Overview

overview

8

Static

static

3

4b44797f9b...0N.exe

windows7-x64

8

4b44797f9b...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2024 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b44797f9ba623cccbe5041c9dd0fb40N.exe

  • Size

    91KB

  • MD5

    4b44797f9ba623cccbe5041c9dd0fb40

  • SHA1

    5e1a8d221a6c69e2a6491739332f8808acd28a38

  • SHA256

    654289647bb122e15c3a8ed16274169109be4077d9b630662ad998203280051a

  • SHA512

    39fc02e4ec7669cfd2a2fa9237e18a85036b94fd2f7051f196c9330dda2f40bb353d90bc53046467784b99b39055efd9ece274b926c1053c4b2fe8adb68c9619

  • SSDEEP

    768:5vw9816uhKiroK4/wQNNrfrunMxVFA3b7t:lEGkmoKlCunMxVS3Ht

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b44797f9ba623cccbe5041c9dd0fb40N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b44797f9ba623cccbe5041c9dd0fb40N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
      C:\Windows\{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
        C:\Windows\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Windows\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
          C:\Windows\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3232
          • C:\Windows\{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
            C:\Windows\{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1660
            • C:\Windows\{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
              C:\Windows\{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2296
              • C:\Windows\{42E4ADD4-8009-476d-9423-96A94812E862}.exe
                C:\Windows\{42E4ADD4-8009-476d-9423-96A94812E862}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1656
                • C:\Windows\{318FC896-3FAC-425d-AF28-475380F6923F}.exe
                  C:\Windows\{318FC896-3FAC-425d-AF28-475380F6923F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:116
                  • C:\Windows\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe
                    C:\Windows\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:404
                    • C:\Windows\{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe
                      C:\Windows\{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3628
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D43~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4804
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{318FC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1916
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{42E4A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3568
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F04F8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2148
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9EF38~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4496
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{67277~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CB5A3~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:824
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77D4B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4B4479~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{318FC896-3FAC-425d-AF28-475380F6923F}.exe
    Filesize

    91KB

    MD5

    ae09b1cdaab0f8ec3c8383d8e3fc7d99

    SHA1

    f8628598f14afbdfc7cbd07957fc1dea99f4801e

    SHA256

    ddfe7cad36d55e68889ceae5e5164b98ecb2e57be8f2af520af39a5e6c066610

    SHA512

    e635cff966d2272cf7666c3adb174117cbb45aafa7e1d0c167f63298baf8c0b894a0d19c81217244de12df6864b040e7124657cc1d2f9caebe6984dfbebc6da9

    Download Submit

  • C:\Windows\{42E4ADD4-8009-476d-9423-96A94812E862}.exe
    Filesize

    91KB

    MD5

    ddfc3122ab6e819cd975979bad790fc6

    SHA1

    a941c51a42304abf897416f8a560c111b7aca973

    SHA256

    052d258064f9589536273aad4e4b70414b8964ad5126addf16fa1dcd37c567fa

    SHA512

    255a8e73cd9fe99b9772d1d1743ce0f3687b129f0ce3cb9e6b137620a90aad2ad0d71389583fc8cbcd36f20b67ba690e57fc189cc51844935030e583752eb8bd

    Download Submit

  • C:\Windows\{67277E68-86CF-4cee-80D4-0BF95AFC58A2}.exe
    Filesize

    91KB

    MD5

    8358561445453a765ef0546aa1ec38d6

    SHA1

    3ac58dfcf9194cbfbd39b1236590271ab55d19e7

    SHA256

    f2e71807a864a28830e97fff7af6ca93d5dd2ecb4ff7f2a1a9dd4b5fc1036ed4

    SHA512

    476c15e5407076e478e5915cb85dc2adb6389d60352132a233cf7a5f104b6927d626d17329d0754aec49025d67629e5b7e118f333be0698b8d53c1511eca040b

