Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2024, 03:05

General

  • Target

    20eda244cb020a1ed13ce2226dea1040N.exe

  • Size

    408KB

  • MD5

    20eda244cb020a1ed13ce2226dea1040

  • SHA1

    5dd1040a647322633ccf6baf4825f999e60b695e

  • SHA256

    507427a0d30c910a287e4e77210cf03ae4da46d967f0d0d53a3f8b660d7571da

  • SHA512

    75a95270839bf48e072b8356d55ed72080942f315d679545022ec7299ce6cb22c436c483693c7114f6ce299d4215488e9792764ec2a18da3751117a8103297ce

  • SSDEEP

    3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGYldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20eda244cb020a1ed13ce2226dea1040N.exe
    "C:\Users\Admin\AppData\Local\Temp\20eda244cb020a1ed13ce2226dea1040N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\{C5627192-F2DF-4536-9CE9-34F33D2E6AD2}.exe
      C:\Windows\{C5627192-F2DF-4536-9CE9-34F33D2E6AD2}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\{C2057765-5EE9-4b8a-AEA1-EE630A683E32}.exe
        C:\Windows\{C2057765-5EE9-4b8a-AEA1-EE630A683E32}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\{DB3B0147-E1FD-430c-875F-47B45EA13836}.exe
          C:\Windows\{DB3B0147-E1FD-430c-875F-47B45EA13836}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\{AED0B5BA-3EDE-45ea-97BA-6587E280C36A}.exe
            C:\Windows\{AED0B5BA-3EDE-45ea-97BA-6587E280C36A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\{BF27BA93-0437-47c3-AD08-94B9DB4FB959}.exe
              C:\Windows\{BF27BA93-0437-47c3-AD08-94B9DB4FB959}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2328
              • C:\Windows\{94ED8E89-2D6A-4b16-8C79-40EE562755A7}.exe
                C:\Windows\{94ED8E89-2D6A-4b16-8C79-40EE562755A7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3064
                • C:\Windows\{9DF08C9A-17D1-48d7-B94E-BD6C73C068F0}.exe
                  C:\Windows\{9DF08C9A-17D1-48d7-B94E-BD6C73C068F0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2196
                  • C:\Windows\{51FE96A0-B081-4386-988F-515597560DBB}.exe
                    C:\Windows\{51FE96A0-B081-4386-988F-515597560DBB}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1936
                    • C:\Windows\{E8757417-5C08-41e4-AA47-39BBC85A16BA}.exe
                      C:\Windows\{E8757417-5C08-41e4-AA47-39BBC85A16BA}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2480
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{51FE9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1696
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF08~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2200
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{94ED8~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2856
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{BF27B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1800
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{AED0B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:760
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DB3B0~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C2057~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5627~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2908
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\20EDA2~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{51FE96A0-B081-4386-988F-515597560DBB}.exe

    Filesize

    408KB

    MD5

    c2ef96e6c1e11426223d171b76b1e3dc

    SHA1

    27cec08bf3536866324ca0a6a16b617a37d352a1

    SHA256

    899c31a0ccb5b9e6a52c67b73e1109e0fd8589dbda3073d7228c96392e7f87ac

    SHA512

    61cfa785e96a8f15909e587c51a2f658e92c1be28569cede6601208dc4d42271652dcc3cc694d44efbed80410d7608f55129134e813d4fec19d2ff5f9797218d

  • C:\Windows\{94ED8E89-2D6A-4b16-8C79-40EE562755A7}.exe

    Filesize

    408KB

    MD5

    aa286c88123e2cb6e0d782194953e14e

    SHA1

    12d4591ec10809c2bdce4592c38c28b5cbeb9d21

    SHA256

    ef6312f750bc1f2ac6f6ff54c82f484cb65b7bf8a87c49551c4a92351af76d70

    SHA512

    dbf55aa64d8094398a832a8796f0932c8a0709049453a6d0488788ff73c366746c810a36ede6f45a6430b1ea51da672bdbaabfa17742cc14f17db8fd6fc76252

