Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2024 22:43

General

  • Target

    6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe

  • Size

    89KB

  • MD5

    20706fd3835359fc7fd032bc41f8050c

  • SHA1

    27a15cd5b3359f743d21b2dc789478c4d0c81c2c

  • SHA256

    6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6

  • SHA512

    bff23b3c830c77487a385308260512235e59baad06f1c303de5ece12bb73d7c4cb19066e9e7873454a3ef279f8648fb03bb6d2452c0acd329dd6819d848bbc7c

  • SSDEEP

    768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glL:YEGh0ovl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe
    "C:\Users\Admin\AppData\Local\Temp\6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\{7CC49266-F927-432b-8E8B-377508CF3EF7}.exe
      C:\Windows\{7CC49266-F927-432b-8E8B-377508CF3EF7}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\{89441A56-4B5A-47de-97B6-53FE7BB7965F}.exe
        C:\Windows\{89441A56-4B5A-47de-97B6-53FE7BB7965F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\{4BBF52B5-ED99-4e11-BDDA-DE9B7FF5DD28}.exe
          C:\Windows\{4BBF52B5-ED99-4e11-BDDA-DE9B7FF5DD28}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1080
          • C:\Windows\{3ACB4B94-322E-4256-A2DD-186714B127C0}.exe
            C:\Windows\{3ACB4B94-322E-4256-A2DD-186714B127C0}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3224
            • C:\Windows\{1C5A9D5A-1CF1-4a9e-B30C-A862D3E66A70}.exe
              C:\Windows\{1C5A9D5A-1CF1-4a9e-B30C-A862D3E66A70}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2508
              • C:\Windows\{BBEF717A-9053-4881-943F-2CF8BAF24C17}.exe
                C:\Windows\{BBEF717A-9053-4881-943F-2CF8BAF24C17}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4048
                • C:\Windows\{7561216D-3045-4076-A7E4-05A4C6D27EB2}.exe
                  C:\Windows\{7561216D-3045-4076-A7E4-05A4C6D27EB2}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4336
                  • C:\Windows\{7B48E475-39D4-4012-8F74-A0A72622F7BE}.exe
                    C:\Windows\{7B48E475-39D4-4012-8F74-A0A72622F7BE}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4020
                    • C:\Windows\{CD52E026-BD64-4979-ABBA-D162980E5C94}.exe
                      C:\Windows\{CD52E026-BD64-4979-ABBA-D162980E5C94}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1576
                      • C:\Windows\{E4A5D9F2-025D-4c02-AA22-68E2FB442B3A}.exe
                        C:\Windows\{E4A5D9F2-025D-4c02-AA22-68E2FB442B3A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3788
                        • C:\Windows\{3C123A9E-3901-430a-BA86-4F3498D611AC}.exe
                          C:\Windows\{3C123A9E-3901-430a-BA86-4F3498D611AC}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:212
                          • C:\Windows\{1EBD5F39-CF94-4c48-AD1C-EF6BC277CA6C}.exe
                            C:\Windows\{1EBD5F39-CF94-4c48-AD1C-EF6BC277CA6C}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:928
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3C123~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2540
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E4A5D~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2480
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD52E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:912
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B48E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3700
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{75612~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1704
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BBEF7~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3292
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1C5A9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4724
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACB4~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4304
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4BBF5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{89441~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CC49~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2568
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6D2168~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1C5A9D5A-1CF1-4a9e-B30C-A862D3E66A70}.exe

    Filesize

    89KB

    MD5

    75890bbd94b90a21e3ed463fc26fcbf0

    SHA1

    1c5e7bb61ebb1a1a7f1a78f0d4d000223ebced0e

    SHA256

    7afde4a53f49e1af65f69f47f37c505dcfddaaf8e2a9c56723d577bed3409c2f

    SHA512

    2547a1bd633d12dad854109a1609cb0f0a453052f4935992e3ef39614ec482721b7725ea3abd1f3271b164856c6b152d14cc804094b9fa5a324454ae0820e965

  • C:\Windows\{1EBD5F39-CF94-4c48-AD1C-EF6BC277CA6C}.exe

    Filesize

    89KB

    MD5

    230aa272524dfd6349d9cacb3cebb218

    SHA1

    08130c7dcb9fafb328c85e3a572392609039b6cf

    SHA256

    4ea92858ec846e0d53f1c3f5aee537974ec429212b866b11fb1714ba95e13fa7

    SHA512

    1191c901f72e56f655aeeffb1d4e26d7d770f575cbb5dbf8a6aca20b12525abf395a50cb1af01066d4fb362fe560f83597b06c46503a4a30a38a7e80f4d0913c

  • C:\Windows\{3ACB4B94-322E-4256-A2DD-186714B127C0}.exe

    Filesize

    89KB

    MD5

    4ebb4cbfe0618e85e22353086ee30157

    SHA1

    422d01eb386cd5c04a48c7b1fd2f1c95b1ca2589

    SHA256

    74ebc7799fbc490124269ddc6f8f0a638859ce91390d1842f8d007436c2b838c

    SHA512

    37d3f49d3913e632f45e3d7a9f0e6d59ac76ee2d95dd1908e10e05a944e80eed2b090d388c75ee37c6347e854c796230043068f8a68332037e413691f7d63477

