Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2024 11:37

General

  • Target

    cb9f1d2dfab9a279b7d01c8eae8ca0b0N.exe

  • Size

    89KB

  • MD5

    cb9f1d2dfab9a279b7d01c8eae8ca0b0

  • SHA1

    2b686cf8a9d19ed3ac93c987d4ef58e37bc5c914

  • SHA256

    d7de95930dfcd1f4357cf96264a0d8c79c525c864ba4abf397df89cc1ce5af61

  • SHA512

    b37ac743f197ad2a9310a9a8e2ee08589e2cd273894e6cbd31e4cefea347d3690faa041faf5626945e68680e6ffc8b04e9e88e3cd187fb39a3ed4428e3f49379

  • SSDEEP

    768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7gl5:YEGh0otl2unMxVS3HgX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Adversaries may attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb9f1d2dfab9a279b7d01c8eae8ca0b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\cb9f1d2dfab9a279b7d01c8eae8ca0b0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\{75D21479-0E1A-41e6-858F-5590CFAC89CF}.exe
      C:\Windows\{75D21479-0E1A-41e6-858F-5590CFAC89CF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\{442D8C72-C516-4210-97D9-0D7F2C43356B}.exe
        C:\Windows\{442D8C72-C516-4210-97D9-0D7F2C43356B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\{0246B8EA-6512-4d72-9782-7750F44E1D0B}.exe
          C:\Windows\{0246B8EA-6512-4d72-9782-7750F44E1D0B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\{67BEFD65-35D8-41f5-AD9E-45E8CBF4CCD7}.exe
            C:\Windows\{67BEFD65-35D8-41f5-AD9E-45E8CBF4CCD7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Windows\{F95587ED-9F65-4452-8C52-B454B18F293F}.exe
              C:\Windows\{F95587ED-9F65-4452-8C52-B454B18F293F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2620
              • C:\Windows\{B0D489BB-8A62-490c-99A0-3546CEE09C62}.exe
                C:\Windows\{B0D489BB-8A62-490c-99A0-3546CEE09C62}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2904
                • C:\Windows\{E44299BE-F885-4275-9BC7-1672B918A375}.exe
                  C:\Windows\{E44299BE-F885-4275-9BC7-1672B918A375}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:568
                  • C:\Windows\{4F83D38D-C334-4e19-8066-5AA66C015A5E}.exe
                    C:\Windows\{4F83D38D-C334-4e19-8066-5AA66C015A5E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2996
                    • C:\Windows\{CED83A1F-83E8-4521-BD80-51AE9C045770}.exe
                      C:\Windows\{CED83A1F-83E8-4521-BD80-51AE9C045770}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1952
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4F83D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2168
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4429~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:560
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B0D48~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2752
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F9558~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2836
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{67BEF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2344
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0246B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1628
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{442D8~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75D21~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB9F1D~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2152

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0246B8EA-6512-4d72-9782-7750F44E1D0B}.exe

    Filesize

    89KB

    MD5

    a8b45010652f07e5c4a92f2926e21499

    SHA1

    a45e8318c3c1f781a1327db8ec9a4aaee7beae86

    SHA256

    b37d9196e0388d39ae4160e3608f44e9fbfe3fe41ace49fad78a7a3ad92237f5

    SHA512

    4e3e590df3493f41591babb761f19c57be2c8db70bc973abddc2a85a6425ea8c59a02c9c7f840bfce559bacddf7ca80931fa4c377026f583b1ab97a0ffc0b9ac

  • C:\Windows\{442D8C72-C516-4210-97D9-0D7F2C43356B}.exe

    Filesize

    89KB

    MD5

    f1790f6dba74598fcc1c238a5e550504

    SHA1

    79527b0d54694456f02ff4079c64917f05cd48b3

    SHA256

    36106e8769596013a3c373b22a431f2107bf84096bd1459fcf14541ffd0428e7

    SHA512

    a474b27c74de052e2f443826ae4abad31388c93f42977ef2ecefdd74888183734dbfdfb5f204cca04833abe522414d9ae3dd80851c30fb9704e3810dccacf72b

