Overview

overview

8

Static

static

3

ab9d3fdc8a...1N.exe

windows7-x64

8

ab9d3fdc8a...1N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 20:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab9d3fdc8a97b7f8d5fb328bcf293e42a5be889666422d7011f44a4d31843e91N.exe

  • Size

    89KB

  • MD5

    a6b0ffdfe2bdf1a125eda532f3020ac0

  • SHA1

    09bd0cfbf4c7684a5f49cf973c213265a975c33f

  • SHA256

    ab9d3fdc8a97b7f8d5fb328bcf293e42a5be889666422d7011f44a4d31843e91

  • SHA512

    6ccd3e075377c31e4324d865fdc95130e98c9836e1afc3c7ca99a1f7cbee0e516507d573d67b3fbdf81deae9e4e878d6aab18dbf1868ebc70db43c392d6e15af

  • SSDEEP

    768:5vw9816thKQLroL4/wQkNrfrunMxVFA3k:lEG/0oLlbunMxVS3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab9d3fdc8a97b7f8d5fb328bcf293e42a5be889666422d7011f44a4d31843e91N.exe
    "C:\Users\Admin\AppData\Local\Temp\ab9d3fdc8a97b7f8d5fb328bcf293e42a5be889666422d7011f44a4d31843e91N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\{3CD55C33-151A-4bd5-A0BC-A7503C9B77DC}.exe
      C:\Windows\{3CD55C33-151A-4bd5-A0BC-A7503C9B77DC}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\{37F1370E-2077-4fa2-8EF4-6BE20038F408}.exe
        C:\Windows\{37F1370E-2077-4fa2-8EF4-6BE20038F408}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\{9CAE7883-660F-4ffa-8674-CA6BDF1E3C04}.exe
          C:\Windows\{9CAE7883-660F-4ffa-8674-CA6BDF1E3C04}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4184
          • C:\Windows\{F1E50CB8-81F1-430e-9CD0-D29137F7A7B7}.exe
            C:\Windows\{F1E50CB8-81F1-430e-9CD0-D29137F7A7B7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4964
            • C:\Windows\{7B5F8691-F6CF-486a-9E59-F06DB1EE5C56}.exe
              C:\Windows\{7B5F8691-F6CF-486a-9E59-F06DB1EE5C56}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3588
              • C:\Windows\{E66C454B-E50F-4f8c-963E-99E33409E7AD}.exe
                C:\Windows\{E66C454B-E50F-4f8c-963E-99E33409E7AD}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2108
                • C:\Windows\{8FE22140-20F4-4967-B3BE-1EAE67F03823}.exe
                  C:\Windows\{8FE22140-20F4-4967-B3BE-1EAE67F03823}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:552
                  • C:\Windows\{537F31C0-9636-4c67-A142-7574CE198E90}.exe
                    C:\Windows\{537F31C0-9636-4c67-A142-7574CE198E90}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3496
                    • C:\Windows\{5F41DC8B-11AD-4d03-A4BC-9458B70958F3}.exe
                      C:\Windows\{5F41DC8B-11AD-4d03-A4BC-9458B70958F3}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4144
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{537F3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1500
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE22~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2432
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E66C4~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3752
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7B5F8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:5084
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F1E50~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4376
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9CAE7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{37F13~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD55~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3988
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AB9D3F~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{37F1370E-2077-4fa2-8EF4-6BE20038F408}.exe
    Filesize

    89KB

    MD5

    a9914d663955ae773ffda1dc81a2713d

    SHA1

    d4688a33310a5e88b60b1cfde3fe0667f10d429b

    SHA256

    6213f369b3c786e7b3a145c663de73596124f891654d05f77388cfec2c375968

    SHA512

    4bbb8e2db0c3905255128c33a5a585874e7ea8cad2503629bcb39052e3ced6c89d0167f05aaaf3e05406b2cf2a6062ed35ac825236d229d2295f9dee604ebcec

    Download Submit

  • C:\Windows\{3CD55C33-151A-4bd5-A0BC-A7503C9B77DC}.exe
    Filesize

    89KB

    MD5

    af4be744db677b61a03e8e76f5aefc99

    SHA1

    61e7e379df192aee5974e5cdf2574038123e04f2

    SHA256

    22c59ff8aa0943e6772351207b51277d81c123d63241eb16ddab9adb2aa61af4

    SHA512

    8c5b38faea579f6b9b7da41c0032e064c9afecd4e25157208ea60ff1736661e5fbca9f9f5f006dcabbfe5f57a333090db91fce445544adc525aa08511ab364e6

