Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2024 21:41

General

  • Target
    3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
  • Size
    89KB
  • MD5
    796bd2fa644bcc8c6cb93a42fcc6298f
  • SHA1
    1189271d1aab6239c6d6921368b1199b981dd007
  • SHA256
    3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd
  • SHA512
    25bb9c61acb6f436958312f71348264af94c0e4963e3eb5db37ac90011879b28aaaa044fa00332175c845e1084f3b15d0f63e40e97b0b91ff4fe6df30cf3532c
  • SSDEEP
    768:Qvw9816vhKQLrof4/wQRNrfrunMxVFA3b7glL:YEGh0ofl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
    "C:\Users\Admin\AppData\Local\Temp\3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\{E6C37513-812B-4aba-B502-20E85E721724}.exe
      C:\Windows\{E6C37513-812B-4aba-B502-20E85E721724}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\{3F541788-4CB4-4460-987C-424473A6C61B}.exe
        C:\Windows\{3F541788-4CB4-4460-987C-424473A6C61B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
          C:\Windows\{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
            C:\Windows\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2852
            • C:\Windows\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
              C:\Windows\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:824
              • C:\Windows\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
                C:\Windows\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:536
                • C:\Windows\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
                  C:\Windows\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2020
                  • C:\Windows\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
                    C:\Windows\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1852
                    • C:\Windows\{98728223-048A-495e-A82D-96796CCAF77B}.exe
                      C:\Windows\{98728223-048A-495e-A82D-96796CCAF77B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2936
                      • C:\Windows\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe
                        C:\Windows\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1624
                        • C:\Windows\{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe
                          C:\Windows\{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1616
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{15A09~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1528
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{98728~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2996
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F195~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1108
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C98D9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2672
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{95A7B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1996
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{AE50C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2392
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{858A2~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{68BB7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2600
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3F541~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6C37~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2864
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3C6148~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:588

Network

MITRE ATT&CK Enterprise v15

Downloads
