Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/09/2024, 20:35

General

  • Target

    0a6044d74688986491f21d842878d610N.exe

  • Size

    89KB

  • MD5

    0a6044d74688986491f21d842878d610

  • SHA1

    6882c7b0930884261f54c47303a294f1c8f0b69d

  • SHA256

    e7c24c87e807e70c6e22982368b3caf8e1a0877730c856f3d5d3fc70a4a10967

  • SHA512

    428807a2d43ee09f5526bbd7b98daadd2f3b78ed0e30a54ff528abe0996fc9814a2d656447646831f4cbed5e0a3b1de50f32126c25862dad7c8ef2b32eb42eda

  • SSDEEP

    768:Qvw9816vhKQLroS4/wQRNrfrunMxVFA3b7glL:YEGh0oSl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a6044d74688986491f21d842878d610N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a6044d74688986491f21d842878d610N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\{407ED18F-B142-4aa6-B7EF-8390B73F4A49}.exe
      C:\Windows\{407ED18F-B142-4aa6-B7EF-8390B73F4A49}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\{87439BDE-39CA-4a33-B0D0-2F27F41707B8}.exe
        C:\Windows\{87439BDE-39CA-4a33-B0D0-2F27F41707B8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\{65E02D13-C93A-4bd8-84CA-5C2FF9EFCF41}.exe
          C:\Windows\{65E02D13-C93A-4bd8-84CA-5C2FF9EFCF41}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\Windows\{F61CC614-E32C-4cb7-A5C5-FA3CD096F2F0}.exe
            C:\Windows\{F61CC614-E32C-4cb7-A5C5-FA3CD096F2F0}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\{16639536-3A24-4789-9AB9-1B54A2A72910}.exe
              C:\Windows\{16639536-3A24-4789-9AB9-1B54A2A72910}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1664
              • C:\Windows\{D7331DA0-3B10-48f0-AE59-37263C3C838B}.exe
                C:\Windows\{D7331DA0-3B10-48f0-AE59-37263C3C838B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1620
                • C:\Windows\{E1B8869C-BF23-4b35-A216-4894824BEC99}.exe
                  C:\Windows\{E1B8869C-BF23-4b35-A216-4894824BEC99}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2040
                  • C:\Windows\{26819CAA-5CC3-47be-B04E-7B02868B54C4}.exe
                    C:\Windows\{26819CAA-5CC3-47be-B04E-7B02868B54C4}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1488
                    • C:\Windows\{3D5F22B9-5587-4902-80E9-151AE01648FD}.exe
                      C:\Windows\{3D5F22B9-5587-4902-80E9-151AE01648FD}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2836
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{26819~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3004
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E1B88~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1484
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D7331~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1596
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{16639~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:376
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F61CC~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1708
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{65E02~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2604
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{87439~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{407ED~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0A6044~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{16639536-3A24-4789-9AB9-1B54A2A72910}.exe

    Filesize

    89KB

    MD5

    a7fd16f968eb4a1b7016e3cfc4cf2d39

    SHA1

    4af2b7c26681e57f8628b5c008fa57251d25a64c

    SHA256

    a85c8ff4689cad9f3ee7d94e43171698693379e0d4e2f33a0a484bdb7efadb77

    SHA512

    d9ba40ab96dfaad1e867a0ab56dc7d4565cd7dd9b594f478342f9017bed6d9d11416cfec547362c8c5d36bf81122c3bc5cf0829d0a0ecc1eae18d2d54644a1af

  • C:\Windows\{26819CAA-5CC3-47be-B04E-7B02868B54C4}.exe

    Filesize

    89KB

    MD5

    f8f95da89a71e0b5ad6e13e18b742ddd

    SHA1

    b2402134438ed594919d4b8fe4c1c87aa094331f

    SHA256

    4fcba0599d888e354dfd85c79763074820fe367cc27774bca96c37bededc0236

    SHA512

    24a098d111b53a124ff7a97c696b8a1e82eaf0e54f85803a117df3a1370a7fb6469e0427bb19c0237d82115a10346703d1bacb28ba82763af80ab5abd8d05ca6

