Analysis

  • max time kernel
    144s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-09-2024 01:58

General

  • Target

    b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c.exe

  • Size

    197KB

  • MD5

    d5dedeed045daa6f7dcdc079187b3e25

  • SHA1

    8e3f34a25da743d73f247ac6e8c01bf7de30bf61

  • SHA256

    b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c

  • SHA512

    60a193eee2700e1113131e67099ca671e33be13c8912c04186607b5bff73359650fb3339641b94d903466b7e0c3a7b7105769f2929433469ad4ce026e4bc9382

  • SSDEEP

    3072:jEGh0oKl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGwlEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c.exe
    "C:\Users\Admin\AppData\Local\Temp\b64ff5f1c84c8bc597d5c3b16be49d4add17ba27d790797e80e650e4f615b67c.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\{E202D03E-4992-412e-9D47-FCD2FBC0B44C}.exe
      C:\Windows\{E202D03E-4992-412e-9D47-FCD2FBC0B44C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\{92A305FA-0097-47eb-8C18-81AD2557AEA4}.exe
        C:\Windows\{92A305FA-0097-47eb-8C18-81AD2557AEA4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\{8EEA6E07-1047-4b80-BFDD-8D5DDE3D0B2B}.exe
          C:\Windows\{8EEA6E07-1047-4b80-BFDD-8D5DDE3D0B2B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\{2FA6C3BC-1859-41bf-99D3-92644217DE34}.exe
            C:\Windows\{2FA6C3BC-1859-41bf-99D3-92644217DE34}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Windows\{809A48CC-6D08-499a-8BFB-AA54CE181058}.exe
              C:\Windows\{809A48CC-6D08-499a-8BFB-AA54CE181058}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1144
              • C:\Windows\{F8960A81-A31E-4b4d-8B8E-FB1F117DB9E9}.exe
                C:\Windows\{F8960A81-A31E-4b4d-8B8E-FB1F117DB9E9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2004
                • C:\Windows\{D7E4DEA6-A5F4-45e9-88CA-3431E332FD15}.exe
                  C:\Windows\{D7E4DEA6-A5F4-45e9-88CA-3431E332FD15}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1584
                  • C:\Windows\{90FD897F-B702-4cd6-B4C8-B4795F1DD65F}.exe
                    C:\Windows\{90FD897F-B702-4cd6-B4C8-B4795F1DD65F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:632
                    • C:\Windows\{53C5BDAC-02F5-494d-A3F6-0FEB8ED16BEC}.exe
                      C:\Windows\{53C5BDAC-02F5-494d-A3F6-0FEB8ED16BEC}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2468
                      • C:\Windows\{C0D26ABA-280A-44d0-B229-152A275E284F}.exe
                        C:\Windows\{C0D26ABA-280A-44d0-B229-152A275E284F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2432
                        • C:\Windows\{D7949B26-B8C1-4f76-9323-ED9A5AA80AE7}.exe
                          C:\Windows\{D7949B26-B8C1-4f76-9323-ED9A5AA80AE7}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1156
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C0D26~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:868
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{53C5B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:948
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{90FD8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2920
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D7E4D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1756
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F8960~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1936
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{809A4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1988
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2FA6C~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:676
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8EEA6~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{92A30~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E202D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B64FF5~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2FA6C3BC-1859-41bf-99D3-92644217DE34}.exe

    Filesize

    197KB

    MD5

    6b523903c1c7dc193832d28e96bc7cb1

    SHA1

    2d44c1610ed009fc42686eee14a7c9611c40cf95

    SHA256

    d8246411d9eb31fb55a6dd5a1c6874ea2c8bcc8492182d54bcde57988acb2e93

    SHA512

    e82e63545533bf6dca7857e023e8a708fce7363c9a98cd5f0f58dc5ae319a84cc7a42f62948cd2419f20495d2f4b2ef96bc69b4171a7d0ac56db546dd1fe5fe9

  • C:\Windows\{53C5BDAC-02F5-494d-A3F6-0FEB8ED16BEC}.exe

    Filesize

    197KB

    MD5

    de4e0af17dc07ab874b4c8fbc6d8070b

    SHA1

    ff9cf2cf4ae768118299e3ab363e725ef588ed30

    SHA256

    042a1355de647b01eedadfa3b31a5ffe830178f1f2375e2707923f06096057b3

    SHA512

    a273638d8c02d3bba9be48edf3b857b04511c7affc4692890ad8793aaa4adf98bd792999282c4fe64ac6b1c743b971ba440fe35ede6ce3cfadf9e28385dd7c94

  • C:\Windows\{809A48CC-6D08-499a-8BFB-AA54CE181058}.exe

    Filesize

    197KB

    MD5

    155dc71018cdece33dff48182d2e5b70

    SHA1

    0a548371666c0838afadfffc9013d15e87689bdf

    SHA256

    2b7f0711d89a5c6a330fef8d9dbafbb6e94c94f7823444cdce18eb495fdb62b1

    SHA512

    4ecc547d9909910cf518adee892e4fad052ef089d1b8ba27db39edb8f41c34f494e93822e64975bd86cac8e0c7f2581d9effa0c4efc39568ec71e6ca11f92895

