Overview

overview

8

Static

static

3

174b49c039...0N.exe

windows7-x64

8

174b49c039...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 14:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    174b49c0391925aa81157add3ea6e200N.exe

  • Size

    90KB

  • MD5

    174b49c0391925aa81157add3ea6e200

  • SHA1

    39e701f001d346facca26f2fb5d966a33e32dc42

  • SHA256

    70d4848380a660400596ede2115e0bf3cf7ca4d695f04bdfc114ee24d7bdc828

  • SHA512

    a86485046dd46623d9a0e73a687556d9e4a52f22beb480e6e8cc87830533bf5fd5eb385765b858edb9137e330b6f328c6d13f87f9d71ae300a385092a4927882

  • SSDEEP

    768:Qvw9816vhKQLroo4/wQRNrfrunMxVFA3b7glw:YEGh0ool2unMxVS3Hg

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\174b49c0391925aa81157add3ea6e200N.exe
    "C:\Users\Admin\AppData\Local\Temp\174b49c0391925aa81157add3ea6e200N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\{7276DF79-562B-4bfb-A5C3-889039BB02B5}.exe
      C:\Windows\{7276DF79-562B-4bfb-A5C3-889039BB02B5}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\{AC90371F-092E-4abd-B04D-B46443B15B12}.exe
        C:\Windows\{AC90371F-092E-4abd-B04D-B46443B15B12}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Windows\{68FC1A6F-6C08-40b4-AFA3-0B9DBF52B89A}.exe
          C:\Windows\{68FC1A6F-6C08-40b4-AFA3-0B9DBF52B89A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4048
          • C:\Windows\{9B7660F0-AD15-4d5e-A676-54F5A68A4965}.exe
            C:\Windows\{9B7660F0-AD15-4d5e-A676-54F5A68A4965}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:8
            • C:\Windows\{4019E085-3690-4998-9E0E-ABBD3536C8CA}.exe
              C:\Windows\{4019E085-3690-4998-9E0E-ABBD3536C8CA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3604
              • C:\Windows\{CB8DAF0F-8D42-48dd-9A8F-0EFFA5FAB5C5}.exe
                C:\Windows\{CB8DAF0F-8D42-48dd-9A8F-0EFFA5FAB5C5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3756
                • C:\Windows\{A7676610-7B40-4944-BC31-2ED5BDC13056}.exe
                  C:\Windows\{A7676610-7B40-4944-BC31-2ED5BDC13056}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4208
                  • C:\Windows\{9251A77E-BFC0-4481-8E08-7C78CAD15C15}.exe
                    C:\Windows\{9251A77E-BFC0-4481-8E08-7C78CAD15C15}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3496
                    • C:\Windows\{26EB67E1-E823-44bc-A54E-F40070145DE0}.exe
                      C:\Windows\{26EB67E1-E823-44bc-A54E-F40070145DE0}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2900
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9251A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1656
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7676~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2444
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CB8DA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4708
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{4019E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1480
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9B766~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1720
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{68FC1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1796
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AC903~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2252
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7276D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4000
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\174B49~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4248

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{26EB67E1-E823-44bc-A54E-F40070145DE0}.exe
          Filesize

          90KB

          MD5

          994b4164d216442e24fada63eb244c73

          SHA1

          57dc9cdd79482fab352d2ecc6f67258ecc982f54

          SHA256

          89ed314305194f343296d233a917a1e934e876858862e4ae76fe950d5e96e46f

          SHA512

          852594ada8f8d88e6796a852a55718e67ce715b62448eb15009baef0b3b2a8024e7d876ec5d897b503b61e93815f261caa04f7b8f1c22bece32e0ea182f59f27

          Download Submit

        • C:\Windows\{4019E085-3690-4998-9E0E-ABBD3536C8CA}.exe
          Filesize

          90KB

          MD5

          bcf5aa6aa71b82903796449cc88c32a6

          SHA1

          36f8bfdab941979790978a9145afd54e66666f24

          SHA256

          023d8df33a569b4d6b090bd4c78a9351cbb454dc835bb6e5a610d3c9b49ced99

          SHA512

          4fc0f06a3f7b5282e262fb6197e2162d1fa01670c3ba7f32111252fa3988db1688e747d7837723b9b02f96c57449727e309f132e55001fdc3951ef79c7abb54f