  • C:\Windows\{9DF08C9A-17D1-48d7-B94E-BD6C73C068F0}.exe

    Filesize

    408KB

    MD5

    f31418358bb381c5147ba3592027cd8b

    SHA1

    41eaff6a3722a53be74769a8389172533c3247c6

    SHA256

    91b98f6d0556a61786f4dd972712f88791c18021e77e5ebeb2d4e27bf402920e

    SHA512

    99d59c6d0df2e9ed3492448805bd6cdef9ce91a26f668bebfa0a42c518d362be52abbf822fc3ececcfde32f9492dde48f3d03202855e5147515cc0ba3f24241c

  • C:\Windows\{AED0B5BA-3EDE-45ea-97BA-6587E280C36A}.exe

    Filesize

    408KB

    MD5

    372e56c8630ef2d7abd91961d8743e91

    SHA1

    95eb8b9ec2e045f4bc07c77100f2713b296bd67d

    SHA256

    3fddc9ded4ce68ec1f7ee3f0b05ff5ae44f6151c387b2e1cc2676f083b7edeb8

    SHA512

    bacec66af50ff0d7df5a4a781f4204f254ee2362a9d0e913a0e3897be073e629bb6f07e05119c80e76332555832d3ae2d94bd83cd9d668bf6ac9be1d115af1c7

  • C:\Windows\{BF27BA93-0437-47c3-AD08-94B9DB4FB959}.exe

    Filesize

    408KB

    MD5

    378710e665ed5d2d34e29a8e8082c6be

    SHA1

    cc0df4dcead987a7fc8da1cf43f9c234d4a0ad70

    SHA256

    ad7cab675c3a52932a07f4a4abbcbaaade3fd95516b75698b243c8b6595d5639

    SHA512

    84cf2354074c1e81fdafff489665bb154c9f4b786c6dcfd3d23050574dfe2d4e976c8603f1f75c68cc6d955ed8248fddced4cfe87c2a44f67fc34e29205e3abb

  • C:\Windows\{C2057765-5EE9-4b8a-AEA1-EE630A683E32}.exe

    Filesize

    408KB

    MD5

    3a012075a1d7d87d0de42ac80934b8f2

    SHA1

    7992a2cc3de3a8baea95f2696f8749f24fb52fdd

    SHA256

    9f44afc8488f357616b2c294201003bb7467653b12635c6f4c513ce3b01acdf7

    SHA512

    0fc823ae55fc64a2eb181a4fc871a6d0c6929eddb540e1982db2d5d1f213386121200d5cc5d0feeeeebe6a190f18fabf0c0196b072c6f8400322659c9a97ce3e

  • C:\Windows\{C5627192-F2DF-4536-9CE9-34F33D2E6AD2}.exe

    Filesize

    408KB

    MD5

    69bb62ae0b5a8a95e3b82d4136a1e0b6

    SHA1

    9bcd788bb75a32849e28f315b65342fddb299ca0

    SHA256

    16976867e8bc2186f2e63f10e32ec76e1f54f35e96e1a6682ef2600966e9ade7

    SHA512

    ed27528a8ec87adaabe6da797cb2ab957101e05bfbd2bcd6f555303316e4ae4c53ce6c4457052658a1ae0412b3e4595a85899ce4d59eb74a322ce0a26db954bd

  • C:\Windows\{DB3B0147-E1FD-430c-875F-47B45EA13836}.exe

    Filesize

    408KB

    MD5

    569e9756698d80167a075b302ef13804

    SHA1

    e36a062eb5b815865b2ab72e66d1d0c20d433354

    SHA256

    2b1467466e05d52e92efacd998e2a158f6249eaf9022780bfd6051d276506b36

    SHA512

    e9e7a260c2f626ca324ef76758f669d41c8340a55b98ec18dfba290efe25d995c2abc4e89372e4207ac5915eadc309e34a6cd88e6fa02ab9f87b1eaaa70bc72c

  • C:\Windows\{E8757417-5C08-41e4-AA47-39BBC85A16BA}.exe

    Filesize

    408KB

    MD5

    808fb819a3cef59432a4e42ae521ea97

    SHA1

    99edeb4d8b26e689bc468defbb6afcaa745b088b

    SHA256

    0b44763046ecaecd72984c638a9211dd0c727a525b6ffd211c9fa1648afd04d1

    SHA512

    3c20d7c5a686e255b89c9615e34728322b3779ceb48079a3b2f49a48c17db8236d4720151291ae64cbb538c7c81e4622985184209a6cc6ed04f44707803cd233