Overview

overview

8

Static

static

3

27f4eebace...71.exe

windows7-x64

8

27f4eebace...71.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11/09/2024, 19:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    27f4eebace3c206c4e837623d3e58f2ba21b20e6e4e4bef5572ef5fc21e58a71.exe

  • Size

    89KB

  • MD5

    c937a975abe84532ccacf5b372b3ad34

  • SHA1

    88d6aab44403b303e21458c4a5881433c9aa7eb5

  • SHA256

    27f4eebace3c206c4e837623d3e58f2ba21b20e6e4e4bef5572ef5fc21e58a71

  • SHA512

    f53a91a9c184ac208a55103f9b14ab02c80d5b8fd0d56087d1f793d4091627a057589c6b57a384f88c6a248f80c6bf553dba73d0b98d0968aceb8bb5c5e8d4d9

  • SSDEEP

    768:5vw9816thKQLrov4/wQkNrfrunMxVFA3k:lEG/0ovlbunMxVS3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27f4eebace3c206c4e837623d3e58f2ba21b20e6e4e4bef5572ef5fc21e58a71.exe
    "C:\Users\Admin\AppData\Local\Temp\27f4eebace3c206c4e837623d3e58f2ba21b20e6e4e4bef5572ef5fc21e58a71.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\{625D4834-D22E-45b2-A5ED-367A967325EF}.exe
      C:\Windows\{625D4834-D22E-45b2-A5ED-367A967325EF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\{16ECB017-2D1A-47bf-8BDF-10AD93CD6C3C}.exe
        C:\Windows\{16ECB017-2D1A-47bf-8BDF-10AD93CD6C3C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\{5D2A82CD-3C09-4cc0-A94E-6E329AD887F8}.exe
          C:\Windows\{5D2A82CD-3C09-4cc0-A94E-6E329AD887F8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\{8F1C9DD0-BAC4-496e-AA3B-232F353D4C74}.exe
            C:\Windows\{8F1C9DD0-BAC4-496e-AA3B-232F353D4C74}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2248
            • C:\Windows\{09B8858C-6B59-4668-BFFB-DBCEB322C2D5}.exe
              C:\Windows\{09B8858C-6B59-4668-BFFB-DBCEB322C2D5}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3052
              • C:\Windows\{C77BD877-48FB-49c7-96FE-CA24EB099EFF}.exe
                C:\Windows\{C77BD877-48FB-49c7-96FE-CA24EB099EFF}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2948
                • C:\Windows\{967DB88A-4B09-4af2-8002-B17397CA05A6}.exe
                  C:\Windows\{967DB88A-4B09-4af2-8002-B17397CA05A6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:540
                  • C:\Windows\{D704F2CD-F1DE-449a-AF59-F415DDEF02F3}.exe
                    C:\Windows\{D704F2CD-F1DE-449a-AF59-F415DDEF02F3}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1436
                    • C:\Windows\{3661AEAC-34D5-47d2-A5E7-4F184F1C6259}.exe
                      C:\Windows\{3661AEAC-34D5-47d2-A5E7-4F184F1C6259}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2064
                      • C:\Windows\{13DE6EE1-BB83-43ea-BF15-EDB999AC6BC4}.exe
                        C:\Windows\{13DE6EE1-BB83-43ea-BF15-EDB999AC6BC4}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:556
                        • C:\Windows\{65CB81E5-BA40-4408-AB13-E12136B8273D}.exe
                          C:\Windows\{65CB81E5-BA40-4408-AB13-E12136B8273D}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2484
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{13DE6~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:544
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3661A~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2360
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D704F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2324
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{967DB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:576
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C77BD~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2728
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{09B88~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1376
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8F1C9~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2136
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2A8~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{16ECB~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{625D4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\27F4EE~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2804

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{09B8858C-6B59-4668-BFFB-DBCEB322C2D5}.exe
          Filesize

