Overview

overview

8

Static

static

3

277e7f6c8a...47.exe

windows7-x64

8

277e7f6c8a...47.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    277e7f6c8a8b5604dcbb5466978b2a2f01b668653af39e89bbfd0d3c8b6b5947.exe

  • Size

    91KB

  • MD5

    37d23a1ae86ee32d90c30701c42ded78

  • SHA1

    e9437c071279a58f2e2ba2c87b423526259e2a09

  • SHA256

    277e7f6c8a8b5604dcbb5466978b2a2f01b668653af39e89bbfd0d3c8b6b5947

  • SHA512

    824158cb061dc0cce73c3ebed50784ee772d9dbd0db097ac15ec3e3cdf761b3a044c4a9312870e4ac5a345fcc3743b29a262dadba65afd86d4f25fa4bcf1f475

  • SSDEEP

    768:5vw9816uhKiroP4/wQNNrfrunMxVFA3b7t:lEGkmoPlCunMxVS3Ht

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\277e7f6c8a8b5604dcbb5466978b2a2f01b668653af39e89bbfd0d3c8b6b5947.exe
    "C:\Users\Admin\AppData\Local\Temp\277e7f6c8a8b5604dcbb5466978b2a2f01b668653af39e89bbfd0d3c8b6b5947.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\{9669237F-BF12-4d9f-9A67-928DF4181F16}.exe
      C:\Windows\{9669237F-BF12-4d9f-9A67-928DF4181F16}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\{3A9F717F-318D-4592-B57F-BB413591E8BF}.exe
        C:\Windows\{3A9F717F-318D-4592-B57F-BB413591E8BF}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\{69286F13-61D4-4406-B025-B3C81642BE9B}.exe
          C:\Windows\{69286F13-61D4-4406-B025-B3C81642BE9B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Windows\{33FC6791-A218-4f61-A472-07BE7C40BE66}.exe
            C:\Windows\{33FC6791-A218-4f61-A472-07BE7C40BE66}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\{54907826-A9A0-4c1d-AA84-4C57EA863D08}.exe
              C:\Windows\{54907826-A9A0-4c1d-AA84-4C57EA863D08}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1492
              • C:\Windows\{5DBABEF0-1C12-4302-A1F4-32918BDC3D46}.exe
                C:\Windows\{5DBABEF0-1C12-4302-A1F4-32918BDC3D46}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:328
                • C:\Windows\{9FB67E2C-8FE0-40ec-A305-A771144BC745}.exe
                  C:\Windows\{9FB67E2C-8FE0-40ec-A305-A771144BC745}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:108
                  • C:\Windows\{3C13388A-549A-4442-BF8D-9358B206BF7D}.exe
                    C:\Windows\{3C13388A-549A-4442-BF8D-9358B206BF7D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2508
                    • C:\Windows\{5C5576A4-6BA4-4c4b-9407-2614D3F17A22}.exe
                      C:\Windows\{5C5576A4-6BA4-4c4b-9407-2614D3F17A22}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1564
                      • C:\Windows\{00B0FE9D-8AF2-4abe-9FA9-6D618C0C8F6D}.exe
                        C:\Windows\{00B0FE9D-8AF2-4abe-9FA9-6D618C0C8F6D}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1592
                        • C:\Windows\{C1982D0E-343E-48fb-9E45-4FAB6F4D75F3}.exe
                          C:\Windows\{C1982D0E-343E-48fb-9E45-4FAB6F4D75F3}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1704
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{00B0F~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:904
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C557~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:936
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3C133~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1748
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9FB67~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1708
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5DBAB~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1968
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{54907~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1880
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{33FC6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2972
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{69286~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3A9F7~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96692~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\277E7F~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{00B0FE9D-8AF2-4abe-9FA9-6D618C0C8F6D}.exe
    Filesize

    91KB

    MD5

    3c439735cf6ea9fa8be26596213f118c

    SHA1

    5ec64f6f0272df19e072b39784138930ed2264d6

    SHA256

    7dcc85d60fe4861d5ec3ba8610046fc61cf42129a05283286f4a3b8ed917c996

    SHA512

    694c9333abffaa58e940428149d240ed2a8fa0e2559330a4e2a542d43dffba14fc6add3a6cd57c5845ea14977da72e8dcd3a536100dc674d49e92582d174d6db

