Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/09/2024, 13:03

General

  • Target

    bc45a49e7db6309658aa088cfab04850N.exe

  • Size

    90KB

  • MD5

    bc45a49e7db6309658aa088cfab04850

  • SHA1

    22643f7cddd9a26489f3053345250bf132373139

  • SHA256

    6c5610b1bbc577a0d0ab9f45d3030449a3e7b67636c53271f86bb1ed68cff52d

  • SHA512

    cbcb42f7126d1553341ac2a59491bf8f8dce921f5a6520ca220432ecba05e43736b093696295ac97baa84a462cd654868222e5595762bd1c83c8d7c3bed4de99

  • SSDEEP

    768:Qvw9816vhKQLroUL4/wQRNrfrunMxVFA3b7glws:YEGh0oULl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc45a49e7db6309658aa088cfab04850N.exe
    "C:\Users\Admin\AppData\Local\Temp\bc45a49e7db6309658aa088cfab04850N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\{31297A93-3BCB-4f14-AA80-207302E733D1}.exe
      C:\Windows\{31297A93-3BCB-4f14-AA80-207302E733D1}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\{6697F614-90E4-4ff7-B20C-9C5BFF60E3A4}.exe
        C:\Windows\{6697F614-90E4-4ff7-B20C-9C5BFF60E3A4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\{04696DE6-C973-40e7-8CC4-0FC43890B189}.exe
          C:\Windows\{04696DE6-C973-40e7-8CC4-0FC43890B189}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4436
          • C:\Windows\{D60434C3-A466-4ea5-A8F4-305818BE3905}.exe
            C:\Windows\{D60434C3-A466-4ea5-A8F4-305818BE3905}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4480
            • C:\Windows\{E6124F9B-1525-4e62-A9F4-59C2202C2636}.exe
              C:\Windows\{E6124F9B-1525-4e62-A9F4-59C2202C2636}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3700
              • C:\Windows\{0CD64AB1-16BC-4803-87A4-90DCCD01CD58}.exe
                C:\Windows\{0CD64AB1-16BC-4803-87A4-90DCCD01CD58}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1064
                • C:\Windows\{F3B8008A-3F31-4a50-96CD-B289CAA1D9B3}.exe
                  C:\Windows\{F3B8008A-3F31-4a50-96CD-B289CAA1D9B3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4956
                  • C:\Windows\{E748D86D-3D31-4246-8593-25A70E24CCFD}.exe
                    C:\Windows\{E748D86D-3D31-4246-8593-25A70E24CCFD}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:812
                    • C:\Windows\{B5954719-7141-4429-B750-865C8EDBA878}.exe
                      C:\Windows\{B5954719-7141-4429-B750-865C8EDBA878}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2176
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E748D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:528
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3B80~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1160
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0CD64~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4104
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E6124~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3940
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D6043~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3632
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{04696~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6697F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31297~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3688
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BC45A4~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{04696DE6-C973-40e7-8CC4-0FC43890B189}.exe

    Filesize

    90KB

    MD5

    3712e08702695f15975695f31b267496

    SHA1

    5d4609f546b7040f49e995f8ad51d96580ea000e

    SHA256

    28f7e45c599c5eef058864d918d073004b82470233b7779df7ce0295faaba0e0

    SHA512

    97a55251bfcb5cbc5290d12b78c345deeecff1f22cb4c9762dcd7837463200037b50b9803db6c954e5fe355c41aa9fecb41d694334d481ef0ec62f2f0fc417b0

  • C:\Windows\{0CD64AB1-16BC-4803-87A4-90DCCD01CD58}.exe

    Filesize

    90KB

    MD5

    baa60921eb3f139c54894a2c16ff6aa0

    SHA1

    68e2f90ae5dd6ae61dd00a7b0cd56c1ea7e9412f

    SHA256

    6c7b80cf442dc4227e2fd82cc911be18f80c1e09040a68c10e51de37657f370b

    SHA512

    da197a6117c17b8e699b54ac1cffaa38a8c2ced1da5512714c6926e63080f0614aaeee646e0e6758a442188cf8179ee88792b7e2853e9b8178be34a62ab97401