  • C:\Windows\{3C123A9E-3901-430a-BA86-4F3498D611AC}.exe

    Filesize

    89KB

    MD5

    e897196bc71a64c9ecea8c48480020d6

    SHA1

    d4a2acad3c12c113533137feb653b2ff05d0bc2f

    SHA256

    1b41eef5a720486f4fa1f99b6a59099d7bc52168ed626a8d488a52bdc0933502

    SHA512

    15e2c2d49569b6d17d058ba42543985721563cc916d5e77a9a300035e4b08307dbfcaaafacae1c798b5f1c160b7137edd7c562ad14fdb83d322f306219408c04

  • C:\Windows\{4BBF52B5-ED99-4e11-BDDA-DE9B7FF5DD28}.exe

    Filesize

    89KB

    MD5

    b90359c56eb450159497c817b8364a00

    SHA1

    5a6f98fb856be9eba1628c2bca56677e7e5aabd7

    SHA256

    b68e0bcf1d0b705e486db37fa8851a4f91f3d74c92b644b0af8d97ecfbda849f

    SHA512

    17ef6a837be88a66e39a783c76a3cb219696d5ee845943f324a09eed66f216c26d16a6a522a744513e07832c7e20e5e9b5bf0abc18382817411cf4cbcbe37bbb

  • C:\Windows\{7561216D-3045-4076-A7E4-05A4C6D27EB2}.exe

    Filesize

    89KB

    MD5

    f68ba2853cf607de57ff691285cca031

    SHA1

    9625b517b327d860e9fb9f7f64475969655c58e7

    SHA256

    4ebb165a0be841f3715c8b95f4a6b67e33973aea299597353602dea6404b6ed4

    SHA512

    af9dda87d361448c0a6160bb85e684f33411f0ed56c8c23380fbf808416795952f70657168de4aaa0873a2c136a01b76a7969169b2c51d3fead11cb1ae7e6c61

  • C:\Windows\{7B48E475-39D4-4012-8F74-A0A72622F7BE}.exe

    Filesize

    89KB

    MD5

    d2cc21a18ecf6bd3210a47967a6169ab

    SHA1

    f3e0945422299f84d0e5c1e8509230e83610c09e

    SHA256

    a39ddc29ec58db4f8951a7df995a77d4473b20409992c43f0b35132d9ea0aaf4

    SHA512

    1dd536f139064a5581ca3214124755b28ba05e086295593686fc9edb2a93c92587decda05cf308badb9e0e99479de42406c3fc4bf372f14673568e87d9b27aba

  • C:\Windows\{7CC49266-F927-432b-8E8B-377508CF3EF7}.exe

    Filesize

    89KB

    MD5

    2fd1f7c96274025180f04148fc460374

    SHA1

    97d4912356a21c0c9de8f30a2f3d0ce0f3fda5f6

    SHA256

    09d40cbbf1ec05b47df721ff6ec3ee5273850c52617737830401048f6b7ad0bd

    SHA512

    aee6d508ece4af1d323cf65a507144355b778e935372e883d5fc3e8e8d2570eeebeedee183e76797ca7a1eda36d8392673f992a8f19972db5f94bc823b850834

  • C:\Windows\{89441A56-4B5A-47de-97B6-53FE7BB7965F}.exe

    Filesize

    89KB

    MD5

    9da10fad7f0a2d50c90a87d86e42903b

    SHA1

    09cf1b3872b4f68a9d5b3ee82ccbaf57f06f70dc

    SHA256

    bd86a4c284f92e7f565338bef37c2d466077560bea3d20997c4efd619e161b2d

    SHA512

    bf83461696e44a1cc27455bf9d447e483a510c87c277bd85b2b4a1a6465330ee2bb28bafe27bc1723f0df017f68557fbacfd8325d2e9019d36988fab4102a81c

  • C:\Windows\{BBEF717A-9053-4881-943F-2CF8BAF24C17}.exe

    Filesize

    89KB

    MD5

    82396366e89761b344e3ac7152a4e3f7

    SHA1

    1df03a6fb03f3db8605d8689c028cc976722bfec

    SHA256

    a8c42fdac3eec49c5668513008d79bb159c9129ef0875d93baeea921b6d23a6f

    SHA512

    317732b9778f523107f767f6563504686258f7a21408718b5a8993febb6656160de55dad896c2ec5b6b56f293ba3995dc26a5607d33e0fb9ad7cc755f04b7e4c

  • C:\Windows\{CD52E026-BD64-4979-ABBA-D162980E5C94}.exe

    Filesize

    89KB

    MD5

    3a39f061ab0299d25a9248af59b00f5c

    SHA1

    a3ba309afe7804406d948f533bf7129033e6eb85

    SHA256

    7c24454b0eab9b43193a11f6a50f26b28b1129d90b30244b8b8734a442a27838

    SHA512

    d19769d773071a3f355c13402bf4149787e52ef8ce8449d458fb8cbcd02d92375d69ef30030289298c289e2bd7aa948e9433896cd5fac2d43db95b5358b9be9a

  • C:\Windows\{E4A5D9F2-025D-4c02-AA22-68E2FB442B3A}.exe

    Filesize

    89KB

    MD5

    2d94c1bc99e47cfac7a47fee752310d6

    SHA1

    f9978949af76c6169bfd577632fdd65010fc24a6

    SHA256

    b2f89845171b32cbe2ad8d50264e029905393b24877ace9e4449764329c53572

    SHA512

    f18edddf4e0a15cf8a2bce2ca48dcd4598809792691443b2e0ee136d56fb493ed239da6047ce9ab0dbda5c0576f1f063067a5aefa07f57f85aac8e12b72849c7