Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-09-2024 03:58

General

  • Target

    cb06590256be0ac57f30f0e9aaa0a680N.exe

  • Size

    89KB

  • MD5

    cb06590256be0ac57f30f0e9aaa0a680

  • SHA1

    a8362aaa945ff28ed9bc3dd0c1414106447e5221

  • SHA256

    d7b728f75d7a4063764c80b0456a73d1a2e477fc727575c7d6450c8291c27417

  • SHA512

    e3bb0076f653ff9d3d38eaaa6119fa6629e11f5145929b817264b9ce187b556f7103b3118870ea38955a4b63eab5cf28e9f5fb2428daa2e5750d82719b527362

  • SSDEEP

    768:Qvw9816vhKQLroDb4/wQRNrfrunMxVFA3b7glL:YEGh0ofl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb06590256be0ac57f30f0e9aaa0a680N.exe
    "C:\Users\Admin\AppData\Local\Temp\cb06590256be0ac57f30f0e9aaa0a680N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\{23B545C6-0B25-46dc-B8F8-9A26A973969D}.exe
      C:\Windows\{23B545C6-0B25-46dc-B8F8-9A26A973969D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\{1357CD55-1F49-49ab-9AE2-D8846579E30F}.exe
        C:\Windows\{1357CD55-1F49-49ab-9AE2-D8846579E30F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\{319FDCCE-A84A-4b62-B869-58511F1C2B2B}.exe
          C:\Windows\{319FDCCE-A84A-4b62-B869-58511F1C2B2B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\{3A292562-C6AF-43af-9FCB-CC54DFBE5679}.exe
            C:\Windows\{3A292562-C6AF-43af-9FCB-CC54DFBE5679}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\{7093BBDA-3231-4a6d-B112-05E523DE59A8}.exe
              C:\Windows\{7093BBDA-3231-4a6d-B112-05E523DE59A8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3064
              • C:\Windows\{25076408-B90D-4b25-98D2-79583CC6847D}.exe
                C:\Windows\{25076408-B90D-4b25-98D2-79583CC6847D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1412
                • C:\Windows\{4CDAC7D4-8627-4686-BC82-2385BF496FA8}.exe
                  C:\Windows\{4CDAC7D4-8627-4686-BC82-2385BF496FA8}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1448
                  • C:\Windows\{6C969F4B-9AE7-46d1-8847-5B42605D87A5}.exe
                    C:\Windows\{6C969F4B-9AE7-46d1-8847-5B42605D87A5}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1900
                    • C:\Windows\{5616B11C-7D9E-4d41-A26A-53E3E9BC1DCC}.exe
                      C:\Windows\{5616B11C-7D9E-4d41-A26A-53E3E9BC1DCC}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3024
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C969~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2304
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4CDAC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1236
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{25076~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:572
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7093B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{3A292~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2328
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{319FD~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2608
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1357C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23B54~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB0659~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1357CD55-1F49-49ab-9AE2-D8846579E30F}.exe

    Filesize

    89KB

    MD5

    061de5d7158e03a3691c0301820de583

    SHA1

    f2192f289d4f71057d41705e0ec84883fcb3f654

    SHA256

    0e87c2d2f091c1bc05262d0fdf262669d6c5b1440ea652b828fb5c44e11c2316

    SHA512

    e1d1afa37c0c31336304eca568eca180509471a96f265e5998ff691f5681737b020c9bfe1a83a60f5ee0cc6e0a4f2428bd07d03bae487de8cc25b3ba35d1a200

  • C:\Windows\{23B545C6-0B25-46dc-B8F8-9A26A973969D}.exe

    Filesize

    89KB

    MD5

    6f4b2291a4ac750b6836f208e522745b

    SHA1

    84a6a086adfaa80b8c37097023bcdc3cfc57d632

    SHA256

    7be7de48c45103e611e9f7fc26492f5ba67c4c934bb39284c838bb032ff4dadf

    SHA512

    f773281f1dbdef3e5d133a4021631ddcf7c7b2c9e15e2c295724021f638d7a52f6dc7212ebcc4a1198d14382b80a8c69e4fc6c247348d397efb0a0926c533b5d

