Overview

overview

8

Static

static

3

277e7f6c8a...47.exe

windows7-x64

8

277e7f6c8a...47.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2024 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    277e7f6c8a8b5604dcbb5466978b2a2f01b668653af39e89bbfd0d3c8b6b5947.exe

  • Size

    91KB

  • MD5

    37d23a1ae86ee32d90c30701c42ded78

  • SHA1

    e9437c071279a58f2e2ba2c87b423526259e2a09

  • SHA256

    277e7f6c8a8b5604dcbb5466978b2a2f01b668653af39e89bbfd0d3c8b6b5947

  • SHA512

    824158cb061dc0cce73c3ebed50784ee772d9dbd0db097ac15ec3e3cdf761b3a044c4a9312870e4ac5a345fcc3743b29a262dadba65afd86d4f25fa4bcf1f475

  • SSDEEP

    768:5vw9816uhKiroP4/wQNNrfrunMxVFA3b7t:lEGkmoPlCunMxVS3Ht

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\277e7f6c8a8b5604dcbb5466978b2a2f01b668653af39e89bbfd0d3c8b6b5947.exe
    "C:\Users\Admin\AppData\Local\Temp\277e7f6c8a8b5604dcbb5466978b2a2f01b668653af39e89bbfd0d3c8b6b5947.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\{449B4844-53EA-433c-9291-6C1648B1F3BF}.exe
      C:\Windows\{449B4844-53EA-433c-9291-6C1648B1F3BF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\{1B76698F-18C3-4cba-9991-9E7C4052C64E}.exe
        C:\Windows\{1B76698F-18C3-4cba-9991-9E7C4052C64E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\{F4965637-693D-42f4-91B4-037E9AE43E6D}.exe
          C:\Windows\{F4965637-693D-42f4-91B4-037E9AE43E6D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4228
          • C:\Windows\{B89A80F7-CDD3-41a5-A5E5-C77C825F5D34}.exe
            C:\Windows\{B89A80F7-CDD3-41a5-A5E5-C77C825F5D34}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3508
            • C:\Windows\{EDAC877A-6555-4542-8EBA-60AADC4B11EA}.exe
              C:\Windows\{EDAC877A-6555-4542-8EBA-60AADC4B11EA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2180
              • C:\Windows\{FAA79358-06BB-48d2-A418-52BAAC9EE54F}.exe
                C:\Windows\{FAA79358-06BB-48d2-A418-52BAAC9EE54F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1804
                • C:\Windows\{2BBD995F-9E65-4783-A0F1-9B9578495534}.exe
                  C:\Windows\{2BBD995F-9E65-4783-A0F1-9B9578495534}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4356
                  • C:\Windows\{1CA257C0-6893-4af6-A44C-4D17CDB274C8}.exe
                    C:\Windows\{1CA257C0-6893-4af6-A44C-4D17CDB274C8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3324
                    • C:\Windows\{9E43884B-AB28-490b-8AC3-F037A083E5AD}.exe
                      C:\Windows\{9E43884B-AB28-490b-8AC3-F037A083E5AD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1480
                      • C:\Windows\{4A8DD3D9-1982-4b9b-9E8A-80D62FB5B7D0}.exe
                        C:\Windows\{4A8DD3D9-1982-4b9b-9E8A-80D62FB5B7D0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1036
                        • C:\Windows\{6446A884-AF62-4828-ACAA-9D3B8CB195FB}.exe
                          C:\Windows\{6446A884-AF62-4828-ACAA-9D3B8CB195FB}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3640
                          • C:\Windows\{BE3B1C6C-B890-4c09-9EF2-9C54BB1CF4AD}.exe
                            C:\Windows\{BE3B1C6C-B890-4c09-9EF2-9C54BB1CF4AD}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4088
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6446A~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4720
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4A8DD~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4492
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E438~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3332
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1CA25~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:5004
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{2BBD9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2220
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{FAA79~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1676
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EDAC8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2720
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B89A8~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4252
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4965~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3460
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1B766~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{449B4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\277E7F~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:64

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{1B76698F-18C3-4cba-9991-9E7C4052C64E}.exe
    Filesize

