Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 18:02

General

  • Target

    f3950599eb050afe282c46fee597cfc7e4a72e4967f02014f77486aeb5beb6d1N.exe

  • Size

    89KB

  • MD5

    9a358d41e5ef8bf9d0c9dbd12a166b60

  • SHA1

    ce805212f5f2432fb7966fee5fedeb2f6aebc3db

  • SHA256

    f3950599eb050afe282c46fee597cfc7e4a72e4967f02014f77486aeb5beb6d1

  • SHA512

    96c189ada8508b92a9840e88618fe1d5c83ae78f04ac19627ef6c2195c03a9a221570a811449fc86f3054cc370103d9c29dab309dd1ddef63d281de9ddec42ad

  • SSDEEP

    768:Qvw9816vhKQLrou4/wQRNrfrunMxVFA3b7glL:YEGh0oul2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3950599eb050afe282c46fee597cfc7e4a72e4967f02014f77486aeb5beb6d1N.exe
    "C:\Users\Admin\AppData\Local\Temp\f3950599eb050afe282c46fee597cfc7e4a72e4967f02014f77486aeb5beb6d1N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\{74CE0483-8E82-4507-A007-005E1AF993B8}.exe
      C:\Windows\{74CE0483-8E82-4507-A007-005E1AF993B8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\{EF891BF0-1F3F-451b-91A4-297EDE291794}.exe
        C:\Windows\{EF891BF0-1F3F-451b-91A4-297EDE291794}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\{3102630B-6713-46c4-B9E3-AA1B30942E6C}.exe
          C:\Windows\{3102630B-6713-46c4-B9E3-AA1B30942E6C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Windows\{8AE21D0F-5352-412b-839B-CF6489EB6DAF}.exe
            C:\Windows\{8AE21D0F-5352-412b-839B-CF6489EB6DAF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\{9A2F6B73-D321-4864-9854-546E17221B5D}.exe
              C:\Windows\{9A2F6B73-D321-4864-9854-546E17221B5D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3048
              • C:\Windows\{57F116BF-0AE4-497b-8595-545A79DABDC5}.exe
                C:\Windows\{57F116BF-0AE4-497b-8595-545A79DABDC5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1284
                • C:\Windows\{0E34793E-F682-4bfd-82FC-47A04EBB2CEC}.exe
                  C:\Windows\{0E34793E-F682-4bfd-82FC-47A04EBB2CEC}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:864
                  • C:\Windows\{5B1E54CD-F8A7-4461-939D-CBB5A88F5616}.exe
                    C:\Windows\{5B1E54CD-F8A7-4461-939D-CBB5A88F5616}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1972
                    • C:\Windows\{6D4183F4-13DF-4926-B661-937CCE2102EF}.exe
                      C:\Windows\{6D4183F4-13DF-4926-B661-937CCE2102EF}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2796
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B1E5~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2196
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E347~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1016
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{57F11~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1820
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9A2F6~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1388
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8AE21~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3060
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{31026~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2728
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EF891~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74CE0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F39505~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2544

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0E34793E-F682-4bfd-82FC-47A04EBB2CEC}.exe

    Filesize

    89KB

    MD5

    02bf1082c950f86c62c78abcb90d1816

    SHA1

    7bbf80b0654bd95b9a0d2f4fbb4f686b7a876882

    SHA256

    dbea27d8b0c7ba4150b8a206dab1ea9bef3049a8085b438a7700e5857a002699

    SHA512

    303dc3092aeebeba90a0dad62ac67246785f144fff3dcec0c1173ac7e8631988758e1c51403a569d08ad6ced9b47dc441708d09c2405b0a085fbaff5dedb17b4

  • C:\Windows\{3102630B-6713-46c4-B9E3-AA1B30942E6C}.exe

    Filesize

    89KB

    MD5

    0783f80ea34935e23b063f173ffd780e

    SHA1

    69cb1ae741d983de382803879fa42395bbe6e18d

    SHA256

    73d9608576cd30b19bd4ce9ee823763cbeb131c07435679fcc17d65fd7b17f2e

    SHA512

    9670af3db0a1d9214011c4dd3d4050d88e2c57ce39f0377743b745ae3c67565acf42e8b3943cab85b001c8cdc757c83c2f4c7d9b7c22c1dafa31a643adc6a362

