Overview

overview

8

Static

static

3

ec59c17231...0N.exe

windows7-x64

8

ec59c17231...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2024 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec59c17231ed8bd67caadc99a2e518f0N.exe

  • Size

    89KB

  • MD5

    ec59c17231ed8bd67caadc99a2e518f0

  • SHA1

    ef386acddf34d329b5d1e095f8f3ae2766ce25be

  • SHA256

    5fe9d40215d42be9b27516622782cca0e10bd4b05695383411c7ef552551156f

  • SHA512

    325b2ad76237df9c18fefc7b08556eadea5b45ebb107dba798d27371655c14ef54d4f7db8903b838c652dc6d8871ebc6e3b5815815d4636c034ea56b58308043

  • SSDEEP

    768:5vw9816thKQLroq4/wQkNrfrunMxVFA3k:lEG/0oqlbunMxVS3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec59c17231ed8bd67caadc99a2e518f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ec59c17231ed8bd67caadc99a2e518f0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\{2E9429EF-EA67-47e8-9A49-CD90759ED2DD}.exe
      C:\Windows\{2E9429EF-EA67-47e8-9A49-CD90759ED2DD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\{98A94D38-FF02-4eee-960C-A992F8D922D9}.exe
        C:\Windows\{98A94D38-FF02-4eee-960C-A992F8D922D9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3572
        • C:\Windows\{2F36715A-7819-47a2-998A-24BCB95BC4A7}.exe
          C:\Windows\{2F36715A-7819-47a2-998A-24BCB95BC4A7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4276
          • C:\Windows\{728F9E36-8036-4a88-958A-05C55B407604}.exe
            C:\Windows\{728F9E36-8036-4a88-958A-05C55B407604}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3588
            • C:\Windows\{21803E5C-5C8E-4435-A2F8-8EEF4026E743}.exe
              C:\Windows\{21803E5C-5C8E-4435-A2F8-8EEF4026E743}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2148
              • C:\Windows\{0974765C-A7D6-4d99-B4C0-DA0542641982}.exe
                C:\Windows\{0974765C-A7D6-4d99-B4C0-DA0542641982}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3580
                • C:\Windows\{D0BF7797-0605-4edc-B135-E7C6BAE026E5}.exe
                  C:\Windows\{D0BF7797-0605-4edc-B135-E7C6BAE026E5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1576
                  • C:\Windows\{2E9AFA76-4D33-4fec-911B-9F6716C7796A}.exe
                    C:\Windows\{2E9AFA76-4D33-4fec-911B-9F6716C7796A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3144
                    • C:\Windows\{302FE9AC-0651-4db3-8EA8-8CAC1921BB25}.exe
                      C:\Windows\{302FE9AC-0651-4db3-8EA8-8CAC1921BB25}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2640
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E9AF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3688
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D0BF7~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3712
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{09747~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3336
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{21803~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:952
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{728F9~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4360
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{2F367~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1372
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{98A94~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E942~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC59C1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{0974765C-A7D6-4d99-B4C0-DA0542641982}.exe
    Filesize

    89KB

    MD5

    36d063a9534f6a7aa71d0ca46cee7204

    SHA1

    10d7661751e6061659b01204b5278a4005048987

    SHA256

    4812824ee8f6d4e33d3794d2f048a2adaeefba48b30433650ebe18dff37400ce

    SHA512

    e0dcaae21bb494efa922e8b85942c6bc85a3303530e7cb1235f36d2e2588275d32cf8690e44b205375846ce6c5767f15ced7d21d044dfcc65889bfa2ddc3296e

    Download Submit

  • C:\Windows\{21803E5C-5C8E-4435-A2F8-8EEF4026E743}.exe
    Filesize

    89KB

    MD5

    270cc7da970162a695e5f77ca467711d

    SHA1

    1003e4777bdcabb626ca98bc92a4c4b0fd9a1158

    SHA256

    18353a6889ca41ec8b208a1b2648d7d0b413676b5a5c8c07c32ce046a7abf7fc

    SHA512

    615b81dc0865803682f2f56f4d1feed284469c594594d103dc52bd24f1fc1c7124a118b04b79d996a8b51d68f7ce248b492410758f743d6abdf2917f123c0360

    Download Submit

  • C:\Windows\{2E9429EF-EA67-47e8-9A49-CD90759ED2DD}.exe
    Filesize

    89KB

    MD5

    40053ebcdb5403f01017d1d124fa55e2

    SHA1

    e81282f3176ff20bae4ef52ec467829057768361

    SHA256

    880d2650fde189f59ad5cce44a14834920f93e31cda829686d7940b3d4d92a80

    SHA512

    1390777d6cbe8aacad924b210c8583f4cecfe5ff50dbc548dcc8039161f882fa1b35d6563ca1c3532b761670ab80d60a8ac5ace87c954e0320a472d9bb060717