  • C:\Windows\{8EEA6E07-1047-4b80-BFDD-8D5DDE3D0B2B}.exe

    Filesize

    197KB

    MD5

    03c77417ce473c12c74d716075db9874

    SHA1

    f616a3d2be38e529afba7ccda638754b9c159d41

    SHA256

    550803b51fa09f8b61da5333f820fd41aa04f781cada25d6ed966e91df3ded94

    SHA512

    06a98cba25254d2ea876debd6029ee56f6a03260e05578e3e669c0bddb2516707c71ce981c66992eb6873134fbd783a0a42dff83ebc2e29e35ef5a344079a9db

  • C:\Windows\{90FD897F-B702-4cd6-B4C8-B4795F1DD65F}.exe

    Filesize

    197KB

    MD5

    9e69b2f00427955a2f4d5ddebe1c8015

    SHA1

    cc4986d3d0469b5b0c160384b0f4ed6f761fa147

    SHA256

    0bd63509822a0788f16bc2eb74f8094dc7ad21a3ffef57b0ebed7e2761403a71

    SHA512

    c44360ccef8184ecba5d4bcd055d29eefa299536f037094eeddda62814bbe106f6a7f8809877ff6e2a4da17273eb9e97b3aa33a2db6aa1e6da371adce8e7cba0

  • C:\Windows\{92A305FA-0097-47eb-8C18-81AD2557AEA4}.exe

    Filesize

    197KB

    MD5

    24280616923471a47da19d5f0247af72

    SHA1

    cc1b9ddf7f723fda51dc5922a8e374e7951e237d

    SHA256

    49f2551d55a30c638b9d71057a2bb97b7622406817369c1e8b2d65650fdec108

    SHA512

    4e3a649eead580bb49367f5666ccc7669e444e383b82b67c01376f573564506bf52247e6f0a73b8f4022f8caef149a1eff9aaee6445c4e3f2ad0b62573653779

  • C:\Windows\{C0D26ABA-280A-44d0-B229-152A275E284F}.exe

    Filesize

    197KB

    MD5

    d3120792f7916fe59d1e94f56f91b2aa

    SHA1

    9b144670d87d32ae276c1e61b6fb06e6ea3b0aeb

    SHA256

    f89bdb42b96d0841846d41b08308a8dd5ff126d466b5b09ec0e50ff2ac6cd12c

    SHA512

    32f530f1b3122da6398fbb70463b2b0a2da74919c0a5dc53b04bde064614478300d42fd36a08e7c134f94b97202daf07efb4b82c7a89697a662ce0af955116dd

  • C:\Windows\{D7949B26-B8C1-4f76-9323-ED9A5AA80AE7}.exe

    Filesize

    197KB

    MD5

    f611a81f78d2b6eb7c2ef322292c7df3

    SHA1

    1433f0e87159f8e9d6dfbc4809d018554a910fc6

    SHA256

    d492639539a70dbae86b7d6b5418b413a5496668c54049737e5da0cf359fd8e0

    SHA512

    101acd019a0d72d4fe0be8fb1ae6559b72e1a49b040f064ecf2bed111abc6b0a7d140871648495d33c3dea2b32e4fa5fa7a80522c8607a3d6a8923d763f93adb

  • C:\Windows\{D7E4DEA6-A5F4-45e9-88CA-3431E332FD15}.exe

    Filesize

    197KB

    MD5

    7d42c368abbc67231667e6f2c0e466e6

    SHA1

    7fc335b9a72e1782a5516eb56d3a4659e114cbeb

    SHA256

    c7932d29d34aaf007904f1b8fcfa59698879af633b8f865f4a07d59ad1c554ac

    SHA512

    35155ea0b92e62dca854d9e3f554a7a24cec67e147fe0ca44b4dac66f5c643f35effdd185b313fe88d848e32dd9e0b4228f1eb467b6a252d977db39209ce9140

  • C:\Windows\{E202D03E-4992-412e-9D47-FCD2FBC0B44C}.exe

    Filesize

    197KB

    MD5

    a3904aa09bfe12bfeedcf3dfba3b0321

    SHA1

    a4471e41640d82f09de42113d3d3f844d3f068f5

    SHA256

    b89be8551eefc8be4dd95a7f2d316f14f13b274b8d196c5b794af454b1b1e45c

    SHA512

    00fa2c0e0849d30575ef48b03ca77685038f613f84023495f0b553203336cf0d2ef1265daf7f0d8dd9afce30605d63702f907b7ba4e9679cd39c2d83495053ad

  • C:\Windows\{F8960A81-A31E-4b4d-8B8E-FB1F117DB9E9}.exe

    Filesize

    197KB

    MD5

    02fb6ac2bfff502092c06b548d43cad2

    SHA1

    b9bbbe43672ed2d5ecde82ca3e36a0efc2beffe2

    SHA256

    8075e88dac89d2d740607ed89760f1a3d51f8cd7032a3c783fa725fd80b0bb1c

    SHA512

    cf48806f20654c4527b0e9712cd1c1be4c4ab94e5fbf48a9ad4bacd2b1bd8a96cf6e0d1c8649214591b5727821e8f3a1d20c9dc5a349ad1416c83f30622dcd66