Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240903-en · locale:en-us · os:windows7-x64 · system
  • submitted
    25/09/2024, 22:42

General

  • Target

    78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe

  • Size

    83KB

  • MD5

    8f457274d83c39717e79f3d1444dde60

  • SHA1

    aa4ce4d3c969c65a24ef0880ddf6235f9462285a

  • SHA256

    78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093

  • SHA512

    9c158c77640640684a2fd750d18a5ddfc72adad0486062cdc6a8f7dd83e57e413e065c483f2cac8da6b6dfc908dbb34a89ffd27e25d3e52cb2830c296bf964c9

  • SSDEEP

    1536:q4Gh0o4g0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4g05outQCMUyNjhLJh731xvsr

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
    "C:\Users\Admin\AppData\Local\Temp\78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\{3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
      C:\Windows\{3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\{77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
        C:\Windows\{77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\{04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
          C:\Windows\{04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:808
          • C:\Windows\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
            C:\Windows\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2576
            • C:\Windows\{6FE05612-8065-4e92-BF2C-98148466913A}.exe
              C:\Windows\{6FE05612-8065-4e92-BF2C-98148466913A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:268
              • C:\Windows\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
                C:\Windows\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1220
                • C:\Windows\{7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
                  C:\Windows\{7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2188
                  • C:\Windows\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
                    C:\Windows\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1944
                    • C:\Windows\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe
                      C:\Windows\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2916
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5462F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2080
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{72431~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1796
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0B03B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2332
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{6FE05~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1500
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C48EA~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1300
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{04DD1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{77943~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3189E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\78CDBC~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2660

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe

          Filesize

          83KB

          MD5

          e964533f084fa85e97294c195df65553

          SHA1

          b55ee19f3d28c822e3678e9ee777f119f08baca2

          SHA256

          616cfef8515b25562480c00eb9b24c704250fe198ffd5a9be31920ec7fd2d462

          SHA512

          d1cc662f8e97d7c021a7b4fc2b3f38ace96d9263fc8b5a831d2d7d2f0472912478375641e6aaeac83346085b3eacb75b1cb03ec8e9c43fc1219ebb4f7249f261

        • C:\Windows\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe

          Filesize

          83KB

          MD5

          a4a418000f6c23d190bd9323214d0f0f

          SHA1

          abe3d6616b001279998a25aafb8223e6e0252c98

          SHA256

          2050f0b694fef1870b6eadea1a76e5e9b8c233d25d863fa650533fcc4441727d

          SHA512

          0922bd3ce52ab0a57716444bdb835154680eb1ad8bb267a52814da7fb131e80210af7c1e96dc6776eca1c8adbb374cde732c7e7f444406abb748fcff40737230

        • C:\Windows\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe

          Filesize

          83KB

          MD5

          6a26ff921d9ab0e115b266db965b16f5

          SHA1

          d04f74359a4c981394bc15bd5d6dcd39177f8054

          SHA256

          f6c24a38df424f40504d9ce98b7ab3ff53482fd6560190a015b57b6f028ed451

          SHA512

          9eaa78bf54d05e4b32aef8eb43c01a8329c98ff28f12c54eac7a31cdab33d3c9624ca988c3347d8f6e01fd47c99eddc3fd732226ee8eb38ba72cf45011ff4355

        • C:\Windows\{3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe

          Filesize

          83KB

          MD5

          094b5cd892ea1946f897d21a91d93090

          SHA1

          ef063d3e1385d1a2ae88a849a785e1e4cbf64f23

          SHA256

          0375ef5c521e927811bd53750dcc320b578479e7de91763f8eaaf72bd4b3959d

          SHA512

          70ba9b8e657ea914a35548eadfc15fc5d4a5f3b583aed05bcf90fcabd7c69d19cf94737495eb98a0efb2729ea590912f369c42d8d1112873654f73aff2c4bac4