          89KB

          MD5

          b7bfcdc72f494f7e2c131269ac89e766

          SHA1

          35503b8c5eea7e5a6b720333f29cc92ba1752886

          SHA256

          bff6329f6a61b510f43ff8d9755b88d4dd8f2bcbf9d1de29e5c9fb0752a29c81

          SHA512

          cef56185510d38ab8e9261748cf302f568c0e7afb825d9810f9d07accea96180487d5ffcfd29c4f3a334836d3c09e5414796136c8d8f4cd830dba91dc4a66573

          Download Submit

        • C:\Windows\{13DE6EE1-BB83-43ea-BF15-EDB999AC6BC4}.exe
          Filesize

          89KB

          MD5

          41b6b6d3626bb37c3adc5ea8a9560851

          SHA1

          98634d07c933c13a9f286ad9de2294b77d0b0477

          SHA256

          daef4f647bdf47fe32c2495be9deece9783f045fd2647d40bba0ae5c53253ab2

          SHA512

          f82596aa62726807e0c2eabc84e15ce1937be4f786cd0811c6207e4f26ed39e4b2787f7ca59ba64ae38cfde3bc0e07c52cc81c2184e95e023fae741a21bce74c

          Download Submit

        • C:\Windows\{16ECB017-2D1A-47bf-8BDF-10AD93CD6C3C}.exe
          Filesize

          89KB

          MD5

          d1c6d75ec2210d130d482657d5c20474

          SHA1

          8c03d5654dfd8113ece565c0178805ed8393cd29

          SHA256

          a3c2d9ab6e13f2a0ccc5ccfaa5ed1405835dacf4b87e28466ee40e3888797b2b

          SHA512

          5b317f5d6a8e9e00f1ac379b3ebfd6f3d62b3562ed8894ce44e29626985b1ed7500a0d78f43c64f431316f4536f4241b8dce67c38f9f8c1bed1109266a18df8b

          Download Submit

        • C:\Windows\{3661AEAC-34D5-47d2-A5E7-4F184F1C6259}.exe
          Filesize

          89KB

          MD5

          3e4561a70d4e71762c69ee0a5a4ba2fb

          SHA1

          c7175ce94d4901537b38aa529d3389fcd66356c2

          SHA256

          dd14a619bad82bba6abb223119b60f7b8cd2d41d7e2c282b19b5d0470b971cac

          SHA512

          c9ef9c23dc94a0b1131529e889d0c70c9905566ac643341517e5a0e0fb337dfc5f6257534e625cf112ee7f1f2709a2fc419272512833c1a8ccac8b64e323e456

          Download Submit

        • C:\Windows\{5D2A82CD-3C09-4cc0-A94E-6E329AD887F8}.exe
          Filesize

          89KB

          MD5

          d6a477a71f0786b4e64b565581d71d75

          SHA1

          f897cae5841ca0f4dd2a3a85064cb4dd781477b8

          SHA256

          f4bba18eece2baa5e2f509507e4de27c16d1a2a3c04e529443e73d60d96fdf47

          SHA512

          a84cbbf21dbb1fc63bc62be3259f801928076b6bcd5de37cbf97d0c405aeebbb91673dc76fd71208b01d01703ce4f66c27e8bf1f7288c693639d3d641d5f7c3c

          Download Submit

        • C:\Windows\{625D4834-D22E-45b2-A5ED-367A967325EF}.exe
          Filesize

          89KB

          MD5

          5fcb2e76e1458f9bce21e739df7ffb2b

          SHA1

          c2f21f5aaa28ad79c51888d40cfb627dca68cb0a

          SHA256

          2db09616068ee455ca4eaded483203bd5eb38d46da6e57951cf5b7160c59075f

          SHA512

          9186b10c33c525d31f80bcf1bad842fb39bc223457932f46eaec47b47745090ee5b0b2ead4674e188ad02dbfc54e399bf7ecb0b7015a55b02f767ac3ccc9a092

          Download Submit

        • C:\Windows\{65CB81E5-BA40-4408-AB13-E12136B8273D}.exe
          Filesize

          89KB

          MD5

          f3c67252e70dd928ec989a47d05b9a40

          SHA1

          c17d2decab6563d5bd1c46a144c59ca3053e662a

          SHA256

          bdcad9a3dce512839eaf9714ac5bb65813099adccec8276ca4e3b3d52a711a65

          SHA512

          df4630222f9df59172e7e135f0acf260c154cd0d1a8b1c92e4ba54854a3af88a48ea3fb668afc4b3c41f4043c4a60c4e288e5ec1e748ab4276aa62e0a743d3b6

