06:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6749f3a6a433c31fb6ab65e598eb1d00N.exe

  • Size

    64KB

  • MD5

    6749f3a6a433c31fb6ab65e598eb1d00

  • SHA1

    aea68d6871f0c95e3b9fbe611919f5b2b9293be7

  • SHA256

    da9162c42d00d2c894c6ae45a8cda2e58fc694d1629da24aa8df76cd011264ee

  • SHA512

    ae98904880d69526bd15b789fa82b63f86f506cd14c31638118fa39df4bcc80c953dac86e7a1debec73063f9fb91b74c6a1df52ec4e7575b5969fc933c0bdbbb

  • SSDEEP

    192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwERY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLroW4/CFsrdF

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6749f3a6a433c31fb6ab65e598eb1d00N.exe
    "C:\Users\Admin\AppData\Local\Temp\6749f3a6a433c31fb6ab65e598eb1d00N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\{E870FD73-798B-43a0-9B99-EA1CB95ADF3B}.exe
      C:\Windows\{E870FD73-798B-43a0-9B99-EA1CB95ADF3B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\{89AC63A7-946D-47d1-B04C-4FF29A98551D}.exe
        C:\Windows\{89AC63A7-946D-47d1-B04C-4FF29A98551D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\{8C701867-BCD1-41de-B6A9-F3C019DE5ACE}.exe
          C:\Windows\{8C701867-BCD1-41de-B6A9-F3C019DE5ACE}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3176
          • C:\Windows\{459FF8C6-889F-4847-BFE6-3BB22D8EE650}.exe
            C:\Windows\{459FF8C6-889F-4847-BFE6-3BB22D8EE650}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3244
            • C:\Windows\{22854050-92D3-4d52-BC0B-703B9C2874A8}.exe
              C:\Windows\{22854050-92D3-4d52-BC0B-703B9C2874A8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:548
              • C:\Windows\{99968B7E-5A33-40c6-B2C7-94640B382D34}.exe
                C:\Windows\{99968B7E-5A33-40c6-B2C7-94640B382D34}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2316
                • C:\Windows\{99451793-D36C-4d21-9136-B2ED56A4FD25}.exe
                  C:\Windows\{99451793-D36C-4d21-9136-B2ED56A4FD25}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3384
                  • C:\Windows\{CB13DFEF-05FD-4960-B4ED-22D9A6FC6C59}.exe
                    C:\Windows\{CB13DFEF-05FD-4960-B4ED-22D9A6FC6C59}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1188
                    • C:\Windows\{10821D35-0BE7-4ce1-BF72-26174DF9CCA9}.exe
                      C:\Windows\{10821D35-0BE7-4ce1-BF72-26174DF9CCA9}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3416
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB13D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2536
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{99451~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2788
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{99968~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1056
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{22854~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4732
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{459FF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2196
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8C701~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{89AC6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3520
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E870F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6749F3~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{10821D35-0BE7-4ce1-BF72-26174DF9CCA9}.exe
    Filesize

    64KB

    MD5

    ac770add719b04a8c0e1039ed710f32e

    SHA1

    c5269517fb9c406bbf5b11f32a5863510c13b27e

    SHA256

    0a227861b2a8f5b5c2e48558af4a1e99d0a8b223c1a23289f70bad7c9f9dae24

    SHA512

    24e810ec94f96285a6f90f2b3010ba6e69d6ee49af9cefb1ef83ae3149b6da7e31a27732afcce6bef71a3115fff441ff2f195fc95b869d656e03912cecfb3e13

    Download Submit

  • C:\Windows\{22854050-92D3-4d52-BC0B-703B9C2874A8}.exe
    Filesize

    64KB

    MD5

    4a5be8ddd0cfda54b11d87931c703a03

    SHA1

    1bf5782d32b1834b928f8a61f5fbaee5bdb1e66a

    SHA256

    f67fdf7e53bc211e06ed12ba7ed2decd0c28b5ffd3f9579fe72caadb77aae3b5

    SHA512

    ed1060896f525936edde365551bf387c9c70a7e34a6c025431af93cb518dcca571596842814205d49b871b746d773840a4753ea02735b72c2bab9e3aa42f4d08

    Download Submit

  • C:\Windows\{459FF8C6-889F-4847-BFE6-3BB22D8EE650}.exe
    Filesize

    64KB

    MD5

    4945cf1fe4bf1d596c606a4a65fa6706

    SHA1

    a33121373597733eb8daca6ea6d5bda93e5e8f37

    SHA256

    62966d4a5653d3461d263674039eb167fc9fee2110a3d131c31f3dbd6f639dec

    SHA512

    3b8bf8eb9107df7fcbdad472b1076078d737402855ff7a44cbbee4ece29a243124b12b1f3d69e80d2b5fb6412e9c9390e00b2c94e755885ad824962f70f89541