        • C:\Windows\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe

          Filesize

          83KB

          MD5

          1872bb45b85e134a34e7ced7609b0d9b

          SHA1

          6141d402fca5a0bc5c12c85cc203691340c35f87

          SHA256

          1a75307785daea4a50c9b73f881ab8ea98ec9857998010eeeb1784bd4572399f

          SHA512

          41c9e156fd65811a82e254f852d95a55b1ab8a0f499d9668337416521275dde9bb8263cfd154bbfcc542a9a3470000701fed43f1aca788dc735129b06a1c4a44

        • C:\Windows\{6FE05612-8065-4e92-BF2C-98148466913A}.exe

          Filesize

          83KB

          MD5

          f74a13bed1112eb76f11db8cf4037c0c

          SHA1

          8ed58d3c064731d48a2bb0da62824e8ab574a37f

          SHA256

          38d355eef8b6e778b9a82f41a5e49f1c4481f6b77fae2d6fef3015e322eb2693

          SHA512

          9e96e6fb6b0e5fdb8df35dd8b471d7dff6cec1a827397e4a4672d9f3a6125dedd7d55094eb0a373768bcd696a4967b6493aee711748daac4fc16a3f8c095b71d

        • C:\Windows\{7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe

          Filesize

          83KB

          MD5

          03a79b9538621dbea97a4fe1b796b484

          SHA1

          a1ac0843695a2752d264cd7be86ddf15a63d8834

          SHA256

          2363e6d22695fb4aeabab5de476f7c39865fdd4ed2db7df5ff5b49d8cccf9c30

          SHA512

          2728420010ec25bebfdb76e1e32a3d71b43a1b52e17006d4c389ad1c0b810d7007a921f385ccabdaddf8bf6c195af1e514541a95a229758b682fa0e22d33a622

        • C:\Windows\{77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe

          Filesize

          83KB

          MD5

          70bff6040b4c726b73b71ad22ea3fbcb

          SHA1

          76b23be74edb990d5a56ce748e48eeb77eb045a0

          SHA256

          300c134ac213853c758d47082de4e2cbb5ee4fc3e7dc97c42c9444f5d6179cad

          SHA512

          2320a30f1b2af0f4275be21aee01dd3094ced5a841b9b6cb18f01e95750857653da652ebc096c472cab3a81e45c2a0ba8e986e54dc41b5cd297ea5688a3ea873

        • C:\Windows\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe

          Filesize

          83KB

          MD5

          a49d034b7124cbe2d7f372786017bc32

          SHA1

          b01d6caedc9fbfed9ca619dc260566dc7509f27c

          SHA256

          5cc5dd97d9b4d4118c89cfaaf4d2a10723a68215233a328ef99eb11a59b152e0

          SHA512

          918d03c0d3cfc693809c3e5b86383e4694a46d3c8e3d4b3fffe41a61f16e27b9f48293226cee47cdf8418c61a406134465f581aa098f4b55e37fb2d9f3b05113

        • memory/268-54-0x00000000003A0000-0x00000000003B3000-memory.dmp

          Filesize

          76KB

        • memory/268-58-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/268-50-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/268-49-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/808-37-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/808-30-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/1220-60-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/1220-67-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/1944-80-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/1944-81-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/1944-84-0x00000000003B0000-0x00000000003C3000-memory.dmp

          Filesize

          76KB

        • memory/1944-89-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2188-77-0x00000000002D0000-0x00000000002E3000-memory.dmp

          Filesize

          76KB

        • memory/2188-78-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2188-70-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2188-69-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2576-39-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2576-40-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2576-47-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2712-10-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2712-18-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2712-14-0x0000000000350000-0x0000000000363000-memory.dmp

          Filesize

          76KB

        • memory/2824-20-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2824-28-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2824-24-0x0000000000430000-0x0000000000443000-memory.dmp

          Filesize

          76KB

        • memory/2872-9-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2872-3-0x00000000002D0000-0x00000000002E3000-memory.dmp

          Filesize

          76KB

        • memory/2872-0-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB

        • memory/2872-1-0x0000000000400000-0x0000000000413000-memory.dmp

          Filesize

          76KB