    Download Submit

  • C:\Windows\{2E9AFA76-4D33-4fec-911B-9F6716C7796A}.exe
    Filesize

    89KB

    MD5

    22c885cbe0299bfde12164456f754242

    SHA1

    e5b331ca128ad4ca32479e7c8c8efe07b9c1a200

    SHA256

    5b5215ace3b9e34fc00a0280b9a9ba35456229d697d3cda18397438db0e295ad

    SHA512

    330343324f00c821a8d4f7865b9ca30350210098f723b7525d491d2c5badacd8df1532812cb710fcbabff97a77b2852a01d446a3ac8eb25925f02e43e9b5e87f

    Download Submit

  • C:\Windows\{2F36715A-7819-47a2-998A-24BCB95BC4A7}.exe
    Filesize

    89KB

    MD5

    dabcb5bea22b5e8f68067b6bb41403c0

    SHA1

    197c773fc871ef1cf581e3fbbf89bbfe4147709e

    SHA256

    4cbf36eb117f8c5af0bab5c1452b354cdf109d272b060a96883cc84bb44b49ac

    SHA512

    68ec4341d367c4604c8cdb7e71369d0b91ddee11723cfe512bdbf0fb12b45bee914f823e9f7f8c3540c116f0365cc5f276847f7284fb1b09294d16265449e77f

    Download Submit

  • C:\Windows\{302FE9AC-0651-4db3-8EA8-8CAC1921BB25}.exe
    Filesize

    89KB

    MD5

    e292663d84db7156f2ba72473c39c51c

    SHA1

    0dc204d15eef8df0ae65d495e4fbe8c662817bbd

    SHA256

    d4e1709badd7b9b223fd555af89e690921985301b6d46390a9c6ca1e5fb79396

    SHA512

    840b599dd8c7ce6ee282883ac685aca37a8ce45d88d3a5fb15b481fac83ab92425d56d0a78322677b10e684be33b96373d437c9ab4b3128121d454d8c3bde1c6

    Download Submit

  • C:\Windows\{728F9E36-8036-4a88-958A-05C55B407604}.exe
    Filesize

    89KB

    MD5

    1498389f27f24dcf796a9d3b9f5d9894

    SHA1

    9a458ac23f5d0d9befe3557083e34d8604473acc

    SHA256

    a83de8b5f00d0a2f98e35d7e48b35d755519b416c05f420f17fe0d9576741b73

    SHA512

    ed87c3439e9e517770515d2405e06e6a66db0213d37316855db0ad40dd2d99f589befd4e0ba845a1384acb1983912e067c4d0f50e84786916046ecd3b88e7bb6

    Download Submit

  • C:\Windows\{98A94D38-FF02-4eee-960C-A992F8D922D9}.exe
    Filesize

    89KB

    MD5

    b7dbb860ff95cb19dccb8346972a5813

    SHA1

    18525a6621f3a027fa698ce3d6b8b9e1e2602180

    SHA256

    22e87610501691fb5ba09d87676a5f66e0a136be682aaff361332a081b6b333c

    SHA512

    b04da9b9df116b35a83bbf5ccd0c42193eadc6ab4d55b217e4cd9ffc7a408d3c48977c9d7d6816ddd6a4d96f7c7f852aae005e0cd36c9013fc817f0ea2633625

    Download Submit

  • C:\Windows\{D0BF7797-0605-4edc-B135-E7C6BAE026E5}.exe
    Filesize

    89KB

    MD5

    61614157c3ae6a7305fa7cd21092de04

    SHA1

    ee58411f071d9c2b5b7475a95d43dc4f41232e72

    SHA256

    af6ffab16ad83240aeba370b7a73528ddf8f08eec851e7bb7e395b280c5c10da

    SHA512

    d71fa5b5490ad4c73734ae012fc9d02a8adeaa86ae7c850144eda7df164def7e494244fb8a4fc470f53ac634ff2258907ffdfa1d36baf0e2ef5ca705cb15a489

    Download Submit

  • memory/408-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/408-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/408-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1576-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1576-46-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2148-34-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2148-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2404-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2404-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2404-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2640-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3144-48-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3144-52-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3572-14-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3572-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3580-40-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3580-36-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3588-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3588-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4276-22-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download