    Download Submit

  • C:\Windows\{33FC6791-A218-4f61-A472-07BE7C40BE66}.exe
    Filesize

    91KB

    MD5

    f2b0b0d4dbacea0211e46a49779a7d50

    SHA1

    0cf1e174886d24c61d655016e7450fb9fabd755a

    SHA256

    bdf1f426eb9445a75623aaaf2e913413d9e9e0b1e724937834415cd196689767

    SHA512

    d6f67bc33ee0d42081af50d96599a08dd117b842218d1db6507170ed3e0ccb2128393f641249442f14b4bb303abec96d610bf6c1f259bdde9f5b2bddb185eeb1

    Download Submit

  • C:\Windows\{3A9F717F-318D-4592-B57F-BB413591E8BF}.exe
    Filesize

    91KB

    MD5

    5d6abe4bd43dd28a54b2123a830deab3

    SHA1

    40a4c1a98470b37b9b5c15b067f54ef5f3d614ea

    SHA256

    d4d4beef8529ff9f6e4937804603690c28a5af62e2ce4cbfe97508907ce0cda8

    SHA512

    c9eeb286d6249b5d660d20f01399fa5cc979557a2a134fd664f461839b5ff5b6a0c34488bc13214d039ca3cb0f5d46567dc2a8dfae9eea0253abc8c337020f96

    Download Submit

  • C:\Windows\{3C13388A-549A-4442-BF8D-9358B206BF7D}.exe
    Filesize

    91KB

    MD5

    57984a5e23312a666425410dfe082272

    SHA1

    7df10afb9beecee6d3db8a2bfdd334d18ee20429

    SHA256

    9aebdd7eb2e46b066a954a29fc712320360167909a36134e28ca7a38643bea5f

    SHA512

    5bb5627e955eabd33bfb04908d206e9279a44c87045bd75c1c35d17b85fe051adc4ebb1c801c143c4a2e7e8c2cf54e776ef83e986b12779de752d1fd244103e8

    Download Submit

  • C:\Windows\{54907826-A9A0-4c1d-AA84-4C57EA863D08}.exe
    Filesize

    91KB

    MD5

    2a83319dba7b41c589c5d5e407f9fcd9

    SHA1

    134f8585b1c46bfbd5858237f99d8af3f8431c71

    SHA256

    98fb6e6af39e7be6f50876a0c28a041624937578c4eb8983ed0c93d79c8d435b

    SHA512

    85e53552054cd4ac02431177feee1a098fc904f5e49be4c0ec5eb3de63b29e59b14e8e51a9aaa317b3f27c5956eca46dcceb0b5590343df5ad63dbacb392543c

    Download Submit

  • C:\Windows\{5C5576A4-6BA4-4c4b-9407-2614D3F17A22}.exe
    Filesize

    91KB

    MD5

    ba515e1ad20b063cdcb10a135a69819d

    SHA1

    7d60899284565a6ae20ccb8ee1529718180b1994

    SHA256

    711b5fbf57d749c6fe112f1379923450977c57d10163fdc35a9888905ad607b1

    SHA512

    9ee4cbbe02c00162f02a8bdbb9ec3c5f3cec6e1f412a1d23e413c6444d83a68987c940c8ac30368f6cce41a5fb34ac632b543108f3b576cd66c6c4e4ecec6795

    Download Submit

  • C:\Windows\{5DBABEF0-1C12-4302-A1F4-32918BDC3D46}.exe
    Filesize

    91KB

    MD5

    362a09bc281814b323f8f7e92901067e

    SHA1

    5fc796a3202385b9eea5ff3ef9e8cbb07f8accd4

    SHA256

    746d9a5cf03ec49271f2ba4bf46e476a8934ff34f53b0ed2485e4d2f328920a6

    SHA512

    0a8d677032e48adec361bd32bb695186c9ac117517f82b9b1a64b675334b05678a4988e909ceb81e454bea0e8d9104315159235699afcdff5c1ad02eb511200d