  • C:\Windows\{4F83D38D-C334-4e19-8066-5AA66C015A5E}.exe

    Filesize

    89KB

    MD5

    edc59e45c2d692607f59e6bd020d653d

    SHA1

    f07f006021accd625975e7ede6baecc09b1019c8

    SHA256

    9fe54a8818d0824a4f9176c408e83f364eb79c914ebaac6a40b5ae2512d79805

    SHA512

    bdb11a2731d71e57999f0d2d4218803d4164aede5d87b93b19b18c5ac927e74b05aadc33c9991178f38635b4653b22f59b172f442013e0fc550fc816df26e47a

  • C:\Windows\{67BEFD65-35D8-41f5-AD9E-45E8CBF4CCD7}.exe

    Filesize

    89KB

    MD5

    b29cabd693e30603a5f5d2ad56ea19f9

    SHA1

    8efb428c8aca5134563eb5a47177539ceb74fc12

    SHA256

    eaf9d0bc99014dba4f3bf6a11813067bb34b2837ea53fc500c2330cdcc69a20c

    SHA512

    6b9218889b269ee0d4dd5eddcf89c9ea0c5ce27648abe557a819618a79c054b684d75a82c710ec0e747b173bac9dabc60b36ff281d37fabf8a992a1f962eb53c

  • C:\Windows\{75D21479-0E1A-41e6-858F-5590CFAC89CF}.exe

    Filesize

    89KB

    MD5

    05557bf6ed180583bb999b24303a9868

    SHA1

    39f658c0ea118b7729faebddcb7a8e85bd87b878

    SHA256

    28c162fe18b0c5d99ae6ee5bc91d65d9c525c7627deeed0c8ab86b22b8a51a76

    SHA512

    e6f7629ed82f18a58da17b627847c369e8ac16b5636c56e1238b0580b6c0663ecce1c676858dc455f2f947292d6c6162d51f665169f339cae3cafba973837287

  • C:\Windows\{B0D489BB-8A62-490c-99A0-3546CEE09C62}.exe

    Filesize

    89KB

    MD5

    0c74d23a3409d6efe657e926be81b9aa

    SHA1

    e2d2aba25b2647f8b581837e26de7e9d81c56edc

    SHA256

    0a43ec5c29d28e87e89e28bf03c840ec1a339cef66e21ab370215f0b5cd2076a

    SHA512

    d6af557fdc7308fd3883adb419d42799727df1c98b17eb590f8da52dd913a9497b8062847a873d060e4477dcd222eb8ba72fff85f2300abb6798e7c070ca0cea

  • C:\Windows\{CED83A1F-83E8-4521-BD80-51AE9C045770}.exe

    Filesize

    89KB

    MD5

    45a9a20a74d9cbae09c6d8cf77d579cb

    SHA1

    cc5e942934b27b2140fae33b4ff90c474a90b90e

    SHA256

    d0c4688cc3d2a755e9cb7d15dd5869b9816e20cf47a2838d129a954662de7e4e

    SHA512

    70d4f350703dacf5c71a9ecf1ee644006d3ae3d74bd3fd388aa6fe23ec23520e7f6a5ecae5d2a1677c71bce82a51a0f9c48476d36882198016b2e4e3e68623db

  • C:\Windows\{E44299BE-F885-4275-9BC7-1672B918A375}.exe

    Filesize

    89KB

    MD5

    326e2634564874bc224f75a3bc079c34

    SHA1

    c72e4e90dd9c646997423ddd4c6a4db3258954df

    SHA256

    6f9d98d1e7dce29fcc8397b9c6fa75bcf84f2fcd6400a8b0253e8acfca35fd48

    SHA512

    01bd671e6730609fefe1c1e671023ff97762865ba94ac0b39aeed9bedc9b2f0f66f768b00527b30c5af00c13f9a657016b65e41eb64924a4b1d79f99df4758ee

  • C:\Windows\{F95587ED-9F65-4452-8C52-B454B18F293F}.exe

    Filesize

    89KB

    MD5

    3506df69afa93eeb73c5fbc1ab3a8fb9

    SHA1

    76e3619326d5b335e089290fd90019b37a7f7f1e

    SHA256

    532645b6ac4a0bc3f4cf9e13f45ca0e3c174b9549e1b56dca71f3b3966683192

    SHA512

    bc90057d7a70a34e98d6e19b9a78179e8bd284b1f3f8a9fbe71fdc8dc647d5416a88d9fec52668b7e89cbee8aeabf92e7e7e7948ed2e8d230ac40bde12113ec8