Analysis

  • max time kernel
    118s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/09/2024, 03:05

General

  • Target

    20eda244cb020a1ed13ce2226dea1040N.exe

  • Size

    408KB

  • MD5

    20eda244cb020a1ed13ce2226dea1040

  • SHA1

    5dd1040a647322633ccf6baf4825f999e60b695e

  • SHA256

    507427a0d30c910a287e4e77210cf03ae4da46d967f0d0d53a3f8b660d7571da

  • SHA512

    75a95270839bf48e072b8356d55ed72080942f315d679545022ec7299ce6cb22c436c483693c7114f6ce299d4215488e9792764ec2a18da3751117a8103297ce

  • SSDEEP

    3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGYldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\20eda244cb020a1ed13ce2226dea1040N.exe
    "C:\Users\Admin\AppData\Local\Temp\20eda244cb020a1ed13ce2226dea1040N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\{572AD497-0606-405a-A316-5BB3EC5CFCA3}.exe
      C:\Windows\{572AD497-0606-405a-A316-5BB3EC5CFCA3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\{41D2C4A6-8D02-4926-9C7C-4CD7A9FDF836}.exe
        C:\Windows\{41D2C4A6-8D02-4926-9C7C-4CD7A9FDF836}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3408
        • C:\Windows\{CAD40C8A-4D68-4823-A36A-4D4A4A39FF74}.exe
          C:\Windows\{CAD40C8A-4D68-4823-A36A-4D4A4A39FF74}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3952
          • C:\Windows\{9AFAC9FB-1792-4ca1-85A7-0B38FAD00D7A}.exe
            C:\Windows\{9AFAC9FB-1792-4ca1-85A7-0B38FAD00D7A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3244
            • C:\Windows\{1BAE1575-564E-4c03-904F-7565D4B8E442}.exe
              C:\Windows\{1BAE1575-564E-4c03-904F-7565D4B8E442}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2952
              • C:\Windows\{06D91EC9-EFFD-43e3-80AB-A58ACAEF5B03}.exe
                C:\Windows\{06D91EC9-EFFD-43e3-80AB-A58ACAEF5B03}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1968
                • C:\Windows\{E2BACBD0-C7FA-46c4-8A9B-A892B73515E6}.exe
                  C:\Windows\{E2BACBD0-C7FA-46c4-8A9B-A892B73515E6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4916
                  • C:\Windows\{BD8D079F-3818-4c9d-8D58-17E9B3776341}.exe
                    C:\Windows\{BD8D079F-3818-4c9d-8D58-17E9B3776341}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3880
                    • C:\Windows\{59ECFD4A-EC43-4a44-885C-AE29B697D662}.exe
                      C:\Windows\{59ECFD4A-EC43-4a44-885C-AE29B697D662}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3664
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BD8D0~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4476
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2BAC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3052
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{06D91~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2880
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1BAE1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1164
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9AFAC~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3544
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CAD40~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{41D2C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4036
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{572AD~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\20EDA2~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2112

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{06D91EC9-EFFD-43e3-80AB-A58ACAEF5B03}.exe

          Filesize

          408KB

          MD5

          31f498a812258f51716e68efe6337094

          SHA1

          da8ebfe218cb8ea338ee29ce6e18646ba7d2035e

          SHA256

          709b3f3dbe2c38e072b366b1273bbfa7528ebea66eea603d0cf5ab14e880be85

          SHA512

          65a9693813e66b8d83542e49ce6155a7b8f44e295eff58a5d6513ade1b222c01694855da101bb0799e6b31bc98bf74b2bb7fff1f423a951ab307b9a2fb1953bb

        • C:\Windows\{1BAE1575-564E-4c03-904F-7565D4B8E442}.exe

          Filesize

          408KB

          MD5

          867de1e3500c23fbf43792bee684cbf5

          SHA1

          3a1e6de56e63d699a74ea802340545c6525e946d

          SHA256

          21e6bb32ae89daa19ac54eed34cda5f09ff741115d01b6a08b9b88654aba51ce

          SHA512

          aa0206bf9dcc6800b994bb8acfe8a07534707a22329402baf3b69650bdb65fed3957e3eb29dbbedcafe7b0e68f55841fce1aba6f7ad116f473d59524980fe301

