Overview

overview

7

Static

static

3

33690e71f9...1N.exe

windows7-x64

7

33690e71f9...1N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 16:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    33690e71f9bf7990215ecedae8b51870bcca005286c713c88b80ed13492aac21N.exe

  • Size

    464KB

  • MD5

    d9773fb73ed6f0816bee658b380223d0

  • SHA1

    c58a6beaa9571bb399ab0773a9c583f0b50369ff

  • SHA256

    33690e71f9bf7990215ecedae8b51870bcca005286c713c88b80ed13492aac21

  • SHA512

    e9b8a31478f5181a4dc7fd5d16f0f36eea72836a344fe3cd4bbaf1fa2e016e30785b50fa8d6f9ece3297fd6d40e51b83a5db3eae4f52f9b70b4c9f22ae1b7701

  • SSDEEP

    12288:rWlc87eqqV5e+wBV6O+ujKZ44fr+66uWEzmmH:rWSqqHeVBxFOfi6SmH

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    PID:3408
    • C:\Users\Admin\AppData\Local\Temp\33690e71f9bf7990215ecedae8b51870bcca005286c713c88b80ed13492aac21N.exe
      "C:\Users\Admin\AppData\Local\Temp\33690e71f9bf7990215ecedae8b51870bcca005286c713c88b80ed13492aac21N.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\Users\Admin\AppData\Roaming\ARPalog\raseonce.exe
        "C:\Users\Admin\AppData\Roaming\ARPalog"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Users\Admin\AppData\Local\Temp\~9143.tmp
          3408 475144 2756 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1480
  • C:\Windows\SysWOW64\extrad32.exe
    C:\Windows\SysWOW64\extrad32.exe -s
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4912

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\~9143.tmp
          Filesize

          8KB

          MD5

          86dc243576cf5c7445451af37631eea9

          SHA1

          99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

          SHA256

          25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

          SHA512

          c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ARPalog\raseonce.exe
          Filesize

          464KB

          MD5

          dfbaef112b52393bd35eddf428a48e4f

          SHA1

          623ab907087d33d73cf2f49084c10687ce44c94e

          SHA256

          7700a954c0e18dad4ec8622bff8ac4fe1e56d2f5fbe318e8e27aded4363ca455

          SHA512

          1dddc44c4f6bdd0a365ba3e5a39385521cd500df4ca5c6ad174d0de563a4eb6c98355dab069f2cee44a0719def94ce798c38f8ea3b31591d27691a93a6021ee4

          Download Submit

        • memory/388-25-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/388-1-0x00000000006A0000-0x000000000071D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/388-0-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2756-7-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2756-29-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2756-15-0x0000000000640000-0x0000000000645000-memory.dmp

          Filesize

          20KB

          Download

        • memory/2756-11-0x0000000000550000-0x00000000005CD000-memory.dmp

          Filesize

          500KB

          Download

        • memory/3408-28-0x0000000003090000-0x000000000309D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3408-27-0x0000000001140000-0x0000000001146000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3408-26-0x0000000002FC0000-0x0000000003044000-memory.dmp

          Filesize

          528KB

          Download

        • memory/3408-18-0x0000000002FC0000-0x0000000003044000-memory.dmp

          Filesize

          528KB

          Download

        • memory/4912-14-0x0000000000550000-0x00000000005CD000-memory.dmp

          Filesize

          500KB

          Download

        • memory/4912-13-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download