  • C:\Windows\{31297A93-3BCB-4f14-AA80-207302E733D1}.exe

    Filesize

    90KB

    MD5

    6a2ac5cd58be19eb9434a07b16196886

    SHA1

    b961d7a6cd80e8abe0694a9fb4e68e37ccd0db98

    SHA256

    41951a01dac52a31d26448a48eb423110ebf6904a5769487f0d713bbebbd1be1

    SHA512

    4e1d05bfc7b799163f34b1f7717187aab8e949032de22c62e01751bdf56e2e5e8476c6747b5c34ae34de0a4c77c7765808a8f5d3444663e842fe40a4cec6951f

  • C:\Windows\{6697F614-90E4-4ff7-B20C-9C5BFF60E3A4}.exe

    Filesize

    90KB

    MD5

    fe850354a6fdada43b51717122f3f0f8

    SHA1

    02f139bb0e975f3123515d3039919fa3483666ae

    SHA256

    96c2f0d5e8f699058579f7844c452bff06b4f32cc686711761f58ba91bcf2115

    SHA512

    b654f7ca69269f8a684d70c3c5da9c78446f3ce323e7d31df9d5b45f1b782df7416f787be16fd840d710b542ba429f10a26b90552e658cfe626436aa0dc587e7

  • C:\Windows\{B5954719-7141-4429-B750-865C8EDBA878}.exe

    Filesize

    90KB

    MD5

    18c7111538373a832863ff3cdda9989c

    SHA1

    0988fd488af7ef2410127773550aa2bd84e0120d

    SHA256

    dc359268c6f69c8369138331b91265a68a68c5282625bce5357025dc437e3bed

    SHA512

    45676080bc8c8e08170cf228566a1d167b32c780ab444ab79d245682f9f31a94d37ef5c1a1f11a5e8d7e41c4f622035b3bf7d26d7e1fab2617cb11967acf75d7

  • C:\Windows\{D60434C3-A466-4ea5-A8F4-305818BE3905}.exe

    Filesize

    90KB

    MD5

    293f6112e1abef1b057be482e170b63e

    SHA1

    79edb45890981482fda5070b61e89d5350e4d94b

    SHA256

    6720bdb66d174450dc955dbf55ea83a7c5a120b1e65f86e32cfadfd3f9fe650f

    SHA512

    cf2ca62c2af2476ca8fc0eb397a2dece512dfa67839bbc04610f61af4644b909d46da44551e021d644874a32911fa46c465a0e630f46f6915c1f3b5b435dfc7e

  • C:\Windows\{E6124F9B-1525-4e62-A9F4-59C2202C2636}.exe

    Filesize

    90KB

    MD5

    e4afdb2199a7602379e8073adae71023

    SHA1

    66fbede936e9a087397537e8fadecb739c3ae1d8

    SHA256

    56d27b6eb1da4a513f59482c71f2e269a0d804e63f364f9f8198097de93b1a86

    SHA512

    3ba992f72fc3bc411ae0d1c8d31df5d50a50938020786a197d11fc380baf24cdd949c915a1ac7dd249d5199067198b4432908c701d0a7a1383970afa874e3ebf

  • C:\Windows\{E748D86D-3D31-4246-8593-25A70E24CCFD}.exe

    Filesize

    90KB

    MD5

    20b970af4b4cf914d3aa9f6b28f0c23c

    SHA1

    0e8fd27f70f46f015f8755088e710591dd75196f

    SHA256

    91b2412ea145f23f123772d6d2b43df480a15544a2a347e44645afafa78d9235

    SHA512

    67f502eb419a70608e15f04f8a2be24b2db3402b834e974674ac776b823c5f4dbccaf50b4da36f38c9a290f116ef24200f081b7809a1f363660a713cf304f140

  • C:\Windows\{F3B8008A-3F31-4a50-96CD-B289CAA1D9B3}.exe

    Filesize

    90KB

    MD5

    477e7dad40aba23c4fd6178218ef83ff

    SHA1

    711fb60efd552b49e2d3cf500bfae2b8f8ec55dd

    SHA256

    eb33b2081299455047f185c59669b58ce8888a67bd7367c3bbd6e04980f3b322

    SHA512

    dd6fa32d8dbcf2b50101d26c005dfc5f4c21ed5f7796a973640ee1fe3ac9105ed2b3820770f636e0d0ec38a447fff3f23ef8ea9afcf055f14c4f513c18519d05