    Download Submit

  • C:\Windows\{537F31C0-9636-4c67-A142-7574CE198E90}.exe
    Filesize

    89KB

    MD5

    c9ef13ef7f8600ec9c0d9483339ac1d5

    SHA1

    47490a0c7c830eae6248d3b944d8f25913471b46

    SHA256

    b166a35f357e0e4647e9aabf465f0005aa1f8116241d12e1a0655b6695966d6f

    SHA512

    9e7733ec94f2c2f92f79e1bfc190ba270cb8bbb55dfe212594758908206b1efc3823750c94824184f327403dfb32a23cd6608e604948e8d095fbcbd16e4a44f5

    Download Submit

  • C:\Windows\{5F41DC8B-11AD-4d03-A4BC-9458B70958F3}.exe
    Filesize

    89KB

    MD5

    15f680418e56141f90201a251f47b85f

    SHA1

    8838c20049c3abf95c1706fad3edfd558fc87bdf

    SHA256

    032238c02b674987e26b6cebc548c5442081431aaf5bf26c6f733f974bb1b864

    SHA512

    b248c3b5e41cc5046bd21187e35e1455e98cc7c69183539e01bf5db79d0a0fcc6215dac541c9848ac8cd20195dd3f195b87e4ad9e85fc964233d962df8dd3dbf

    Download Submit

  • C:\Windows\{7B5F8691-F6CF-486a-9E59-F06DB1EE5C56}.exe
    Filesize

    89KB

    MD5

    bcb8c028bf5d208d0bb365442b95f4c7

    SHA1

    d0829fbd717b2369bc5bed6ceff92797122aad15

    SHA256

    cba40a04c16b80466edab2b52fda13c0195689b6e100e78ae628c745bf7f3064

    SHA512

    db621f07735f741b59e96563f684a6ee8d45d3e48b9e55ed34c0ad9e0a58098c4e23e904b1079a5e9948c2714a134916a7d42ddb97ac090c4037cc8aa6e32109

    Download Submit

  • C:\Windows\{8FE22140-20F4-4967-B3BE-1EAE67F03823}.exe
    Filesize

    89KB

    MD5

    7e11c5b194d868539b2b4bbfb0513d59

    SHA1

    b3ebd899a8ae9da7ab1d3fb2ae435ce0dc1329c3

    SHA256

    34ea9741d465b01ab9444ada615393efb3b6a03d7699c785bd31f6d5a1f348dd

    SHA512

    ff0aa931529bf5d16e563b19a3cadcbda512089adae3ec5bbcf2fb60ee8624806d1b1204cd01fb222ab68165bc73e8537387efafda14c8c2718856350608ef75

    Download Submit

  • C:\Windows\{9CAE7883-660F-4ffa-8674-CA6BDF1E3C04}.exe
    Filesize

    89KB

    MD5

    ad1e955b20a5d36d0ea408af006fc316

    SHA1

    f5c1cc4f168389ef2b046bfd4ef20e23b91a7312

    SHA256

    557ce73548082b7aa2255b6c65fb82320ca0351324e9d02a6a7a88eb1b32ce47

    SHA512

    0f8e71ee5e3a4d4705a5e21a9fe309d1a04475e034fa2f2b71ba55187b7c593103fb7d60189bed20d9a53f5a0ceb4a3a11d494b70fe2576c675ebabaad670361

    Download Submit

  • C:\Windows\{E66C454B-E50F-4f8c-963E-99E33409E7AD}.exe
    Filesize

    89KB

    MD5

    2580e190e7f8b412f2aa12fa42b77ba5

    SHA1

    df6045b022b50a89dc07c86119d374d06901433b

    SHA256

    e4def3eceb09737835f10a7a3e1b3039ff89538850b4a165e47a666477f62c3e

    SHA512

    34604fbea67f1def892d8c4ff9e6eabd755cdcfb7a5038f239ff1f15c593c6cafb3569abda8288a67d8be821902a21833d481dd2180443437f1c0f5e9ff91574

    Download Submit

  • C:\Windows\{F1E50CB8-81F1-430e-9CD0-D29137F7A7B7}.exe
    Filesize

    89KB

    MD5

    ba98e1002a119e8ebd98ee4cc8b9f1d0

    SHA1

    172b588a327776e22fb25f4fcc5a30803b28b7ab

    SHA256

    a88db4f17346f1e3ff21117bccbc0f183a4e8c59ef8baee5b52842851ca77389

    SHA512

    09f4ee09a93ff5e866093e7207da15eaefb042ed3421e0486b31e81a61ec844d8a227baf6460917a3560aaa6fedba911d7ae59d1a1979d6d13f543f7135e3cd8

    Download Submit

  • memory/216-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/216-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/216-14-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/552-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/552-48-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/564-11-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/564-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/968-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/968-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/968-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2108-38-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2108-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3496-53-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3588-32-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3588-36-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4144-55-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4184-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4184-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4964-25-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4964-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download