          Download Submit

        • C:\Windows\{8F1C9DD0-BAC4-496e-AA3B-232F353D4C74}.exe
          Filesize

          89KB

          MD5

          90df7bc315b450d9af1347c5e84ccada

          SHA1

          384511bcc3118a55f3a1984a15cbc71eeafad8be

          SHA256

          267d1d907e4a9fb8595d755a0c928c1a22053bf07f444456df444f776f3e673d

          SHA512

          183bf85c7fa0b48daf9d1b95ffcb7e081eda839b4891df7ce42de72911f08b24cae938f4189d72e5018a49b2e7c4f0f73eb205c457430c1ecee79452961b57e6

          Download Submit

        • C:\Windows\{967DB88A-4B09-4af2-8002-B17397CA05A6}.exe
          Filesize

          89KB

          MD5

          9731ba92f309d5ac034bd5198ab89901

          SHA1

          4bb6b73a176b4dd9be099890075af58206d37167

          SHA256

          d38b184b68613bfcf6a679d20f5e6501d652f8eac2f591d221758a6ff1bc0eca

          SHA512

          716f5f5a8232a8324ccca81732156570b79f02402d3c40b9da1923c65c90069d0f1df37ef46db1972fdc6ef1afd437ea63ff3dd40184faedb99e42f23ec3bb20

          Download Submit

        • C:\Windows\{C77BD877-48FB-49c7-96FE-CA24EB099EFF}.exe
          Filesize

          89KB

          MD5

          a63c84b066b658f5a291545e6e344c31

          SHA1

          8044cf3adb85dc8819adadbb3942e56068c81908

          SHA256

          a9636c3667bc8e83e07aca668ce8b51e5a1258516b67c5d94a8ac5e946b52ca6

          SHA512

          2040dcf2c456f44ccbc6148a710c093cab1c02723f51c5faa377ba8577d23ede5e0bc65423eca78cb25f916c0eb80c9c22ea9eb181331ba3bbf93db2ea711602

          Download Submit

        • C:\Windows\{D704F2CD-F1DE-449a-AF59-F415DDEF02F3}.exe
          Filesize

          89KB

          MD5

          27a41df38a7b44ce81dccf3b9f0f6537

          SHA1

          a0c3b44528a38979cd57764d95fa1b4356ffc9a0

          SHA256

          d661b7080fa3ec6466e91cd1a3ffc8ad73d07107b22a94024a76a64eae5e6f71

          SHA512

          8c658f64f872274cb9047792ff70f156f3b883dc15b7b29fa77ba0ef78527e4c9e54aeb7668732884b95d3d222a79de1f51d5fb896d97c66ec98b5eb0f4ecfda

          Download Submit

        • memory/540-79-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/540-73-0x0000000001B40000-0x0000000001B51000-memory.dmp

          Filesize

          68KB

          Download

        • memory/556-106-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/556-100-0x0000000000280000-0x0000000000291000-memory.dmp

          Filesize

          68KB

          Download

        • memory/588-14-0x00000000003A0000-0x00000000003B1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/588-19-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1436-88-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1436-82-0x0000000000320000-0x0000000000331000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2064-92-0x0000000000360000-0x0000000000371000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2064-97-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-10-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-8-0x00000000003E0000-0x00000000003F1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-4-0x00000000003E0000-0x00000000003F1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-1-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2248-49-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2248-44-0x0000000000280000-0x0000000000291000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2248-40-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2248-39-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2796-33-0x00000000003C0000-0x00000000003D1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2796-38-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2880-20-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2880-23-0x0000000000300000-0x0000000000311000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2880-29-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2948-70-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2948-63-0x0000000000290000-0x00000000002A1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2948-68-0x0000000000290000-0x00000000002A1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3052-59-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3052-50-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3052-51-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3052-54-0x00000000005C0000-0x00000000005D1000-memory.dmp

          Filesize

          68KB

          Download