    Download Submit

  • C:\Windows\{69286F13-61D4-4406-B025-B3C81642BE9B}.exe
    Filesize

    91KB

    MD5

    d9e002272a7a651b7a8b18fd6d66b2cc

    SHA1

    a5fccb0e7c353ab2dd7ef293ae2f33f79ca63b1a

    SHA256

    17a67a7e1f5706f12997212be9e75e52e0a0359d59f65213588a61959f063bd9

    SHA512

    cdf114644078dcdc8c533308901b9ba097d8ea3778567e9e8e6bbee14d568f2d076ce5c2126ad797602b5cbe351278b6c66157323e0daf26b28f69195413d93f

    Download Submit

  • C:\Windows\{9669237F-BF12-4d9f-9A67-928DF4181F16}.exe
    Filesize

    91KB

    MD5

    1a25fcee56042adc9a2430d3899d6be0

    SHA1

    ac040b073dd0ba9395e06f0b18dfcc8ed72d8156

    SHA256

    f5b840ca7a26656efa4c3bc3b70af5d8d12955dd48f6085e3181b81ecfb16e62

    SHA512

    3f5bdd701f1a82a4339a005e158446c1c86ec9aec725e123484de05e0684dd7c60dbb402d43f7a01dbe45359301f219afb8080494ced772927ea3e2cea4f7453

    Download Submit

  • C:\Windows\{9FB67E2C-8FE0-40ec-A305-A771144BC745}.exe
    Filesize

    91KB

    MD5

    5b5673edfd0c93da40be1806f0160070

    SHA1

    9551f3e2814f673b0064981360af2e6364a219a6

    SHA256

    247b527d03de51e63bd9ed1e2a83348a7cca2f20c4bf7121db6eb03fee030607

    SHA512

    c17416422b4ec5420bf4016f31134842d0f672099acff1d5043e35e1cb49b8b2fe0edb41891ab0b5a83b3052be01bd2e44ba15d53dae7136b114b709c7c371be

    Download Submit

  • C:\Windows\{C1982D0E-343E-48fb-9E45-4FAB6F4D75F3}.exe
    Filesize

    91KB

    MD5

    968f359fb288620e15d6fb252f5a59f8

    SHA1

    049f2c2171cd2d9d06f3a3e5818e29058f079230

    SHA256

    8b7d9b40dbad3c2022111803c10237d9a3c0744bf2bb502f1c906d9611a4629f

    SHA512

    aa06e57d5cf54d1181daaa990ed1c271dd8b748f136c1c66bb2859cf09a683f780e1fffce346e2ee4b69ffbd6e44701d378fedfdfd2ef111cc855077ac4a9e75

    Download Submit

  • memory/108-83-0x00000000003D0000-0x00000000003E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/108-76-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/108-85-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/108-84-0x00000000003D0000-0x00000000003E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/328-64-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/328-69-0x00000000003E0000-0x00000000003F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/328-73-0x00000000003E0000-0x00000000003F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/328-74-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1492-62-0x00000000003C0000-0x00000000003D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1492-61-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1492-65-0x00000000003C0000-0x00000000003D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1492-60-0x00000000003C0000-0x00000000003D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1492-53-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1564-105-0x0000000000420000-0x0000000000431000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1564-104-0x0000000000420000-0x0000000000431000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1564-97-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1564-106-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1592-114-0x0000000000330000-0x0000000000341000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1592-115-0x0000000000330000-0x0000000000341000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1592-116-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2148-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2148-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2148-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2480-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2480-9-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2480-16-0x0000000000390000-0x00000000003A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2480-17-0x0000000000390000-0x00000000003A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2508-95-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2508-94-0x00000000002F0000-0x0000000000301000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2508-91-0x00000000002F0000-0x0000000000301000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2688-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2688-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2688-51-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2688-50-0x0000000000430000-0x0000000000441000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2844-20-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2844-29-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2844-27-0x00000000003A0000-0x00000000003B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2844-28-0x00000000003A0000-0x00000000003B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2908-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2908-40-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2908-39-0x0000000000310000-0x0000000000321000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2908-38-0x0000000000310000-0x0000000000321000-memory.dmp

    Filesize

    68KB

    Download