    91KB

    MD5

    e04e6208d809a76af76c25ca56b55742

    SHA1

    19fa405a36826b1a29e64bbe7d478d14cd249136

    SHA256

    ab6389ca7f676ab7df76f1916ed6730cc3869ba7b415060cdd9f90222d527aba

    SHA512

    086440e5134ad4c40cb643cc4c5793019d7e6e1bdf7e06f324f3b6c02f5537e58f86455867d97ad8b9a09f6fbe9009996f939d26bc03ac41e3f0a65f935084ad

    Download Submit

  • C:\Windows\{1CA257C0-6893-4af6-A44C-4D17CDB274C8}.exe
    Filesize

    91KB

    MD5

    78cc67cb100ce670f9eaed2314a47fd3

    SHA1

    ff1bfff377f3b1d36943cc13918f611840671fad

    SHA256

    991eded83e0c5ccd987a327640863ee8c30903c8e8a298d75791e6ebb43f6346

    SHA512

    fea5e7f523cbc86ca3de086d1cf410ef8b5a5506b10eebcb102878f3d25e42968a9c92e747d937f90525c653e3d8c46367e1cdf9cb0344edc698b9212e49640e

    Download Submit

  • C:\Windows\{2BBD995F-9E65-4783-A0F1-9B9578495534}.exe
    Filesize

    91KB

    MD5

    ea4d659d60d04c9b82d694def6c6f301

    SHA1

    7208db19361494826b441de617a75e930439cdf8

    SHA256

    b34e30d673d314eac976ddca50cd44e570dd519c7c6d693fb97cc8cce718f1bc

    SHA512

    7035da1c439ce85c96a3ecc7a7ff62828f09346c033801d372a0a1efa11fb0340589cdcf157386c5fc0afffdc4a711aae8b5e8bbfcbac59ea6d068c6fba1adf5

    Download Submit

  • C:\Windows\{449B4844-53EA-433c-9291-6C1648B1F3BF}.exe
    Filesize

    91KB

    MD5

    798924a99279c4cdd858d22f93fe6b43

    SHA1

    fb3a04a1095c227f82f7dd3fe2e3fdc65745f211

    SHA256

    2847c23d85a84a2898ee4dbb34d23f59a3020deaf742bed7eefca308a8a255f1

    SHA512

    98f0e9e4d4566ae224dfa9a80a186bcbc6db9b35ce6cb11f7f5d740c09e160b3c3dce21c4611ad0df40728842a486b5ccc2cf70091156b6f6933008fcfe5221f

    Download Submit

  • C:\Windows\{4A8DD3D9-1982-4b9b-9E8A-80D62FB5B7D0}.exe
    Filesize

    91KB

    MD5

    c38bd287f75bd526ee6951d5ec1ea9da

    SHA1

    7140fd6be57dbfde5e2cf68e0ab959ea0d146a01

    SHA256

    a595db51c5588b3af2603a33efbe296ce708e8b68cd104f941f738b44683f101

    SHA512

    0ede3ac3e6321829220641a43dc430faf74ed415c0293aa164ada2aafd09ff88ecec126bb5c19824aa0a728e4940ac3e58704558e153d402cda967d81f756917

    Download Submit

  • C:\Windows\{6446A884-AF62-4828-ACAA-9D3B8CB195FB}.exe
    Filesize

    91KB

    MD5

    35608d1137a3e02061729a22f54fec26

    SHA1

    15cac3fb75bd8a1e5441c4036002906f02200914

    SHA256

    a2faea1b7c277fe12c9c34d165ab7178b3fc84ab6660d2411720ea60015e62c0

    SHA512

    9f7d1bea118a525c88f2f42ef6ec43b4dfd9b727082d673bae3ae2942ee642cff43842a5e932b29ff0f92ee7388afac3a2f2ce040a1f21bbd406eb7f0baca41c