    Download Submit

  • C:\Windows\{77D4BDEC-02DF-41e8-BA65-CC2984637689}.exe
    Filesize

    91KB

    MD5

    c7ae8043db74ed9ea5c1003e58c9e819

    SHA1

    43013c0cabd6881b06a98f120189181acf559a3c

    SHA256

    0e4bf1fef9dbb2590e5d569219dfcee9eb540f88b49736649c7edd70c47db943

    SHA512

    4035a1f364c1af4b83ddf3215e640678e43023dd8a3bdf02edca327dd5c43728451f70badb18c975b53e3c49e3e95ec980931d331da9b98c8a742c372e7a8086

    Download Submit

  • C:\Windows\{9EF381F7-3617-4266-AE96-0994865E11AD}.exe
    Filesize

    91KB

    MD5

    2ecc0c80c2f7a60ae94b883af201fbe3

    SHA1

    60825662b4fc0c8dfdad423de30364102cd7811c

    SHA256

    6749b933b4bfc99290bc6aac5cb5d4b51a86cc983b3fd28cb6cca857aa4c894f

    SHA512

    6ba4fb47f5ee24d2a1c2df27e49b2e5c56eba8b3af31145a73995ffea87bedd796b35ba2b6d1a990ec76d73b5223fb177da1669b86629aeeda5a4ff22ac6ecc3

    Download Submit

  • C:\Windows\{A0D43F7A-42D7-40b5-8E22-2DB55FFA394C}.exe
    Filesize

    91KB

    MD5

    cc694ba8690d96b6f47889e5903e0c72

    SHA1

    34b8d5edabce0a616718d41a98403c790ccbf4a6

    SHA256

    f98f916abb477a1b5ea13f05b09f622daf12649cc4abe71c11abaf19f5b06759

    SHA512

    909adf084ca798dc1242e015b6270a26bdb317bffd14b28475263cdc94afa35c14d5603d8a7a959c1d829a8dd3fe0a6608d3fa19f09aa5ec67b2ce81067a812d

    Download Submit

  • C:\Windows\{A7C6F83C-0B8B-452f-996B-F030A7791048}.exe
    Filesize

    91KB

    MD5

    9a3c666571b8c26a2555bcb66abfbb49

    SHA1

    7cbdf5c918f592a4adcd43b601df09de41148e5c

    SHA256

    ea8db02e3fdc25200d9073ccfbdf4c9da5d24c94d5eddd8a3f47390f7f22e9bc

    SHA512

    8db595a573ad04310919f9f52b28bd3b8cf07656831674d5d464b8ed26b28607f45ab2c03c6c352cf1a6d7d1f4098673de173190ab973b71a875d8706e26b4c2

    Download Submit

  • C:\Windows\{CB5A34B0-A6E8-4c14-AE72-34BA31F023C1}.exe
    Filesize

    91KB

    MD5

    22aa0375739bade31b3b23a55a4c8647

    SHA1

    d4aefbda302950c1110c77159d1def88967aec30

    SHA256

    17a375eb3717a6324f395c66d19cef479628b551c3dbab76ea70617bc09b5f87

    SHA512

    07c90e3f3087832d731890a83b0ecac5beae5d67b54cb8c84df1914bc637338883b5d5dde47ca7c14a53f6d1d31a61fa2250cb5a2e9f274fa424a5abf44157cf

    Download Submit

  • C:\Windows\{F04F89D1-4443-4bf9-AD48-A49870216852}.exe
    Filesize

    91KB

    MD5

    09428f675d0a79d53b9083d62230d0e7

    SHA1

    b4f158562036008eee0abf84f4faab9cf78528de

    SHA256

    aa044dcba5a49bae4e84cf7ec00f232ef5fa11f632f026cfc7450b7dfaab92b2

    SHA512

    b06e1aba742fe5276bbfa9005bc887ae9b864d09a16b14c7374e384ae44a5c23049335db7d90d34ba306c1e4920c3edbac41a8e7c9c82b61745e45e9d516ac23

    Download Submit

  • memory/116-46-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/116-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/404-51-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/404-48-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1656-40-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-29-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2296-35-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2296-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2392-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2392-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3232-22-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3628-53-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4860-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4860-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4860-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5104-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5104-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5104-14-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download