Overview

overview

8

Static

static

3

5c8504addb...2N.exe

windows7-x64

8

5c8504addb...2N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2024, 03:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c8504addb51ee4940a039fd4af5cdf50cc6a2bb98d218bce1932daa8c7a2762N.exe

  • Size

    89KB

  • MD5

    984808916af865a78d418efccb9d5190

  • SHA1

    061fca3a3542bad674cbaaaac5d4b0a4cc37169b

  • SHA256

    5c8504addb51ee4940a039fd4af5cdf50cc6a2bb98d218bce1932daa8c7a2762

  • SHA512

    45ba3d3b32af17f49e2ffe37077035b574edf1c63ef1e35f4dc7625cd86734d23f53e158303e5a3d187c2145f749b0a264291add13498242ebf400cb26a41ce2

  • SSDEEP

    768:5vw9816thKQLrovb4/wQkNrfrunMxVFA3k:lEG/0oDlbunMxVS3k

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c8504addb51ee4940a039fd4af5cdf50cc6a2bb98d218bce1932daa8c7a2762N.exe
    "C:\Users\Admin\AppData\Local\Temp\5c8504addb51ee4940a039fd4af5cdf50cc6a2bb98d218bce1932daa8c7a2762N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Windows\{554B1BEC-C99D-44c5-B2D1-1BA1D264F34F}.exe
      C:\Windows\{554B1BEC-C99D-44c5-B2D1-1BA1D264F34F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\{C6B774C6-FDF0-4a65-8ECF-42377FA70546}.exe
        C:\Windows\{C6B774C6-FDF0-4a65-8ECF-42377FA70546}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Windows\{E9027B06-9BD9-43a2-891D-6310AD572E20}.exe
          C:\Windows\{E9027B06-9BD9-43a2-891D-6310AD572E20}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Windows\{6349DF29-8A30-4ad9-867D-23A28ABB2EAE}.exe
            C:\Windows\{6349DF29-8A30-4ad9-867D-23A28ABB2EAE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4396
            • C:\Windows\{1C24DE5A-398C-4753-A5D2-D0286F9A01D3}.exe
              C:\Windows\{1C24DE5A-398C-4753-A5D2-D0286F9A01D3}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4252
              • C:\Windows\{DBFA3FF8-7B96-4a54-BFC5-06239A66D27A}.exe
                C:\Windows\{DBFA3FF8-7B96-4a54-BFC5-06239A66D27A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:368
                • C:\Windows\{95FBA3DF-A93B-4a5f-A196-7E46C679D48D}.exe
                  C:\Windows\{95FBA3DF-A93B-4a5f-A196-7E46C679D48D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:216
                  • C:\Windows\{7C9F47F8-BE11-4110-9019-B03D3DD5156A}.exe
                    C:\Windows\{7C9F47F8-BE11-4110-9019-B03D3DD5156A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3168
                    • C:\Windows\{7D766F72-2021-43bb-91F9-E3A8F3843959}.exe
                      C:\Windows\{7D766F72-2021-43bb-91F9-E3A8F3843959}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4800
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C9F4~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3144
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{95FBA~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1352
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DBFA3~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4464
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1C24D~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:536
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6349D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3756
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E9027~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3348
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C6B77~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3888
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{554B1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4840
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5C8504~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{1C24DE5A-398C-4753-A5D2-D0286F9A01D3}.exe
    Filesize

    89KB

    MD5

    1ec9677b434fc5e6ea005824d164dfad

    SHA1

    8712ca8aa3751693cafc5b930054e3cc651a8b5c

    SHA256

    5adb759a843730e71f32771bdcef308dcf0db1a913a2e232ec89987ee5d9b0aa

    SHA512

    2b256df353a06c07e183f1436052a5c46967f084ef80dfed380c8bf7f6bd38e0ffe3687f59f951a279861a90dda09afcd34e10fec275737901f97ca8c3572633

    Download Submit

  • C:\Windows\{554B1BEC-C99D-44c5-B2D1-1BA1D264F34F}.exe
    Filesize

    89KB

    MD5

    1640a9f941ce8059b03243c35a63b0a6

    SHA1

    946adcc7a07e49204a5f77348f69035825824cfd

    SHA256

    dbaa0f665ccd78e3503da86306b03eb0be6c896b8ee51b85e5454e04ca7e11b8

    SHA512

    eeed97f9168a918f792b3a28605ec5152157fe0dd8b37f07abf49b5fc8e7256b21697f2c2e524e7ccadb53a836f7a5e7b0db29bb42a84b5e7df0a9fe4ee46dc2