    Download Submit

  • C:\Windows\{9E43884B-AB28-490b-8AC3-F037A083E5AD}.exe
    Filesize

    91KB

    MD5

    192987291c7f8b43aaf76771f5079446

    SHA1

    dbf7f2cdf7534d2948460da3a353224abbfd9436

    SHA256

    1afb539791ec815bdaa8438663bcab5e1b4b48126e9689e2dea9d87c2f09356a

    SHA512

    09ec659079d89f3df4e452c8e7245636c88a3cce9fa41c6d241641e63b00221234fb25ad16e4c51345a0bdf70e9b54e338777227b0180f38919aeb5832fa4f43

    Download Submit

  • C:\Windows\{B89A80F7-CDD3-41a5-A5E5-C77C825F5D34}.exe
    Filesize

    91KB

    MD5

    7536b7d816ff6bbdeba7a7297416c986

    SHA1

    2a7ee462f0e58bd1ea510684f0627448061d333f

    SHA256

    f3a5d9abd317a433da3aec5770a5c14ce4c02910c4d0e0ed82fc129c9726ce1f

    SHA512

    c00b08819369902f91c056fb8f48172b9e63a352acd3fc2ec8dfd5b3d78df442f255bcdb51dc4df1b395993a0890ebe1d221018a75e35cbaf258ea81a77b5136

    Download Submit

  • C:\Windows\{BE3B1C6C-B890-4c09-9EF2-9C54BB1CF4AD}.exe
    Filesize

    91KB

    MD5

    520c18e396b4af61e92df3c244a9bc49

    SHA1

    f1f6f59cd0c7d5638d2cde98e0109de60f18411c

    SHA256

    347380efba4027daf423c1978547744ed7f4b01aa866773bc76e5926777c968a

    SHA512

    db131a8b6eb59158c0da3307a0fef4c080cdc87c79175b05600e95100c42587b0fed37142ceb9e20bf15518d3b0cd3cf2bd21dd28bb572243d2f07bf7000ed86

    Download Submit

  • C:\Windows\{EDAC877A-6555-4542-8EBA-60AADC4B11EA}.exe
    Filesize

    91KB

    MD5

    ec1aba136ab96ba6868cb0b8a75e147a

    SHA1

    c672b5f8d42e0840399709aaac0ecc91966f2e07

    SHA256

    8e44ddbc5e09344cadfcb4ac45bdb39d9deef8f95f64c131a8520003c0511984

    SHA512

    58999503d6cb1e1807082ebf39610128d11c6101ab3813e8879741c3e32ce638af6a7858e838986ae4e0d22349a8893220a85996c75185d77e49d17f7fe71e54

    Download Submit

  • C:\Windows\{F4965637-693D-42f4-91B4-037E9AE43E6D}.exe
    Filesize

    91KB

    MD5

    763722d27aea9fea2afe08a1fd3033cb

    SHA1

    39efdf7828d581e4376515834b14c5469676150e

    SHA256

    292bfb9baee07d52e1c2ba4327d38b9fec715eafce909d2b368e9a9283ee5463

    SHA512

    8fb4482cb8e3ea24929814a00c215aae4ba587d1bec5ea07f7fb035602faa88e8474919d17771a4396c84e35b3769cd6b0d03faff17ce3d050fbb5b6c5803beb

    Download Submit

  • C:\Windows\{FAA79358-06BB-48d2-A418-52BAAC9EE54F}.exe
    Filesize

    91KB

    MD5

    e42ba7a0bc53524827596b3accb18b6f

    SHA1

    a830bedbd989ab0c64c279fdf7a7748a61b28c50

    SHA256

    c88874bccb56e178b39fb635681562d2bf89f2d75e72ca9f060d9acbcb039b93

    SHA512

    1777575ec72dd941a0c5bac98659b153080c596e25721409952d5c765315292968f00126f1da060f06df8581937e54d6ebc8747f0259c44fe5bafec789961d05

    Download Submit

  • memory/964-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/964-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1036-60-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1036-64-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1480-55-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1480-59-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1804-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1804-36-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2180-35-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2996-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2996-16-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3324-49-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3324-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3508-26-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3508-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3596-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3596-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3596-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3640-66-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3640-72-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4088-73-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4228-20-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4228-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4228-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4356-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4356-47-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download