  • C:\Windows\{25076408-B90D-4b25-98D2-79583CC6847D}.exe

    Filesize

    89KB

    MD5

    74065969fe686fe9d49858903cdd4127

    SHA1

    7a4d037c7b4571758f7b3f1354afff0330497eb1

    SHA256

    835c429a8d8eb9f2a5fbad0d91ec5108fc71c390273358bde3e4b5bf2b900a35

    SHA512

    8fbff2ea4a4f0ce077dd049ab1347a983d090a3b55f9dd234c180f237826d43f27eab929a2ced11e8bfddfe7c225c021e2d39822ad20c295c9d7c3aa4aa616b1

  • C:\Windows\{319FDCCE-A84A-4b62-B869-58511F1C2B2B}.exe

    Filesize

    89KB

    MD5

    23317b5062419a629d7d13fd0aaa2282

    SHA1

    d1440d986a3c73fe5fee04b5629ffd7931dd2248

    SHA256

    73073f06a96835396ccc9d84266e14a9b89beae48e65ddfb813d05b5e3fa9b0d

    SHA512

    f1f0d907bd37e8ee43061578f8d7867aa681915da8295ed972bda3aff53e8a62b0e2831384716c48138068574e808006fae2517789cc04d9ae952e9ed4e0cbfd

  • C:\Windows\{3A292562-C6AF-43af-9FCB-CC54DFBE5679}.exe

    Filesize

    89KB

    MD5

    3f73522a9fc90de2c1d4d26e871165d1

    SHA1

    b186c974bcb0d8a46c96de69f3b480f899d96aaf

    SHA256

    e3ea6c92b1ae40fea883d9718e010f0e2b6e4af4453ff8059d634c1a2851751b

    SHA512

    921c1607f2d9c8e1ed90647a335afbafb81e55726cc9462cf27a7747baefe8402ca825b9e9a6a0bfcf525942674d47cb99fc1a475d64983e06ce69af27f76878

  • C:\Windows\{4CDAC7D4-8627-4686-BC82-2385BF496FA8}.exe

    Filesize

    89KB

    MD5

    77b1c516dca3ce4d5890bcce8024c289

    SHA1

    ba67f76162a304b77f41b2ad6aed24c1e2a3e6cd

    SHA256

    e63d575e92e85efe0798de15d9abf6075157fca71a8b0c52a013db823c4acbde

    SHA512

    dda51ffb7061a84019f6772540135037b5d6ad17d53b4fcc0e52f52ae2ed395430041d6d950e17bd52ea847122dd8a29f79e12ffff192b13a57ba4659b3d4470

  • C:\Windows\{5616B11C-7D9E-4d41-A26A-53E3E9BC1DCC}.exe

    Filesize

    89KB

    MD5

    ab6d18223a47ca53a1ce98c281b95735

    SHA1

    b34a16d2b8f7abc629aefc6cc682ed14b2e24d27

    SHA256

    b3f12e1812a37f1ee69e74788fdb61443ce046ddd24b51f0dcd8527342a7d126

    SHA512

    1fb8908bd128879ee3142d1f2ae82d6208da344202ce78f103c9d574f0ac6e7f4e7617ffe4cd1191d338ce1e32e23eeead88fdc5016485ae16448fce3f73a72b

  • C:\Windows\{6C969F4B-9AE7-46d1-8847-5B42605D87A5}.exe

    Filesize

    89KB

    MD5

    ce5afbeaa782592a1771cb6d99c6c106

    SHA1

    b0f087cea681d923789a3052b0fd3861f7cd9b7e

    SHA256

    5915ff590e88610ec836ab7f452333e50bc21333b26df424e00e940daf0412c9

    SHA512

    b67c737e5facc235c8ac323ff71974806f573c2b5e479d0805118ad59322ef1d224899920fdef300413ecd89d7bf6c9a36276ec93bcef267dd0e9b6f7225577c

  • C:\Windows\{7093BBDA-3231-4a6d-B112-05E523DE59A8}.exe

    Filesize

    89KB

    MD5

    850158de6df7f746615bb737155e9acf

    SHA1

    d02442924b74afc406ce6e33d17a59c94e74ef6f

    SHA256

    4c60acc69e980bc88db4c955c89087684cf69878ec1c5439ae41d93bcc09d5ef

    SHA512

    284846c4ed55a0a2f171e061c68ba39fb06aa404696b858d7a045bf43118bcff5e1f7c279eeb43d0698c3dd048bc1d3dff6d37060575fb7519475f0012500e1a