    Download Submit

  • C:\Windows\{6349DF29-8A30-4ad9-867D-23A28ABB2EAE}.exe
    Filesize

    89KB

    MD5

    6dd578fc807eceee21170bb29d9114ee

    SHA1

    0959dab408aba4579e6bd2e18cd1d49fba6cc6fb

    SHA256

    33a9bce9a8d4810d075746171b379f9d7cff431c32004f3fb6128afc0be83dfd

    SHA512

    d8d4a9368bbeeecc12bda0a31ae01261988fa5f7f4b44d2eaa3e14645357c0e3c9256f43b7b790c3ec7b4c69b808979aa876b6d5d3b3f569bd78bbb8ffd6bf44

    Download Submit

  • C:\Windows\{7C9F47F8-BE11-4110-9019-B03D3DD5156A}.exe
    Filesize

    89KB

    MD5

    4b9003869c4beea3cbf314f5eb8c97b4

    SHA1

    5b269522a163d9a0fe2fe132747eac0d6d1606b3

    SHA256

    b6e78ec34ccbc351395bd774d2e6e2bc25927b4d868dab1250be00c41b257a80

    SHA512

    538a6282d575fe39100d1d4b6e10a2267c639a12bdda1ed8ed9c2a173744cf5e11483a628edae3045921bf65a8145b8d248209a66113f18ab13b08568a237a97

    Download Submit

  • C:\Windows\{7D766F72-2021-43bb-91F9-E3A8F3843959}.exe
    Filesize

    89KB

    MD5

    9bb9e527a474015982eaca8d3ce60a77

    SHA1

    e5cd78c4464a820cae0aae0b62f4aad4a45428cf

    SHA256

    87bea83dfa4cf50bcb0bdded92c03761acd6cae706247416ce2916045f109b09

    SHA512

    884d04f096f152f0bc8a8f89759eff180aa9fde5f346b84679f5fe2b6b12a58cc5d36795c1147c323fb00646087c217d0ba3c7c021d0624f3e085095b7fb42d0

    Download Submit

  • C:\Windows\{95FBA3DF-A93B-4a5f-A196-7E46C679D48D}.exe
    Filesize

    89KB

    MD5

    e5204a5232af00328de3a379d099b7a0

    SHA1

    90105758ccd5984218868222490ed0500d3f2ef1

    SHA256

    b7e7192fb7081db70591a617bb627c935a1985fd99f388e3098521213067f8fc

    SHA512

    0837b304139699b41609a9c1c17bdcce05c5cee40eb409e729990f9771a2e9fd1f98c7abeeed97111cbd0f8cfed63ae99ee486ffb4f78778671595c965483ea9

    Download Submit

  • C:\Windows\{C6B774C6-FDF0-4a65-8ECF-42377FA70546}.exe
    Filesize

    89KB

    MD5

    eae61ab3642274e90ecd5d8a5430d12e

    SHA1

    c1b1bbf4eebf6e6a8a31d3eb9d8a029bd80e5749

    SHA256

    70608858542baebf3c029a2e4376fe82d3390eb19532b3e40ca9254b90762948

    SHA512

    b54b617bf321bf82f7ecfdc424f297f7095b9f2bfb18024f0d586863819635c94df1bcd89b847792b2cccc65018520481aaa8ab6ea8d0e9e2970fa4d04250602

    Download Submit

  • C:\Windows\{DBFA3FF8-7B96-4a54-BFC5-06239A66D27A}.exe
    Filesize

    89KB

    MD5

    b700fe4d827e7076e0371d2179210708

    SHA1

    3892f5416d0edffbd9449d6cd988625280fe32f6

    SHA256

    716e02d707b5b41492b0dc5649f48322ee4e508854d3c59c6baa55664dde5b4e

    SHA512

    30bdba1936b295c19fcbb22407cae7bc47f0464df4a449319e65266548b16582105b97fb309d71d97cdb150b8b476e240591226434427d6f41821345a29426c9

    Download Submit

  • C:\Windows\{E9027B06-9BD9-43a2-891D-6310AD572E20}.exe
    Filesize

    89KB

    MD5

    f2fa4749abe4d37ed3a027dced37f84d

    SHA1

    757727cc749d9a9c9fd0f88ce42248633353f7eb

    SHA256

    f6e1042978aa0c2853e1b72a15cfdd0f29af7e855999e9300a4ab0dd65cf935e

    SHA512

    62975becc9838e496f453b58518d255a1d4852b62ae896385676e85e89a7938c829ed78474f87c8412ba1f8aacfc49ce43d48a648d338ee18c270ef7e0abede1

    Download Submit

  • memory/216-49-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/216-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/368-38-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/368-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/720-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/720-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/720-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/884-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/884-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2296-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2296-20-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2296-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3168-50-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3168-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3568-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3568-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4252-37-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4252-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4396-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4396-26-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4800-55-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download