Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2024, 02:23

General

  • Target

    c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe

  • Size

    90KB

  • MD5

    a19f1807122963e2331337a66e55cd86

  • SHA1

    bde12bcb403ed6d409efa6a62f6dd0e2415498f2

  • SHA256

    c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035

  • SHA512

    7807e3a0f50e0b6e81d9bf80d51fcb8866f399329c3d793749e17e16a608adeb6e232f661c12789dbc6b9eb6a01f71e8b8f5e70b4485fb8ceffdc48b1d4d7d02

  • SSDEEP

    768:Qvw9816vhKQLro/Z4/wQRNrfrunMxVFA3b7glws:YEGh0o/Zl2unMxVS3Hgz

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
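The Active Setup signature above fires 22 times but the report does not print the key values the sample wrote, so the only practical follow-up on a suspect host is to dump HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and triage every StubPath. The script below is an added example, not part of the report and not the sandbox's own check: it parses `reg query ... /s` output offline and flags stubs that are GUID-named executables or that launch from outside System32, SysWOW64 or Program Files. The registry dump is constructed: the first entry is an invented benign component, and the second assumes the sample registers its dropped file under the same GUID it uses for the file name. Legitimate Windows components do use Active Setup, so compare against a known-good baseline rather than treating every hit as malicious; a StubPath runs in each user's context at their next logon, so one key can fire many times on a shared host.

```python
"""Audit of Active Setup entries, for the persistence signature above.

Added example, not part of the sandbox report. Active Setup entries are
subkeys of HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components;
at logon, any subkey whose GUID is absent (or has a lower Version) under
the same path in HKCU gets its StubPath executed in the user's context.
The dump below is constructed: the first entry is an invented benign
component, the second assumes the sample registers its dropped file
under the same GUID it uses for the file name."""
import re
from pathlib import PureWindowsPath

# Shape of: reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}
    (Default)    REG_SZ    Example Component
    StubPath    REG_EXPAND_SZ    %SystemRoot%\system32\regsvr32.exe /s /n /i:U example.dll
    Version    REG_SZ    1,0,0,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FCBC2B4F-E5F2-4559-887A-9C33618494FB}
    StubPath    REG_SZ    C:\Windows\{FCBC2B4F-E5F2-4559-887A-9C33618494FB}.exe
"""

KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\", re.I)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
GUID_EXE = re.compile(r"^\{[0-9a-f-]{36}\}\.exe$", re.I)
# Directories a StubPath would normally launch from; anything else is worth a look.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
ENV = {"%systemroot%": r"C:\Windows", "%programfiles%": r"C:\Program Files"}  # assumed expansions


def parse_reg_dump(text):
    """Yield (key, {value_name: data}) pairs from `reg query /s` output."""
    key, values = None, {}
    for line in text.splitlines():
        if KEY_LINE.match(line):
            if key:
                yield key, values
            key, values = line.strip(), {}
        else:
            m = VALUE_LINE.match(line)
            if m and key:
                values[m.group(1)] = m.group(3).strip()
    if key:
        yield key, values


def stub_executable(stub):
    """First token of the StubPath (quoted or not), with known %VARS% expanded."""
    stub = stub.strip()
    exe = stub[1:].split('"', 1)[0] if stub.startswith('"') else stub.split()[0]
    for var, val in ENV.items():
        idx = exe.lower().find(var)
        if idx != -1:
            exe = exe[:idx] + val + exe[idx + len(var):]
    return exe


def audit_active_setup(dump):
    """Return a list of {key, stub, reasons} for entries that deserve a look."""
    findings = []
    for key, values in parse_reg_dump(dump):
        stub = values.get("StubPath")
        if not stub:
            continue  # registration without a stub runs nothing at logon
        exe = PureWindowsPath(stub_executable(stub))
        exe_dir = str(exe.parent).lower()
        reasons = []
        if GUID_EXE.match(exe.name):
            reasons.append("GUID-named executable")
        if not any(exe_dir == d or exe_dir.startswith(d + "\\") for d in TRUSTED_DIRS):
            reasons.append("launches from untrusted directory " + str(exe.parent))
        if reasons:
            findings.append({"key": key, "stub": stub, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_active_setup(SAMPLE_DUMP):
        print(f["key"], "->", f["stub"], "|", "; ".join(f["reasons"]))
```

On a live host, feed the script the output of `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and also dump the same path under HKCU for each profile: a GUID present in HKLM but missing in HKCU is one that will still fire at that user's next logon.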

Processes

  • C:\Users\Admin\AppData\Local\Temp\c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe
    "C:\Users\Admin\AppData\Local\Temp\c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\{FCBC2B4F-E5F2-4559-887A-9C33618494FB}.exe
      C:\Windows\{FCBC2B4F-E5F2-4559-887A-9C33618494FB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\{41DC0AD3-6DB5-4573-9381-F319DB9FCECC}.exe
        C:\Windows\{41DC0AD3-6DB5-4573-9381-F319DB9FCECC}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\{32A46B4D-C619-430b-ACB9-7BF6053E4B5D}.exe
          C:\Windows\{32A46B4D-C619-430b-ACB9-7BF6053E4B5D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\{6A39FE85-0E11-4e71-ADDC-11B024EF3CC3}.exe
            C:\Windows\{6A39FE85-0E11-4e71-ADDC-11B024EF3CC3}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\{46D5C438-A95E-4b72-AB21-C7D47611D462}.exe
              C:\Windows\{46D5C438-A95E-4b72-AB21-C7D47611D462}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Windows\{A094B0CF-5B5C-456d-864C-2217233303DC}.exe
                C:\Windows\{A094B0CF-5B5C-456d-864C-2217233303DC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1552
                • C:\Windows\{89D32921-83C6-4a6e-9FB6-AA1915699B9D}.exe
                  C:\Windows\{89D32921-83C6-4a6e-9FB6-AA1915699B9D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2092
                  • C:\Windows\{37F78D2A-1CCA-405d-BFE9-A20914EB7C31}.exe
                    C:\Windows\{37F78D2A-1CCA-405d-BFE9-A20914EB7C31}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1724
                    • C:\Windows\{B1C4AB88-B246-42fe-AE8C-AB183ADA1FB9}.exe
                      C:\Windows\{B1C4AB88-B246-42fe-AE8C-AB183ADA1FB9}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:696
                      • C:\Windows\{AA6DBF6D-93D0-42d4-8D4B-B8805F911426}.exe
                        C:\Windows\{AA6DBF6D-93D0-42d4-8D4B-B8805F911426}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2504
                        • C:\Windows\{6F52C60D-6794-488c-A9BE-DEC7695BB2C4}.exe
                          C:\Windows\{6F52C60D-6794-488c-A9BE-DEC7695BB2C4}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1240
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AA6DB~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1720
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1C4A~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2456
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{37F78~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2900
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{89D32~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:628
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A094B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1864
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{46D5C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1184
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6A39F~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2680
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{32A46~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3024
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{41DC0~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCBC2~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C93704~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2392
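The tree above is a fixed pattern repeated twelve levels deep: each stage writes a GUID-named copy into C:\Windows, launches it, and then spawns `cmd.exe /c del <own 8.3 short path> > nul` so the file is gone once the process exits (the image is C:\Windows\SysWOW64\cmd.exe because the 32-bit parent's system32 path is redirected by WOW64). The following detection logic is an added example, not part of the report and not the sandbox's own signature: it rebuilds parent/child relationships from process-creation events, resolves the 8.3 short name in each `del` back to the parent's image, and measures the depth of the GUID-dropper chain. The events are constructed from a subset of the PIDs and command lines listed above; parent PID 0 stands in for the launcher the report does not show, and one extra benign `del` is added as a control that must not be flagged.

```python
"""Detection logic for the dropper chain in the process tree above.

Added example, not part of the sandbox report. Input events are
constructed from the PIDs and command lines the report lists (a subset);
ppid 0 stands in for the unknown launcher and the last event is a
benign control that must not be flagged."""
import re
from collections import defaultdict, namedtuple
from pathlib import PureWindowsPath

Event = namedtuple("Event", "pid ppid image cmdline")

GUID_EXE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul": the self-removal stub each stage spawns
DEL_CMD = re.compile(r"/c\s+del\s+(\S+)\s*>\s*nul", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Image is SysWOW64 although the command line says system32 (WOW64 redirection).
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    Event(1856, 0, TEMP + r"\c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe",
          '"' + TEMP + r'\c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe"'),
    Event(2188, 1856, r"C:\Windows\{FCBC2B4F-E5F2-4559-887A-9C33618494FB}.exe",
          r"C:\Windows\{FCBC2B4F-E5F2-4559-887A-9C33618494FB}.exe"),
    Event(2392, 1856, CMD, r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\C93704~1.EXE > nul"),
    Event(320, 2188, r"C:\Windows\{41DC0AD3-6DB5-4573-9381-F319DB9FCECC}.exe",
          r"C:\Windows\{41DC0AD3-6DB5-4573-9381-F319DB9FCECC}.exe"),
    Event(2748, 2188, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FCBC2~1.EXE > nul"),
    Event(2752, 320, r"C:\Windows\{32A46B4D-C619-430b-ACB9-7BF6053E4B5D}.exe",
          r"C:\Windows\{32A46B4D-C619-430b-ACB9-7BF6053E4B5D}.exe"),
    Event(2816, 320, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{41DC0~1.EXE > nul"),
    Event(3024, 2752, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{32A46~1.EXE > nul"),
    # constructed control: deleting some other file is not self-deletion
    Event(4100, 1856, CMD, r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\notes.txt > nul"),
]


def short_name_matches(short, long):
    """Cheap 8.3 check: the stem before '~' must be a case-insensitive prefix
    of the long name, e.g. '{FCBC2~1.EXE' vs '{FCBC2B4F-...}.exe'. A name
    without '~' only matches itself."""
    if "~" not in short:
        return short.lower() == long.lower()
    return long.lower().startswith(short.split("~", 1)[0].lower())


def in_dir(path, directory):
    return str(PureWindowsPath(path).parent).lower() == directory.lower()


def is_guid_dropper(ev):
    """GUID-named executable sitting directly in C:\\Windows."""
    return in_dir(ev.image, r"C:\Windows") and bool(GUID_EXE.match(PureWindowsPath(ev.image).name))


def is_self_delete(ev, parent):
    """cmd.exe deleting its parent's own image, by long or 8.3 short path."""
    if PureWindowsPath(ev.image).name.lower() != "cmd.exe":
        return False
    m = DEL_CMD.search(ev.cmdline)
    if not m:
        return False
    target, pimg = PureWindowsPath(m.group(1)), PureWindowsPath(parent.image)
    return (str(target.parent).lower() == str(pimg.parent).lower()
            and short_name_matches(target.name, pimg.name))


def analyze(events):
    """Return self-deleting (cmd_pid, parent_pid) pairs and, per root process,
    the longest descending chain of GUID droppers."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    self_deletes = [(e.pid, e.ppid) for e in events
                    if e.ppid in by_pid and is_self_delete(e, by_pid[e.ppid])]

    def longest_chain(pid):
        best = []
        for c in children[pid]:
            if is_guid_dropper(c):
                cand = [c.pid] + longest_chain(c.pid)
                if len(cand) > len(best):
                    best = cand
        return best

    roots = [e for e in events if e.ppid not in by_pid]
    return {"self_deletes": self_deletes,
            "dropper_chains": {r.pid: longest_chain(r.pid) for r in roots}}


def verdict(report):
    depth = max((len(c) for c in report["dropper_chains"].values()), default=0)
    if depth >= 2 and report["self_deletes"]:
        return "self-replicating GUID dropper chain with self-deletion"
    return "no match"


if __name__ == "__main__":
    r = analyze(SAMPLE_EVENTS)
    print(r, verdict(r))
```

Matching on the parent/child relationship rather than on any single hash is the point: every stage on this page has a different MD5, so a hash-only rule would catch at most one of them, while the `del`-of-parent pattern and the GUID-in-C:\Windows chain hold across all twelve.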

MITRE ATT&CK Enterprise v15
Downloads

Eleven dropped files, one per stage; each is 90KB but carries a different hash from the submitted sample and from every other stage, so the file hashes below identify only this run.

  • C:\Windows\{32A46B4D-C619-430b-ACB9-7BF6053E4B5D}.exe

    Filesize

    90KB

    MD5

    cabaa9e315106dcff224b678bee4bda9

    SHA1

    0ac31d78c8028368bd3bb5ae4624436bee5dcbc1

    SHA256

    466b76ed50a9fb3576a125e7bc9e0ea16e19b12b27430c9b944182286eea15f0

    SHA512

    94c8d45838d255c6f2e05777d651bfd03398c60a67bc7f23200759717f96529bf9a64977fd981cc92ec8f0905dcfb5e64e8afe6b05901dd4bb32b29f7ddef1ca

  • C:\Windows\{37F78D2A-1CCA-405d-BFE9-A20914EB7C31}.exe

    Filesize

    90KB

    MD5

    7edd6f82f89cc9775cab39602b1be56e

    SHA1

    9013fe40e1238c3b8fb7b3273dd906e4049a2b55

    SHA256

    b114445d362af2179226e07aaffbf95f13b4c998a701c75a66e8ee718edca4b4

    SHA512

    08a101af5ea38b6a7bd4eb6ab053dbb13328206d4ef9540cb6af2b57f9173649eb59e5fb81afd58cc46c07c9e30ee3b978a8b6d7e945cb97b11d26b0671a1b63

  • C:\Windows\{41DC0AD3-6DB5-4573-9381-F319DB9FCECC}.exe

    Filesize

    90KB

    MD5

    cdf99d1f89f7e80eefd014dc622db0be

    SHA1

    c5397670d5b5db0945caebae2548c42f6a8e17fa

    SHA256

    d92aa517da5cd21841814bc98215a019145d5a5721d1fb1fb718dc871522da24

    SHA512

    a7a8331044033c822888ff5da017778fe1af202938919c808974ef70f09bf0a1517132529fe510901cf4f7f285272419ea021950301ed6064afca154bc0442a5

  • C:\Windows\{46D5C438-A95E-4b72-AB21-C7D47611D462}.exe

    Filesize

    90KB

    MD5

    addb9571eb8a2f32b90b4ec95c83778a

    SHA1

    afbaf4cbe99a7529556d5439c6b540d78d651766

    SHA256

    16d363e0dc35c9aa9785289eb265568549c879ca418d000ddb8fa6359d8204c6

    SHA512

    001bfc9a888ae204a5de265269f4108c94f34d618476941969dc273cfc1b8c97efa9e7a7c43dcfba0af487e31bae5910671f6503b1a9b086b786b1e61cb89c1f

  • C:\Windows\{6A39FE85-0E11-4e71-ADDC-11B024EF3CC3}.exe

    Filesize

    90KB

    MD5

    a122293222a539119c629a2a07dcdc76

    SHA1

    94401d1a8f34715143a3868c0c646f85970eefb2

    SHA256

    4fd6b47e229bdb17c56052fdf1429c2e966fc2e2fa52adaca36fe9a7ea67446a

    SHA512

    15f0d9bdb342fff38729656d11be997e1f2cd3da763b73a8c57c3ab3a7657327da7e8c121c3fdfde35c59e0ec3b2c7514961fea37d6ec4529105470c2b2081f4

  • C:\Windows\{6F52C60D-6794-488c-A9BE-DEC7695BB2C4}.exe

    Filesize

    90KB

    MD5

    c7d65cd116129b5c3b49688f36a09f85

    SHA1

    96bfc124a1f37f6313e537ba3af6186d643c2472

    SHA256

    0f2f56bc76e2bdf463c8a4c9260cee1550d7a1fa2726edf0b07b730d9b41aa82

    SHA512

    37c7321c625fa5e87c7396802aa97b3ed848a89fbc647236ffed4e6d25fb788c148cb2a605b44b8292b754473d0bb7ef396b2e68f8a628743e76ef2580d68726

  • C:\Windows\{89D32921-83C6-4a6e-9FB6-AA1915699B9D}.exe

    Filesize

    90KB

    MD5

    a1b3e062669871b01dfd06c8e5f3ae54

    SHA1

    c5ec93c36a9be862697c03e3177bbf7d74f54976

    SHA256

    e65ebdf5a2718f941bfff81d332629e7efe5559f924ae92e3c8f41f6d327061d

    SHA512

    a1c394cdd01c342d733b30a9d36f74dbbb8722955c9a76707dbd702f4d4fa666af03d1bdae8d7629475599117990e7a73b9814a9ddd9947b28f8627612fb2fb2

  • C:\Windows\{A094B0CF-5B5C-456d-864C-2217233303DC}.exe

    Filesize

    90KB

    MD5

    0fc41ce88700e019f8e3a966e3ef5aa9

    SHA1

    3e0202395c65668a8f5a7fecb493ddc42b48f17f

    SHA256

    2486d6efa282b8dd8ff750566b5019757f09ff22eb6f0894620c0dcc04d86483

    SHA512

    2133f1114c0b6037dcc71d6932dfa20bcd0a4838842d7f547799b92262e2e557411a964f04138562059a7a3baaafe356949e888d5951bce9f28b05e25bceb090

  • C:\Windows\{AA6DBF6D-93D0-42d4-8D4B-B8805F911426}.exe

    Filesize

    90KB

    MD5

    8d956249712ee2f0f0380b5a7330e907

    SHA1

    1f5a15c517908504bd6df9c16fc71d15cd4d0387

    SHA256

    0e172edcb08a329157a9484a5d47135232a2c261898c28c81201a3421d2118e9

    SHA512

    7d16830ab66e5321a60f8d7795937f074722701f7b570a9fa3c5b566a35bd3e61c3361bcbc1887f9de258e25965adaade012863a1abcf2547a609ae738fc1e95

  • C:\Windows\{B1C4AB88-B246-42fe-AE8C-AB183ADA1FB9}.exe

    Filesize

    90KB

    MD5

    fc3cef514c08c0de8c98dde878e68bff

    SHA1

    fc6c61eaf427eca79ae1e21baf2a148401ac7b97

    SHA256

    a1452cea26fe9b01af8d34eced6e1f68433f2776a4cc51130db55cb832d4cd27

    SHA512

    839c024e44497e23a831c9959ee0dc34140c0d03911435aef8edd5f7b9d6c304ab6175c2dc5f2b502cd4ea039943d23b0399b00001e3496e6d7c29c556961910

  • C:\Windows\{FCBC2B4F-E5F2-4559-887A-9C33618494FB}.exe

    Filesize

    90KB

    MD5

    57c63a535821b694ba91e5e6f2681d97

    SHA1

    48d66e178981a202bdcc3343f85b735e4049de70

    SHA256

    6d35cbd12f1d02662e18f0b3589c922f14d0943d6143f953316081dcd39e223f

    SHA512

    05d2fc9673071b44c12db3d7aa982f34f416fcc21884286763fe5386502102305ffcc15047fa2e6d51c6fa4b9e9a13dc6f0f64c231b658ad20c259e2b8b80d5c