        • C:\Windows\{41D2C4A6-8D02-4926-9C7C-4CD7A9FDF836}.exe

          Filesize

          408KB

          MD5

          67fd903ff6514f7cb6fa0b56f575d79f

          SHA1

          416735a74521fda86f79fbfea93879cdcecabd43

          SHA256

          38414be6ac7de86eef1cc87a388670619d3f19fa1ca8d8f616a03311e97a2237

          SHA512

          d5a78f44d06c9952ac1a3a0512e90539f61cd06c17508f4e3a322c9fde2b451b72808edd297d1823031ff38c4f5c8685ba15c698534e72195cc5666df03ad096

        • C:\Windows\{572AD497-0606-405a-A316-5BB3EC5CFCA3}.exe

          Filesize

          408KB

          MD5

          4bc3d5ddc1147d4475d37a95cfeb828b

          SHA1

          3690e69e92e8599804a276e666303117626e4ec1

          SHA256

          888302cad551d78bf9a263cbdeea3aa35916ef9ef11736efb20c248eda8f7fe4

          SHA512

          ee97fc03320ac584cd67a71edaa8f74f45307a02f1cdfe33a011cf5918cf9b09060c8cc4a2c94ae77b43a6a28e14f63285a9f0d64e79e2bcc0bbe49b9776d983

        • C:\Windows\{59ECFD4A-EC43-4a44-885C-AE29B697D662}.exe

          Filesize

          408KB

          MD5

          6639c4b4087d7eba21fb52e3b05141bf

          SHA1

          01ed3114c8c67174bffaf6aa5349436f16742688

          SHA256

          58dfbcf9b4ba48452907b5525d3a36b85b6a8bcd02e0b3ca5f62a87021777ed9

          SHA512

          6539e7c66bcc8742753eff4e7ce961ecb2589802ce885e229d2d84410d3a7f5cac57727216526f695023ef39ec3eaeb8e7b37bfb31c2b2e9594d70d1690393d8

        • C:\Windows\{9AFAC9FB-1792-4ca1-85A7-0B38FAD00D7A}.exe

          Filesize

          408KB

          MD5

          51a829a6764f2b984fd4e8e27e129ab3

          SHA1

          e1586ddb0a07fd837e824a725e18d5310dd0e1c5

          SHA256

          051ddbd1ecb8e5d5a9a150cb9304f530f517edf96d13be8c0a46e4220610ed4e

          SHA512

          424b0e02d84d1427e8f504aa0e8eced576541b4a759ffec342f28686d2996ab23734e09ae2d5e02e5956e9dbcfc9e3b765340937966afa4b49aab01737a948e4

        • C:\Windows\{BD8D079F-3818-4c9d-8D58-17E9B3776341}.exe

          Filesize

          408KB

          MD5

          08b803917a8e7128f87a30f71f78a8bf

          SHA1

          7dd0eef8c15d7617fee29ae70ea881534aa19e02

          SHA256

          c2e876e98a0dc41be6217bb5b3ee1903f9fe4a859824ee28cddd713606e0db6f

          SHA512

          b5f9c82b94694922325d9118f9a527eaa9988e6fc4a31d3f9be476137ac78bb17ccdf834908ec06942e6ac79e2d36ff3133beee410ba67549f93e81902dcf391

        • C:\Windows\{CAD40C8A-4D68-4823-A36A-4D4A4A39FF74}.exe

          Filesize

          408KB

          MD5

          c72b3f936b3357154f54de9828ed0adb

          SHA1

          fdc9184f40eb70e0143862cf70f5f52ae66a28e7

          SHA256

          5cf8b8ccd832efb893b55602c3e5cbe83152e8adee79792afeb1f55545b2731c

          SHA512

          afc2f4de6179ea1cc734a1d67ae6654b93f329dd0a2f8e9c7eef8f21af28a2abc08adaf0a396a46b8eaf9992b963eb89755f66436d76499e30d1aa99369ef718

        • C:\Windows\{E2BACBD0-C7FA-46c4-8A9B-A892B73515E6}.exe

          Filesize

          408KB

          MD5

          c305f161057d46c462e4f9cf9579393e

          SHA1

          082727e98a2350a7292066fb3c2fa45a4f4ab7bb

          SHA256

          016779d1aed8933c14fd5794640f94626e0308daabdf93f3d3b58c5260552f26

          SHA512

          1d5da8474ebb69614a10e6fa24d6aad6a76a9caeb01c2177fa194fb84cb9058b9a4562c39aac61d2918220eff49b9ffc866c066df1a2a899f1a15a13a8e8f9dd