    Download Submit

  • C:\Windows\{89AC63A7-946D-47d1-B04C-4FF29A98551D}.exe
    Filesize

    64KB

    MD5

    390c502e4ff69473f82ed570b4582cbd

    SHA1

    83b0d70c6d048394fc83cd014feadbe8dd30ec5d

    SHA256

    be52427cfc50e000927db683db5c609a684339adf139977b9b3fa3b77056fc7d

    SHA512

    0e341962fee8e6cb7c82c9dc8fb825de51bebd388acee14bc795ec5c8f58fe28a8c96c2fb1642ba309037d9d33539918ac3ce2b2fc0f23a57b1e3e9c0b978be0

    Download Submit

  • C:\Windows\{8C701867-BCD1-41de-B6A9-F3C019DE5ACE}.exe
    Filesize

    64KB

    MD5

    c43de6f96053f118ae417e2b0252273c

    SHA1

    5bd586336b127edabe90c3f3ca609a7dd688a1f8

    SHA256

    d482c2e4cdffa46c660a5a27df31462251db37e6478e7fb6e2590a6a102d9c47

    SHA512

    171d39b470cfe5b783540bc635d02f43aff2e2b3b82ad1543b284a3852544a702bd387b35cc28e41b3dcdcb23407dc6968ce8d8f73e3b67f8dea789e5cdfd3ea

    Download Submit

  • C:\Windows\{99451793-D36C-4d21-9136-B2ED56A4FD25}.exe
    Filesize

    64KB

    MD5

    6a10a934d73f4f7c07fc5cfc1212d89b

    SHA1

    6f12d39953d2cb1cc74ace0ab6ec865feae2f5d8

    SHA256

    0c70e17566f4d4117853d8c27365591bee71b3741f11ecf6bf945b93e85d8977

    SHA512

    17927778667ff294600ea9fa591f25f13dfa999727ddff91d8c8e96c880b18f7c5888a80e84caaff2dc2f207da7069d9ff401b23567c6b46ff394df6cc882c3d

    Download Submit

  • C:\Windows\{99968B7E-5A33-40c6-B2C7-94640B382D34}.exe
    Filesize

    64KB

    MD5

    f78d08ff792c290746f44e8e6809eacc

    SHA1

    e11c9c072a3ae3be3b62ee9cedf6342bd8ee5adf

    SHA256

    9f68bcf6a308cdeae96a6023e32a0975d82c263105f424f6a9c4317397c4faf3

    SHA512

    da710205471d9c5e6e8ba98993d933a9539ad842792f3660410fc15248239bc7a64dd68570d7a5a5429aa6f441d3e078b7579a75d366fb68f5850af2c6356b95

    Download Submit

  • C:\Windows\{CB13DFEF-05FD-4960-B4ED-22D9A6FC6C59}.exe
    Filesize

    64KB

    MD5

    7e2a779f528cda9c90fd09c5449bd992

    SHA1

    a87d1cd9bac205c85cc8ab0280f8adff224805ae

    SHA256

    5817ca2ecf24b054f36dd4889b098b1ba55780e9cb31525ff4ed93453da7e1a4

    SHA512

    99bb80f7b63c386683021294c483f19fad16f731ea232c766e9be3733770b54c70dc0cc521fb96d64655fd141af0a005e0b7c1019409cb3282551bd8f574845e

    Download Submit

  • C:\Windows\{E870FD73-798B-43a0-9B99-EA1CB95ADF3B}.exe
    Filesize

    64KB

    MD5

    3e821e29bed74e2e12ebe1db1678a00e

    SHA1

    e4303f151f324f4a1199f6a68cc8e3d7d47e88ef

    SHA256

    643e5f66b799d5dc500bf3c732ebc137abfd186dea85bfbdea5a517a3decb27b

    SHA512

    76a8b4f1b7b21103a39a21e923145e81f922521614256d7db8bd97674a882acc2cbb7c09c868299534da030fc486c7313cbf8ef996f1f90b740cf4941900dc00

    Download Submit

  • memory/548-36-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/548-31-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/848-14-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/848-19-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1188-50-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1188-55-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1660-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1660-8-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1660-12-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2248-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2248-7-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2248-1-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2316-38-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2316-42-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3176-25-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3176-20-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-30-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3244-26-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3384-48-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3384-43-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3416-56-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download