Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 03:17

General

  • Target

    f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe

  • Size

    79KB

  • MD5

    d4d3e9c0ccf1e6fbdc820e4b2b53a2ed

  • SHA1

    511e44b9928870f6626b5a16b8cb709235c298fc

  • SHA256

    f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2

  • SHA512

    e2913092e573703fd8265a2a666b5b2afc901d34373ec43f6217ca40a3dced0d917433ed573adf9a08abb4cf27d6614c1080fba3dca887390d9fa20199187bec

  • SSDEEP

    768:4vw9816vhKQLroD4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oDloWMZ3izbR9Xwzz

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe
    "C:\Users\Admin\AppData\Local\Temp\f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\{BC37DC80-E2CD-4029-B9BE-DA7BA3E814A3}.exe
      C:\Windows\{BC37DC80-E2CD-4029-B9BE-DA7BA3E814A3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\{C616426A-9B34-48df-B730-5712F0D42283}.exe
        C:\Windows\{C616426A-9B34-48df-B730-5712F0D42283}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\{9D302EE6-094C-4e63-8473-EE762A6F6978}.exe
          C:\Windows\{9D302EE6-094C-4e63-8473-EE762A6F6978}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\{644F6991-5D57-48d9-8A13-1000DA3B8E2C}.exe
            C:\Windows\{644F6991-5D57-48d9-8A13-1000DA3B8E2C}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Windows\{F1187B10-7EA4-4757-9B62-2DBEE1464764}.exe
              C:\Windows\{F1187B10-7EA4-4757-9B62-2DBEE1464764}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2000
              • C:\Windows\{8ACE71D6-AEF2-4120-8DFE-8DAEDE03E72C}.exe
                C:\Windows\{8ACE71D6-AEF2-4120-8DFE-8DAEDE03E72C}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2976
                • C:\Windows\{29B8E5F3-30E8-4656-BF51-C3948623921A}.exe
                  C:\Windows\{29B8E5F3-30E8-4656-BF51-C3948623921A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1792
                  • C:\Windows\{6CBF29BC-3BC5-41be-BADE-422254D23F53}.exe
                    C:\Windows\{6CBF29BC-3BC5-41be-BADE-422254D23F53}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1256
                    • C:\Windows\{F90087B9-61AB-4ce7-A505-FF9143F23E4E}.exe
                      C:\Windows\{F90087B9-61AB-4ce7-A505-FF9143F23E4E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2332
                      • C:\Windows\{28960A50-B7CF-40f8-891D-1F85863578A2}.exe
                        C:\Windows\{28960A50-B7CF-40f8-891D-1F85863578A2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1764
                        • C:\Windows\{162A88EB-95B1-43fb-8B57-9CF77F8ABAE0}.exe
                          C:\Windows\{162A88EB-95B1-43fb-8B57-9CF77F8ABAE0}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2740
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{28960~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3064
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9008~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2616
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6CBF2~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2416
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{29B8E~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1676
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8ACE7~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2704
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F1187~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1016
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{644F6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:668
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9D302~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C6164~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC37D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F0A949~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2272
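The tree above follows one fixed pattern: every stage is a GUID-named executable written directly to C:\Windows, it launches the next stage, and it then launches a 32-bit cmd.exe (C:\Windows\SysWOW64\cmd.exe) to delete its own image by 8.3 short name ({28960~1.EXE for {28960A50-B7CF-40f8-891D-1F85863578A2}.exe, F0A949~1.EXE for the submitted sample). Only the first deletion is tagged "Deletes itself" because only that file is the submitted sample; the behaviour repeats at every hop. The following Python is an added example, not code from the sandbox report: it runs that detection over process-creation records constructed from the PIDs, image paths and command lines shown above. The record layout (pid, ppid, image, cmdline) is a stand-in for Sysmon Event ID 1 or EDR telemetry, and the root process's parent PID is a placeholder, since the report does not show it.

```python
"""Detect the GUID-named stage chain and per-stage cmd.exe self-deletion from the tree above.

Added example; not part of the sandbox report. ProcEvent stands in for a Sysmon
Event ID 1 / EDR process-creation record. SAMPLE_EVENTS is constructed from the
report's process tree; the root's parent PID (0) is a placeholder.
"""
import re
from dataclasses import dataclass

GUID_EXE_IN_WINDIR = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe$", re.IGNORECASE)
# "cmd.exe /c del <target> > nul"; in this report the target is always an 8.3 short name
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_matches(long_path: str, short_path: str) -> bool:
    """Is short_path a plausible 8.3 alias of long_path?

    NTFS builds the alias from the first six characters of the long stem (spaces and
    extra dots dropped, upper-cased), a '~N' counter and a 3-character extension. The
    counter depends on other files in the directory, so only directory, prefix and
    extension are compared.
    """
    ldir, _, lname = long_path.rpartition("\\")
    sdir, _, sname = short_path.rpartition("\\")
    if ldir.lower() != sdir.lower():
        return False
    m = re.match(r"^(.{1,6})~\d+\.([^.]{1,3})$", sname)
    if not m:
        return False
    lstem, _, lext = lname.rpartition(".")
    prefix = "".join(c for c in lstem if c not in " .")[: len(m.group(1))]
    return prefix.upper() == m.group(1).upper() and lext[:3].upper() == m.group(2).upper()


def find_dropper_chain(events):
    """Return (chain, self_deletes).

    chain: the process that started the chain, then each GUID-named stage in order.
    self_deletes: (stage, cmd_event) pairs where a stage ran 'cmd /c del' against an
    8.3 alias of its own image.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    stages = [e for e in events if GUID_EXE_IN_WINDIR.match(e.image)]
    if not stages:
        return [], []
    root = stages[0]
    while root.ppid in by_pid:  # climb to the topmost recorded ancestor
        root = by_pid[root.ppid]
    chain, self_deletes, node = [], [], root
    while node is not None:
        chain.append(node)
        nxt = None
        for child in children.get(node.pid, []):
            m = CMD_DEL.search(child.cmdline)
            if m and short_name_matches(node.image, m.group(1)):
                self_deletes.append((node, child))
            elif GUID_EXE_IN_WINDIR.match(child.image):
                nxt = child  # the next stage in the chain
        node = nxt
    return chain, self_deletes


_STAGES = [  # (pid, ppid, image) from the process tree; ppid 0 for the root is a placeholder
    (2600, 0, r"C:\Users\Admin\AppData\Local\Temp\f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe"),
    (2924, 2600, r"C:\Windows\{BC37DC80-E2CD-4029-B9BE-DA7BA3E814A3}.exe"),
    (2788, 2924, r"C:\Windows\{C616426A-9B34-48df-B730-5712F0D42283}.exe"),
    (2820, 2788, r"C:\Windows\{9D302EE6-094C-4e63-8473-EE762A6F6978}.exe"),
    (2648, 2820, r"C:\Windows\{644F6991-5D57-48d9-8A13-1000DA3B8E2C}.exe"),
    (2000, 2648, r"C:\Windows\{F1187B10-7EA4-4757-9B62-2DBEE1464764}.exe"),
    (2976, 2000, r"C:\Windows\{8ACE71D6-AEF2-4120-8DFE-8DAEDE03E72C}.exe"),
    (1792, 2976, r"C:\Windows\{29B8E5F3-30E8-4656-BF51-C3948623921A}.exe"),
    (1256, 1792, r"C:\Windows\{6CBF29BC-3BC5-41be-BADE-422254D23F53}.exe"),
    (2332, 1256, r"C:\Windows\{F90087B9-61AB-4ce7-A505-FF9143F23E4E}.exe"),
    (1764, 2332, r"C:\Windows\{28960A50-B7CF-40f8-891D-1F85863578A2}.exe"),
    (2740, 1764, r"C:\Windows\{162A88EB-95B1-43fb-8B57-9CF77F8ABAE0}.exe"),
]
_DELETES = [  # (pid, ppid, 8.3 target) for each cmd.exe child in the tree
    (2272, 2600, r"C:\Users\Admin\AppData\Local\Temp\F0A949~1.EXE"),
    (2948, 2924, r"C:\Windows\{BC37D~1.EXE"), (2816, 2788, r"C:\Windows\{C6164~1.EXE"),
    (2688, 2820, r"C:\Windows\{9D302~1.EXE"), (668, 2648, r"C:\Windows\{644F6~1.EXE"),
    (1016, 2000, r"C:\Windows\{F1187~1.EXE"), (2704, 2976, r"C:\Windows\{8ACE7~1.EXE"),
    (1676, 1792, r"C:\Windows\{29B8E~1.EXE"), (2416, 1256, r"C:\Windows\{6CBF2~1.EXE"),
    (2616, 2332, r"C:\Windows\{F9008~1.EXE"), (3064, 1764, r"C:\Windows\{28960~1.EXE"),
]
SAMPLE_EVENTS = [ProcEvent(p, pp, img, f'"{img}"') for p, pp, img in _STAGES] + [
    ProcEvent(p, pp, r"C:\Windows\SysWOW64\cmd.exe", rf"C:\Windows\system32\cmd.exe /c del {t} > nul")
    for p, pp, t in _DELETES
]

if __name__ == "__main__":
    chain, dels = find_dropper_chain(SAMPLE_EVENTS)
    print(f"{len(chain)} processes in chain, {len(dels)} self-deletions")
    for stage, cmd in dels:
        print(f"  PID {stage.pid} {stage.image} -> PID {cmd.pid} {cmd.cmdline}")
```

Against the constructed records this yields a 12-process chain and 11 self-deletions; the last stage, {162A88EB-95B1-43fb-8B57-9CF77F8ABAE0}.exe, has no cmd.exe child in the report, which is why its file is still present in the Downloads list below. Matching the 8.3 alias back to the parent's long name is what lets a rule tie "del" to "self" without relying on file-delete telemetry, which is often not collected.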

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{162A88EB-95B1-43fb-8B57-9CF77F8ABAE0}.exe

    Filesize

    79KB

    MD5

    740b2b61a8e85cbf063dbec2cd2d12ac

    SHA1

    8cc5448f343a9959542b8cc4ecbc6820fa5d0583

    SHA256

    2c18615f2007ef1f129be6d6dffe2a9acab10dad4a95a14204b049903c1e17df

    SHA512

    885ecfa7ddda9aa5b0a71887669e0a98291156676908caabea9aeaa26598fb0a3562eba8f02054a650e88fe65fa95a973b522a5723cae099586a0810a2180f95

  • C:\Windows\{28960A50-B7CF-40f8-891D-1F85863578A2}.exe

    Filesize

    79KB

    MD5

    b7256bd5872c88bed23081cbaedf61ed

    SHA1

    78e2818f3d6291fb00a27a6aab7954ebdd59255b

    SHA256

    fcbb84312a5efa0377ca1fb44967b9550c5ad43479417229422946d65eacbf1a

    SHA512

    86bf649564c5bc7ee725f1f97b507c827764ca819cc6588d3ec2442c5077e2ca2e5ee0b26137729b1c1a741cf0fe441877c16beee48f6886c59d1a08464b809d

  • C:\Windows\{29B8E5F3-30E8-4656-BF51-C3948623921A}.exe

    Filesize

    79KB

    MD5

    9d8dea20834729e9aafcab9bb6c0743f

    SHA1

    7950a8c9bc231da84b661717d759f8b7c6270c9b

    SHA256

    94939be8a450473661c0602e0c9b7e8e3f172e6f85d7853e528a1f763d5eb8db

    SHA512

    0deb2fa270de098fe43029222cbe4cff31303cb997039b26cf5a7a3c672b0ec04ebab0a42de61c021a5d5c627f8a587abb768e12ceccf1e3e68c91dadafd6a55

  • C:\Windows\{644F6991-5D57-48d9-8A13-1000DA3B8E2C}.exe

    Filesize

    79KB

    MD5

    0bf57ca0118975d965369dc14667ab86

    SHA1

    95b4e5a1f0b928d25270de2863341b3330895530

    SHA256

    3e1c7a0d4003bca0b4d5087a71ad8f5c841c3c9771c662074cbb456af5103adf

    SHA512

    857a9f0c3ed4ebc602780be98181d9dd2e1534c2bc3818fa07a9206213374e5cfc0b37ff377a9fa614272906f37c26702427cb24f743652711a6fb6dcffada28

  • C:\Windows\{6CBF29BC-3BC5-41be-BADE-422254D23F53}.exe

    Filesize

    79KB

    MD5

    c52b01564016f278c9c674df67ed57d8

    SHA1

    297b09b11ecbe55f8d9d62ca65bff43ddd5f2e12

    SHA256

    2029cdfc3083b57d1bbdfb5df02a56db9025b027ef52c1a05449456cd3f3edc1

    SHA512

    cff4120415339a7a75e042983b70909ae359284ecae4c316c1ce7e7430afe817d686197eae491ecc04e264af1b3b6849787d3c615f76d6a03000e256c9db0305

  • C:\Windows\{8ACE71D6-AEF2-4120-8DFE-8DAEDE03E72C}.exe

    Filesize

    79KB

    MD5

    2ffed954d21708e2200b492628988b23

    SHA1

    1489a854bfd7b1461e1cd566c8974eec838f4f28

    SHA256

    905b8218830a71a22556e20ef4178808abb24abd1fdd26d70e33336186af96c8

    SHA512

    c387f64d9472006d337088e0b796d12f29bb28574135d14d91186f026d3e049279d77b54fb54fe26b2de180db9ddf49239e3cc2ce98ffab0b16c685fbd4963ec

  • C:\Windows\{9D302EE6-094C-4e63-8473-EE762A6F6978}.exe

    Filesize

    79KB

    MD5

    c1b95896fd434674d9b3716856cc6179

    SHA1

    e1e79d391c657f51878d741a3222dbeee5ca39dd

    SHA256

    cf5c6655cd4223017ccdea52a17d9a6dbbee7b5c7e7172fedfafe40a59ac58f6

    SHA512

    986b820c59d252b35b7b25c07a9d2d4fe94c7c4948e60c49e46b5e32f67fe4ff54ab2ff7e20a873f768c464e038d28a8c11db72d0d98b57c2dca453cf838de1d

  • C:\Windows\{BC37DC80-E2CD-4029-B9BE-DA7BA3E814A3}.exe

    Filesize

    79KB

    MD5

    0aaa1537fec6c928a5bbfb505aeb0a0e

    SHA1

    0c55e7129fbb19d83e92f0ed9314ce12e34aeb60

    SHA256

    5bc11f5f6775b4c9195abf91be3d6fe8fed23910442e3e3fd5933155bee1129b

    SHA512

    aa1f71748d8488d7836528829491b2b272a93cccc6687402a44b688bbd7b00c6d340fb2f41e520cf7460f8a2cda64d9519634343ed8dc950d9e9e7d99b4b39c2

  • C:\Windows\{C616426A-9B34-48df-B730-5712F0D42283}.exe

    Filesize

    79KB

    MD5

    139f80eea98a270ef5b51861fc64925c

    SHA1

    b7a7ff19745931fbe63bb257e08c18b3f810ec34

    SHA256

    9cafd233698bb98338081608874b0bf683fab2245be3ab4ee46b3af5cb32b263

    SHA512

    99585a1fcc2b254efa05bf806511768874ca3cf53bb97f2ce90bca39f66315351e25a0f48bb2c521770cdfb98c95ee1bf10f280cb0f98d6c9dbc6c5cd3e14a52

  • C:\Windows\{F1187B10-7EA4-4757-9B62-2DBEE1464764}.exe

    Filesize

    79KB

    MD5

    782fbeec1faa0e5c128fa1bec01455ac

    SHA1

    73f002cfe55fe69cd9449f27c4af0ba399275df7

    SHA256

    f74f97847ba7cd89d8cabf9e62a5b555a22a994358bb3c2475be08df6da5425f

    SHA512

    80d5cfcf1a93dc107ab8cb90c94baffb486592f99e34da76b377cc7982489e240cc50dfaf208330ed9be7531154450c44c1ef98e944423539d06e5bc146fb9df

  • C:\Windows\{F90087B9-61AB-4ce7-A505-FF9143F23E4E}.exe

    Filesize

    79KB

    MD5

    22c6ae47b4eba42b24ecba423ddaa903

    SHA1

    0a896dd5b3cdca54a3f089ffe4ab37cacdb8e1f0

    SHA256

    76324bc962f258d13645e160fdef11a484cb87d3272bc754f41162baa170069d

    SHA512

    90164814edcb401d4abec71e343d67f6e4a76c5750ec0bb90c665ec86f1048d53d58e78988fdc99f94b1b0d5f1a84b0424942c421f1763f6d39086be0e2a19ef