  • C:\Windows\{3D5F22B9-5587-4902-80E9-151AE01648FD}.exe

    Filesize

    89KB

    MD5

    b34dfe88ad5c7837db0864a2f127f171

    SHA1

    cfc52ea9ceaac305b69e6813bdbaa50c40ea7d03

    SHA256

    bfede57e81e19c076c9603dd5dfee99fff69f305b6ec48a8b3d529a43921ae9d

    SHA512

    94ef961b4c0083fe1b24ef1b805da9b9912f170be8b7027608be2878276fadce7ab4d2328efe8c9630f96ce797efb226a5cc0e7ebb96a7f2376b4ab38fc2da3b

  • C:\Windows\{407ED18F-B142-4aa6-B7EF-8390B73F4A49}.exe

    Filesize

    89KB

    MD5

    a5b3ade63ab4cb9eb675050dba61f386

    SHA1

    a10a1c98c55d8338d52960a5c5fbddb1c936e95a

    SHA256

    9fbcf4696beb9df794db8af13aaf47a5939e6bf5e99c0cd5ce5645c50553ec45

    SHA512

    71fcf13f908177bc99f1ca48ea2b00fc16952ac3882ad7c075c690742120d5c200e90168b228ad6deb172182b4e6eb8deaac95fd2b1830583606f379522251ea

  • C:\Windows\{65E02D13-C93A-4bd8-84CA-5C2FF9EFCF41}.exe

    Filesize

    89KB

    MD5

    b2e390dac90ab6c84ebe64dc98082b6f

    SHA1

    fb11045c289ad4d4272bb8324a27e829ec99761a

    SHA256

    e83e9b79c43ca0bf719052d2af247f1811b7e655edbf7ace63120497838b124e

    SHA512

    5fa5a5cd39d9c3bd9f7cb1891ae97074045e29ccea2820b484171a371ea7c7394134578b346e46dab133f368e55480257ddf001311ba46cd506e9720dafc6eda

  • C:\Windows\{87439BDE-39CA-4a33-B0D0-2F27F41707B8}.exe

    Filesize

    89KB

    MD5

    7ead180ca599eebc40cecdda2ad26f2a

    SHA1

    556be72fe271880263a44b31de53df4b33857fbd

    SHA256

    dafa3e0092921cd962f0bc0ead21dff730bb186621beddf6749cdc3833baf608

    SHA512

    e71dc7ccb13228b8ddba5322e58f8f967a96cb5e168e135e24fbe0e89199f7e5a04d88b05c92c61f827f132df99b697c505f879ee894ec9fb352929bffea059b

  • C:\Windows\{D7331DA0-3B10-48f0-AE59-37263C3C838B}.exe

    Filesize

    89KB

    MD5

    9b6fb7140abdb7a9653521aa183ea6db

    SHA1

    2532db600daccdb7a2ca3a937522e28900fe8d9a

    SHA256

    8ab0a5b9714d1d4c1bffcca38ecf155dfa951e052129949fa0e5de8f881c2ab6

    SHA512

    62941ddd6fa31faf090786e79c49847c53342d87af1b592b8542c2abc899716efa5b39dbfafae751e95fdfc9cc8304135e3869cfb24aa55525aa4648a8495399

  • C:\Windows\{E1B8869C-BF23-4b35-A216-4894824BEC99}.exe

    Filesize

    89KB

    MD5

    64a558c49b44c38748751f80ae74bc87

    SHA1

    38a940e0d11e0c936ac6e942b798a54cd0f5764e

    SHA256

    a604c5021391d330af54835bede2dcc119c95f8a66e1977915f357eae0836e6e

    SHA512

    7dc3a897a53596178d643f09e79d3acdd5d3a075be9fc3fe72e4c8e468b46afa323ae51385393fdd635fca19771a9f9981acb480260992c0682048fcfd933a34

  • C:\Windows\{F61CC614-E32C-4cb7-A5C5-FA3CD096F2F0}.exe

    Filesize

    89KB

    MD5

    a818d7e9f20ca5cb951a160b01ad4ed3

    SHA1

    6dfd489657d722ed7cac867f2bcaf5a8698554b6

    SHA256

    8acb2e8a8e4a2b2dc074bf180d80b220d1366cf0ac06cb4e5de0d8846509b39c

    SHA512

    108f8f9df2a084697f935ca7641f575ac7943d1cb89eee3510cf114afb18b1fbf1920649bf1b99b583fa3e68d04e8e41b28010b53ae947733fc90fcbac17b70c