Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 05:40

General

  • Target

    3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe

  • Size

    89KB

  • MD5

    0d0fbd64b0015e9a99e1462c9276c050

  • SHA1

    1c2a60ec872e3aa7c79325748512bec390f1ffc2

  • SHA256

    3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684

  • SHA512

    4903f02c33fc27ab9e6619e8f6a8b02136c53f2c4343cd4fa6c0018d86765c13aef5897d4ea46a2476a8157b662878e78087d633aed6a64578a5b913b0b3a6d9

  • SSDEEP

    768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7gl5:YEGh0oHl2unMxVS3HgX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe
    "C:\Users\Admin\AppData\Local\Temp\3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Windows\{623332CC-07EE-4f81-98A4-22A28F64D7CA}.exe
      C:\Windows\{623332CC-07EE-4f81-98A4-22A28F64D7CA}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\{39705BF6-6E57-418b-B824-D185ACD49DDE}.exe
        C:\Windows\{39705BF6-6E57-418b-B824-D185ACD49DDE}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Windows\{9E21709B-9762-4013-95DD-4F852A227B18}.exe
          C:\Windows\{9E21709B-9762-4013-95DD-4F852A227B18}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4904
          • C:\Windows\{BEB50F86-C4D7-492c-92FD-FCE5801C9A0C}.exe
            C:\Windows\{BEB50F86-C4D7-492c-92FD-FCE5801C9A0C}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2492
            • C:\Windows\{1146574D-9B30-45f1-9DAF-2C0C1D53880E}.exe
              C:\Windows\{1146574D-9B30-45f1-9DAF-2C0C1D53880E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1480
              • C:\Windows\{E02B9B85-AA72-41f1-A383-A5748E342C6F}.exe
                C:\Windows\{E02B9B85-AA72-41f1-A383-A5748E342C6F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3740
                • C:\Windows\{72D3C665-CC0D-4dfe-B817-0F089AD6F607}.exe
                  C:\Windows\{72D3C665-CC0D-4dfe-B817-0F089AD6F607}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3100
                  • C:\Windows\{99CC3B6B-2E80-44d9-A3DA-E516BB221174}.exe
                    C:\Windows\{99CC3B6B-2E80-44d9-A3DA-E516BB221174}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3752
                    • C:\Windows\{B9118A9F-7B78-4e11-9CD2-8685196D1971}.exe
                      C:\Windows\{B9118A9F-7B78-4e11-9CD2-8685196D1971}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1924
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{99CC3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2560
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{72D3C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2556
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E02B9~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3312
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{11465~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2868
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BEB50~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4656
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9E217~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{39705~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5080
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62333~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3FBCC5~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1444
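The tree above shows the same pattern at every level: each stage launches the next GUID-named copy from the root of C:\Windows and then spawns cmd.exe to delete its own image by 8.3 short name ({62333~1.EXE for {623332CC-07EE-4f81-98A4-22A28F64D7CA}.exe, and so on). The cmd.exe image path is C:\Windows\SysWOW64\cmd.exe even though the command line names system32, which is the WoW64 file-system redirection expected for the 32-bit sample (tagged arch:x86). The final stage, {B9118A9F-7B78-4e11-9CD2-8685196D1971}.exe, is the only copy with no matching cmd.exe deletion in the tree and no Active Setup tag. The Python below is an added example, not part of the sandbox report, that re-derives these observations from process records and applies the same footprint check to Active Setup StubPath values. The process records are constructed from the tree on this page (first three stages only, plus one constructed benign cmd.exe); the Active Setup entries, the 8.3 short-name heuristic and the verdict thresholds are assumptions.

```python
import re
from collections import defaultdict

# Process records constructed from the sandbox process tree on this page:
# (pid, ppid, image path, command line). Only the first three stages are
# reproduced; the last record is a constructed benign cmd.exe that deletes
# an unrelated file and must not be flagged.
PROCESSES = [
    (4220, 0,
     r"C:\Users\Admin\AppData\Local\Temp\3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe"'),
    (4924, 4220, r"C:\Windows\{623332CC-07EE-4f81-98A4-22A28F64D7CA}.exe",
     r"C:\Windows\{623332CC-07EE-4f81-98A4-22A28F64D7CA}.exe"),
    (3096, 4924, r"C:\Windows\{39705BF6-6E57-418b-B824-D185ACD49DDE}.exe",
     r"C:\Windows\{39705BF6-6E57-418b-B824-D185ACD49DDE}.exe"),
    (1444, 4220, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3FBCC5~1.EXE > nul"),
    (5052, 4924, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{62333~1.EXE > nul"),
    (5080, 3096, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{39705~1.EXE > nul"),
    (9001, 4220, r"C:\Windows\SysWOW64\cmd.exe",          # constructed, benign
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"),
]

# Constructed Active Setup entries (component GUID, StubPath). The report records
# the technique but not the registry values, so these are illustrative only; real
# entries live under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components.
ACTIVE_SETUP = [
    ("{623332CC-07EE-4f81-98A4-22A28F64D7CA}",
     r"C:\Windows\{623332CC-07EE-4f81-98A4-22A28F64D7CA}.exe"),
    ("{00000000-0000-0000-0000-000000000000}",             # placeholder, benign shape
     r"C:\Windows\System32\ie4uinit.exe -BaseSettings"),
]

GUID_EXE_IN_WINDOWS_ROOT = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)", re.IGNORECASE)
SHORT_NAME = re.compile(r"^(.{1,6})~\d+\.EXE$", re.IGNORECASE)
NOT_83 = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def short_name_prefix(path):
    """Heuristic 8.3 prefix for a long file name: the first six characters of the
    upper-cased stem that are legal in 8.3 names (Windows appends ~N to these)."""
    stem = basename(path).rsplit(".", 1)[0].upper()
    return NOT_83.sub("", stem)[:6]


def deletes_parent_image(cmdline, parent_image):
    """True when a cmd.exe command line deletes the parent process's own image,
    either by full name or by its 8.3 short name as seen in the tree above."""
    m = DEL_CMD.search(cmdline)
    if not m:
        return False
    target = m.group(1)
    if dirname(target).lower() != dirname(parent_image).lower():
        return False
    sn = SHORT_NAME.match(basename(target))
    if sn:
        return sn.group(1).upper() == short_name_prefix(parent_image)
    return basename(target).lower() == basename(parent_image).lower()


def analyse(processes):
    """Return the GUID-named stages, the (cmd pid, parent pid) self-deletions and
    the depth of the longest parent->child chain of stages from a root process."""
    by_pid = {p[0]: p for p in processes}
    stages = {pid for pid, _, image, _ in processes if GUID_EXE_IN_WINDOWS_ROOT.match(image)}
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)

    self_deletes = [(pid, ppid) for pid, ppid, image, cmdline in processes
                    if ppid in by_pid and basename(image).lower() == "cmd.exe"
                    and deletes_parent_image(cmdline, by_pid[ppid][2])]

    def depth(pid):                     # root exe -> stage -> stage ...
        return 1 + max((depth(c) for c in children[pid] if c in stages), default=0)

    chain_depth = max((depth(pid) for pid, ppid, _, _ in processes if ppid not in by_pid), default=0)
    # Thresholds are an assumption: two or more self-deleting stages in a chain.
    return {"stages": sorted(stages), "self_deletes": self_deletes, "chain_depth": chain_depth,
            "staged_self_deleting_dropper": chain_depth >= 2 and len(self_deletes) >= 2}


def suspicious_active_setup(entries):
    """Flag StubPath values whose executable is a GUID-named .exe in the root of
    C:\\Windows, the footprint the dropped stages above would leave behind."""
    flagged = []
    for component, stub in entries:
        exe = stub.split('"')[1] if stub.startswith('"') else stub.split(" ")[0]
        if GUID_EXE_IN_WINDOWS_ROOT.match(exe):
            flagged.append(component)
    return flagged


if __name__ == "__main__":
    print(analyse(PROCESSES))
    print(suspicious_active_setup(ACTIVE_SETUP))
```

On a live host the same logic applies to Sysmon event ID 1 (ProcessCreate) records, which carry Image, CommandLine and ParentProcessId, and the Active Setup check applies to the StubPath values enumerated from the registry; the 8.3 short-name comparison is a heuristic and should be confirmed against the real short name of the parent image when one is available.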

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1146574D-9B30-45f1-9DAF-2C0C1D53880E}.exe

    Filesize

    89KB

    MD5

    9b819b8fd28966ea5e3fa0ab36011841

    SHA1

    7ae017c0ff99f15a15f975051f151c8699d73cba

    SHA256

    0e2c401db5c140cfd37d8edded1b13add4f72886537fbaed180c11aa5630c66f

    SHA512

    96ae0ebd5cca5f1fb55f527b82c733b5d33e8af97ee5ccdc1bda83a5970c2fcd8f093b828234a80e305ea4dd8f5c7635b1344f19469ed9749d4477a404230588

  • C:\Windows\{39705BF6-6E57-418b-B824-D185ACD49DDE}.exe

    Filesize

    89KB

    MD5

    8812b3a67d814eb2ddc47e01bffbf592

    SHA1

    817bfb47b76ae0d6796f1e5d8a24bf7d6256fdca

    SHA256

    12489eb874786d0271bd1563921c900dabea31f1d946a49c853922aa267b43fa

    SHA512

    1d8fe08923d3c352253255b1c9ee90adc1e17da3982c69956b09879077d436858a41cf74a8b20ebb2725655ce2d41a71759494b14cac4e2d29a0a97b0c01e10c

  • C:\Windows\{623332CC-07EE-4f81-98A4-22A28F64D7CA}.exe

    Filesize

    89KB

    MD5

    2dcc4177c4a9bcbbc28083a3c5cfdaf1

    SHA1

    8f8ba40aa88824ea5ec00be2cd078ee34e04d8f6

    SHA256

    79895804e2c7bbc013a0eb3ee8b7b2be21b332aa4b0c54eecd5bb8b5498a9ee6

    SHA512

    914bea88076d1116ac16fe0aac10bf908b009ea8d62df2967fb0586f5e08b45d8b848ba4e46bc9bf57223faf8c22dc9a44abd6473b4e5f00edc9b01c86c4fd69

  • C:\Windows\{72D3C665-CC0D-4dfe-B817-0F089AD6F607}.exe

    Filesize

    89KB

    MD5

    bc45b76ff4188572843806aa9a600cd0

    SHA1

    7d931c1ee821b8d576ab9b4292c774eaf404ebd6

    SHA256

    7cbdc45fbc84d76291abca1730b2347c62a20e1f8287a6322a4a4feff2df4460

    SHA512

    05db5ba32936189dab970761910ea95b1d2cdf44132649eab11e6188be4546c65ddcc3b1dd227f96f4a0df4b16f1a0803632377b4349d715c22892c74d34ef93

  • C:\Windows\{99CC3B6B-2E80-44d9-A3DA-E516BB221174}.exe

    Filesize

    89KB

    MD5

    e0c60f1a4209aa885a8e5622d872d558

    SHA1

    62c85da628921559bd96718285d2d190e830714c

    SHA256

    917ddda690c0efddfd1cb6e2066f00004da24577d42f089a5adbb8253c552c31

    SHA512

    1d50cb6e90b6c8117fffa03d6512575e35982412d9df39895634064cbd979e4f4b8c79304d79a3724ae5826e009a7ab8f21eff797a01e95b84662d1d2d9e764f

  • C:\Windows\{9E21709B-9762-4013-95DD-4F852A227B18}.exe

    Filesize

    89KB

    MD5

    db1c2b3f5492c1f07675411489b16b24

    SHA1

    886536e881d1b47d1f85d687dc8d22360bf4d0da

    SHA256

    da8a6a3b4bba1e9a96f0507e2a6576a98fcd6b95c8abe930a5cc039c7791274a

    SHA512

    8a6748df5dd155ee910b9bfc29cb42105f9555cb57a1e4d81deee72c49252ea0b792d2fb401f858aae35f6e2680a496ed760f31dddceee6b646a6766dd97edd6

  • C:\Windows\{B9118A9F-7B78-4e11-9CD2-8685196D1971}.exe

    Filesize

    89KB

    MD5

    51f3ed5ef854acae73d5d59b471ab3eb

    SHA1

    7970b21c179c5922cf6b3c9c79824497ee18f852

    SHA256

    7479555d6769bb51bb677767f636a8e8888fa39dfd0dfcac5b972383a0002570

    SHA512

    a46362c01f7c794317ffa69311a1de04b63f80eb9de06fd9faa4d64648dc5d249f81676a576d0754237850308dddf35a85700eef3616c5861b57d8c367a0616b

  • C:\Windows\{BEB50F86-C4D7-492c-92FD-FCE5801C9A0C}.exe

    Filesize

    89KB

    MD5

    0add3e7529de798e6e34c2895fd3ccc7

    SHA1

    b939e2f59e7717665d50c47f96209591296b5433

    SHA256

    18ab67b7211461f0294558d3b7e6ceee3b6ff120416b561977303eab78f918f8

    SHA512

    7bc0f812f1a0f1fd7e365fff9b8f8af9b794c29611f1af6f6fecf6a037ad303010cd9e2b1227e72d7292c2332d04dccfc4a6ebafaa5bea9c6ac5ff017442591a

  • C:\Windows\{E02B9B85-AA72-41f1-A383-A5748E342C6F}.exe

    Filesize

    89KB

    MD5

    a000242a3b0d031ccd12411b204fe550

    SHA1

    0fae5782df4fe64564da58fb85023e96c8dd6c61

    SHA256

    3808bbc6b29480854f46a3f8e6d822a8ff1339eca3f4618ab285eca6ede9eb2c

    SHA512

    6ceb1c8a237d2ea13995c6081402103437b5c67e3f10f16a4e95f577b26a40b1780b16e0998a6b8ad95687ab79a0308a129d2101ed12027861b25fdc42b8aa73