  • C:\Windows\{57F116BF-0AE4-497b-8595-545A79DABDC5}.exe

    Filesize

    89KB

    MD5

    3acd4fe7038e47b24d201d7628bd43c5

    SHA1

    903a8086180477ca603190866c92788090bcc340

    SHA256

    fab6dcc9b756930b3c0aba8e871044143666337a23b15324d0a1df2844b829db

    SHA512

    b77d76a58f10db7fca78a78ce9cd6d23c65f603f1420767293ec581aed9b6a09a8fc53711e637de60f03ed408a9c489dbef136e122aa70856d0c4dbf3041bf28

  • C:\Windows\{5B1E54CD-F8A7-4461-939D-CBB5A88F5616}.exe

    Filesize

    89KB

    MD5

    5fd089451c2925665709b6d96d61a13f

    SHA1

    2b7d20fc8ba025ee2a9c12a93e972ab0a6027544

    SHA256

    f75b38ff472f089e9c31950e16a1a8b9755ea4f88ac5b6558799acb67b506856

    SHA512

    f3c67c575a4df4452645a8b870c3d78c86ac68cbb7c1a7a610b52f6b78180211168709e794d84b73004ec17412edf1581741db4ac850ce81ff4528764cb986fc

  • C:\Windows\{6D4183F4-13DF-4926-B661-937CCE2102EF}.exe

    Filesize

    89KB

    MD5

    c447cef6b15a6dc1139bd10706abc59b

    SHA1

    0ff6ea295380ae92617b22ed99158c7878aa86d4

    SHA256

    6556115ffdd4b0da8147da0c71aa4baedacc533fd6ee3b569a525a39fe729f10

    SHA512

    ef612eea92729e101673e48f98252daf6a0b42f642e8c954eee1183657663c36ef77346e1363b74f97417129d42e1bbffe87f2c1832bd7292cc6ea860e2c97ac

  • C:\Windows\{74CE0483-8E82-4507-A007-005E1AF993B8}.exe

    Filesize

    89KB

    MD5

    4ebde9759228194235da75c6ce589a98

    SHA1

    0137aec80736655738cec4cdcd74fc6ed87b8a51

    SHA256

    d08ccf0fa60f150079d268ae38d3405e6251b60a4d8537f8cfe18ea6b10874db

    SHA512

    20303724e69a0c0049e3dc2ac1de3163e9bb066dda853b34ae231640c6cfdd059a7f900cc106bd17969dd52dc768994c8a4f9dd3493defd0218e7810890c7b4f

  • C:\Windows\{8AE21D0F-5352-412b-839B-CF6489EB6DAF}.exe

    Filesize

    89KB

    MD5

    a3a6e03b3823b006e0b7c8c509719228

    SHA1

    5c66f6c76bcce7e31547feddfe819524c28a8820

    SHA256

    5d4dacf45417ff2f5a0e6c7d01b9ec67028a7a570a9b5619c355acea6e693b29

    SHA512

    79774ddc97a774b754d00ba31af4aa37f191f9c0178fdfccab979be748b48e8517f8c138b76f6fc4a7fcf3554a33be48ecdd1c91de0746a1220f4175dc7882f4

  • C:\Windows\{9A2F6B73-D321-4864-9854-546E17221B5D}.exe

    Filesize

    89KB

    MD5

    04d4481536dd8e876454f15c764602f5

    SHA1

    c21b3f59f4a7315700338acd2fc88ec909c5449c

    SHA256

    5f6b9d29b2e5f58c6f61b2452a9499f207eb48f092aba8502e9296636519ff83

    SHA512

    d31589aa3774170e53d2b372279151a67f9916cff5c792c710564cd9cd46f3a3518b1493a78e4fd48c2d8e9d9ed77254587256275282abebee0ca339b43208cd

  • C:\Windows\{EF891BF0-1F3F-451b-91A4-297EDE291794}.exe

    Filesize

    89KB

    MD5

    42237ee8428001e65b5b19747f3fe2a1

    SHA1

    534c70daa150a386f93fdd284386a1195e4f2920

    SHA256

    7c2f9d7d022bf7b978b8b9d0e13d7912228dd204eb6892b5bd595d2e9b079a66

    SHA512

    59438fca6cbfdc94f608f78b929c52287602ace5fb1bd9ffeac83ac418c656791d7ee520c0e0aa76f4f7b6d57200c529b5633860ed4d2f4069649f05a616b741