          Download Submit

        • C:\Windows\{68FC1A6F-6C08-40b4-AFA3-0B9DBF52B89A}.exe
          Filesize

          90KB

          MD5

          20ab495046622f04c01431bc0a783790

          SHA1

          7d61789eacf24905bf9c293d004b3533e556040f

          SHA256

          0e9acae1836d2ea16bf8f743db2876a2a0c52e3e9d5fb107e92afe449fb8b342

          SHA512

          df306a58025cd7b28724c3d32ef47752bfb6f04b5c4479a995e6b531e5aadfe108bc40a3a21e29e13dbdcf9b7ebc139ce74f4250a3869c87fc6044196f0c61cf

          Download Submit

        • C:\Windows\{7276DF79-562B-4bfb-A5C3-889039BB02B5}.exe
          Filesize

          90KB

          MD5

          8277c6d704e67a708b8ef444440f2cfc

          SHA1

          b37c79f5d0da9979444217039a8903293618ca38

          SHA256

          ea40bc8b932d341ebb4b414c2e1646e0f362cdb8b21268e49950a3ce3a56d271

          SHA512

          49af246bf93c83c75cab91b79049a99311325db207d2044e0cb1185b5b33b28cef44bc4fb3cd699152859b5555a3f6a1d2ef7ab51257d5172ba9f4b00d50c202

          Download Submit

        • C:\Windows\{9251A77E-BFC0-4481-8E08-7C78CAD15C15}.exe
          Filesize

          90KB

          MD5

          e190dd96259d3eb55de448c7cca0010f

          SHA1

          2c43ea4b42ca607a461b9d1287c4fb0c2a0d8513

          SHA256

          50e149923d5b71b77c716f748faca29fbdd9e3d5e75fbde10062947974046d4a

          SHA512

          87979a041db34151e9700b1ba72d301a8dfc8b0ff65f75b6ffecb09e3b127eb0894033d6f833967e638458229631d2b4f83209f937ebff99d95615b014724127

          Download Submit

        • C:\Windows\{9B7660F0-AD15-4d5e-A676-54F5A68A4965}.exe
          Filesize

          90KB

          MD5

          df27dac870c7574425ca0e7956d5b205

          SHA1

          163aff7c73aa2e2905f79eddd4adf7553e5b1573

          SHA256

          29d08f99952aae3b188b89f51585ad8ce006188dafa3a7287f556c5b0de12c5f

          SHA512

          49d2ad846de8571d5cf3d722b0ea9a20e34ed2da5706a6eb572b072bb2b39c6f697286fe60f0842673e515ffa8fbef71ff47e69e1724642ba699b54359c7f8c5

          Download Submit

        • C:\Windows\{A7676610-7B40-4944-BC31-2ED5BDC13056}.exe
          Filesize

          90KB

          MD5

          1174c81479ff5c805216286840a36c1d

          SHA1

          9087ef0e907935d04c11504b9e0034d397e711ba

          SHA256

          a1e1ccc744374226f229cdd905955b69190ae4d7c5cae77399aeb87603aec00d

          SHA512

          95bce65f2227e7e674e4c619a1a354266892c32ad6466980d4e8fdd9e47d814aa3faceeebd8639ea0dd304745f008d98e1ca3c3ea9b4004c442a0d61cd7e8b55

          Download Submit

        • C:\Windows\{AC90371F-092E-4abd-B04D-B46443B15B12}.exe
          Filesize

          90KB

          MD5

          6018c94dab1ce975a6d17d5be1c1834e

          SHA1

          1a00284881c60b9eb531e7e06bf440fc1cc98050

          SHA256

          db6594af289a30a0e113435170f6e19ea75129fbdc4b04988a37f19a69d574b7

          SHA512

          f98fd652eff4b8add9d887b8a09ecee71beda9a6d2c7051831fcd272cc93164af67644089cea7417f0b5baff2c67daa6c897e25d81fe54a3cfcb3420949a92ac

          Download Submit

        • C:\Windows\{CB8DAF0F-8D42-48dd-9A8F-0EFFA5FAB5C5}.exe
          Filesize

          90KB

          MD5

          596045851f37e73d6f8a58e51a231f25

          SHA1

          0cf14b305d958b0019d37f95bc442141b24acc8d

          SHA256

          a821023c7d4c0c65a41ffc9a356d50f756d959560f8dc619021385dc14a10d22

          SHA512

          67deb181a0e9b4c372f6cb16798c2b340eed5f290fb7b0208464b3c7a3e4dcd813ec0b4e8457b7fb7482c01ca6ad05ad86c4a9a26cb9d327837b7d88b5962b76

          Download Submit