Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2024, 20:49

General

  • Target

    46803e966d397456fdb5a44df154004e5388ab3f7843fc8bceffc0b06721123dN.exe

  • Size

    60KB

  • MD5

    9e4c3e23b2abbd529173c1abb64cfa30

  • SHA1

    0e663f3dd90b46f5351edd2a859531d8a19e474b

  • SHA256

    46803e966d397456fdb5a44df154004e5388ab3f7843fc8bceffc0b06721123d

  • SHA512

    4032bf27b23fd1ee833b015a8e36a33f2ff5966effdec72a9a8d41b5e710364634ccd272d9e1221295c9bf261c36bb266059c03f16112e09a5df093384af97cd

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroBSKT4/CFsrd:vvw9816vhKQLroBN4/wQ

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\46803e966d397456fdb5a44df154004e5388ab3f7843fc8bceffc0b06721123dN.exe
    "C:\Users\Admin\AppData\Local\Temp\46803e966d397456fdb5a44df154004e5388ab3f7843fc8bceffc0b06721123dN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\{BF009984-EA4F-4e54-A7AA-B568FD85BE1F}.exe
      C:\Windows\{BF009984-EA4F-4e54-A7AA-B568FD85BE1F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\{E9AE4401-755C-435d-A977-EAB1A7382024}.exe
        C:\Windows\{E9AE4401-755C-435d-A977-EAB1A7382024}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\{E922862C-5411-471d-895C-640159FD2772}.exe
          C:\Windows\{E922862C-5411-471d-895C-640159FD2772}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2700
          • C:\Windows\{729C707E-B33B-4ff5-AC8F-E377FADC2454}.exe
            C:\Windows\{729C707E-B33B-4ff5-AC8F-E377FADC2454}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Windows\{87BB2E58-4234-40ef-A1ED-18499E735664}.exe
              C:\Windows\{87BB2E58-4234-40ef-A1ED-18499E735664}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2936
              • C:\Windows\{81497DEF-0847-425c-B23B-1748A1139697}.exe
                C:\Windows\{81497DEF-0847-425c-B23B-1748A1139697}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2520
                • C:\Windows\{5C39FA7F-CBFF-45be-98EE-D271C3CCAC2C}.exe
                  C:\Windows\{5C39FA7F-CBFF-45be-98EE-D271C3CCAC2C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2044
                  • C:\Windows\{D9DDDD3E-09F2-46d7-86C4-CB3895AF338E}.exe
                    C:\Windows\{D9DDDD3E-09F2-46d7-86C4-CB3895AF338E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2932
                    • C:\Windows\{F8779B32-014D-4743-AE93-FBA53F179435}.exe
                      C:\Windows\{F8779B32-014D-4743-AE93-FBA53F179435}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1852
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D9DDD~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1840
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5C39F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3060
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{81497~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2960
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{87BB2~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1692
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{729C7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1708
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E9228~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E9AE4~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF009~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\46803E~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2352
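The tree above is a fixed pattern: each stage writes a fresh {GUID}.exe into C:\Windows, launches it, and then spawns cmd.exe to delete its own image by 8.3 short name ({D9DDD~1.EXE is the short form of {D9DDDD3E-...}.exe). Two details matter for detection. First, every one of the nine dropped files is 60KB but carries a different hash (see Downloads), so the MD5/SHA256 values below identify this run only; the behaviour, not the hash, is the durable indicator. Second, the image path of each cleanup process is C:\Windows\SysWOW64\cmd.exe while its command line says system32\cmd.exe: the stages are 32-bit (resource tag arch:x86), so WoW64 file system redirection resolves the path. Rules keyed on the literal string "system32\cmd.exe" in the image field would miss it.

The following is an added example, not part of the sandbox report, that encodes these observations as detection logic over a constructed, Sysmon-like event list modelled on the first stages of the tree. The field names, the 8.3 approximation (always "~1", i.e. no collision) and the Active Setup StubPath registry event are assumptions; the report states that Active Setup is used for persistence but does not show the key.

```python
"""Detection logic for the GUID-chain dropper behaviour in the process tree.

Added example, not sandbox output. Events are constructed and Sysmon-like;
field names and the Active Setup registry event are assumptions.
"""
import re
from collections import Counter

# Executable with a raw {GUID} filename dropped directly into C:\Windows
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <file> > nul": the cleanup command used by every stage
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)
# Active Setup persistence key (assumed path): ...\Installed Components\{GUID}\StubPath
ACTIVE_SETUP = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\(\{[^}]+\})\\StubPath$", re.I)


def short_name_83(filename):
    """Approximate the 8.3 short name Windows generates for a long filename.

    Assumes no collision, so the tail is always ~1 (as in the report:
    {D9DDDD3E-...}.exe -> {D9DDD~1.EXE). A real volume may hand out ~2, ~3, ...
    """
    base, sep, ext = filename.rpartition(".")
    if not sep:
        base, ext = filename, ""
    base = re.sub(r"[\s.]", "", base)
    short = f"{base[:6].upper()}~1"
    return f"{short}.{ext[:3].upper()}" if ext else short


def analyze(events):
    """Return (rule, pid, detail) findings for the behaviours seen in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            if GUID_EXE.match(e["image"]):
                findings.append(("guid_exe_in_windows", e["pid"], e["image"]))
            m = DEL_CMD.search(e.get("cmdline", ""))
            parent = procs.get(e["ppid"])
            if m and parent:
                # Tie the 8.3 name in the del command back to the parent's own
                # image; if they agree, the parent is erasing itself via cmd.exe.
                target = m.group("target")
                parent_short = short_name_83(parent["image"].rsplit("\\", 1)[-1])
                if parent_short == target.rsplit("\\", 1)[-1].upper():
                    findings.append(("parent_self_delete_via_cmd", e["ppid"], target))
        elif e["type"] == "registry":
            m = ACTIVE_SETUP.search(e["key"])
            if m:
                findings.append(("active_setup_stubpath", e["pid"], f"{m.group(1)} -> {e['value']}"))
    return findings


def chain_depth(events):
    """Longest parent->child run of GUID-named executables (the report shows 9)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    best = 0
    for e in procs.values():
        depth, cur = 0, e
        while cur is not None and GUID_EXE.match(cur["image"]):
            depth += 1
            cur = procs.get(cur["ppid"])
        best = max(best, depth)
    return best


def rule_counts(events):
    """Findings per rule: a compact triage summary."""
    return dict(Counter(rule for rule, _, _ in analyze(events)))


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WIN = r"C:\Windows"


def proc(pid, ppid, image, cmdline=None):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline if cmdline is not None else f'"{image}"'}


# Constructed sample: the first three dropped stages and their cleanup commands.
# Image is SysWOW64\cmd.exe although the command line says system32: the
# 32-bit stages are subject to WoW64 file system redirection.
SAMPLE_EVENTS = [
    proc(1080, 900, rf"{TEMP}\46803e966d397456fdb5a44df154004e5388ab3f7843fc8bceffc0b06721123dN.exe"),
    proc(2584, 1080, rf"{WIN}\{{BF009984-EA4F-4e54-A7AA-B568FD85BE1F}}.exe"),
    proc(2816, 2584, rf"{WIN}\{{E9AE4401-755C-435d-A977-EAB1A7382024}}.exe"),
    proc(2700, 2816, rf"{WIN}\{{E922862C-5411-471d-895C-640159FD2772}}.exe"),
    proc(2352, 1080, rf"{WIN}\SysWOW64\cmd.exe",
         rf"{WIN}\system32\cmd.exe /c del {TEMP}\46803E~1.EXE > nul"),
    proc(828, 2584, rf"{WIN}\SysWOW64\cmd.exe",
         rf"{WIN}\system32\cmd.exe /c del {WIN}\{{BF009~1.EXE > nul"),
    proc(2836, 2816, rf"{WIN}\SysWOW64\cmd.exe",
         rf"{WIN}\system32\cmd.exe /c del {WIN}\{{E9AE4~1.EXE > nul"),
    {"type": "registry", "pid": 2584,  # assumed StubPath write by stage 2
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
            r"\{BF009984-EA4F-4e54-A7AA-B568FD85BE1F}\StubPath",
     "value": rf"{WIN}\{{BF009984-EA4F-4e54-A7AA-B568FD85BE1F}}.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
    print("GUID-exe chain depth:", chain_depth(SAMPLE_EVENTS))
```

On the sample the GUID rule fires three times, the self-deletion rule fires for the submitted sample and for stages 2 and 3 (the sandbox tags only the first of these as "Deletes itself", but structurally every stage does it), and the chain depth is 3; run against the full tree it would reach 9. The short-name correlation is what lets a single cmd.exe event be attributed to a specific dropped file rather than generating a generic "cmd /c del" alert.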

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{5C39FA7F-CBFF-45be-98EE-D271C3CCAC2C}.exe

    Filesize

    60KB

    MD5

    9043ed46b4b2ba533eff0bf726ee4e13

    SHA1

    a118258fea6951f1b37b55fab0dce4618aa26efd

    SHA256

    6d64420192d73ac1f334ad16d5e0a2f385f4d0c564e92e4e172ff4c44601a9ed

    SHA512

    7ad29a10bf490e53b0681b8bca11d7893b041e73d086f33611b5fbe096b04db557775f268bdb8cdd533ddd78889f1010636fc05b4bd93c6c074d10e2d625f783

  • C:\Windows\{729C707E-B33B-4ff5-AC8F-E377FADC2454}.exe

    Filesize

    60KB

    MD5

    1a9e682005a51376834c0b69da10fc92

    SHA1

    cbfc1d5cdd6650620f1c8cc5f3d243a4c025c811

    SHA256

    9d8cbef5f9594487669d4a6cc9f4eb6bb6f1ce77486c6a9d3f2e464b39ae6800

    SHA512

    fe99d640394bc3d863b44ffceeb57f3e491d5ecae84d0e8c2832728e4df5ba58a557ee63fa53984c4a5cc9d18dbd133f37f52698ce8542ea6da7017963787594

  • C:\Windows\{81497DEF-0847-425c-B23B-1748A1139697}.exe

    Filesize

    60KB

    MD5

    c2c44bd9959094c8b6d5f6ac91174327

    SHA1

    62e557a084903c75723af96cbba5fe3e204e9a53

    SHA256

    508b19dfca94a9eb2c4d2b5b20b65ef14337ad6a9b0b26be545e5cf8b3b7b613

    SHA512

    8f371a353b2185abd99eac398203ae5a1c523db9de12509890506846d6b0938207b6664497e10215445accc7f52113a0af1ae6ff17b150228ddce5f8102e64c7

  • C:\Windows\{87BB2E58-4234-40ef-A1ED-18499E735664}.exe

    Filesize

    60KB

    MD5

    6c0c2d4aa5789236de32a0cb7c513297

    SHA1

    2b3f517e94dbe96c27b556d8907793384151044e

    SHA256

    fe94cd3b008e2f9c035d7e56b8f67146a1b39cd2aa00255c8868134bd6525b58

    SHA512

    ac5d4bd7654655f2f6cb22709d83c637fcbc08e3c6c38b6a5ec804043417812af45dddc4a3a3fd9f1c27468437d2e6c2cb5ac31782fe067ce2144c5f0286dd89

  • C:\Windows\{BF009984-EA4F-4e54-A7AA-B568FD85BE1F}.exe

    Filesize

    60KB

    MD5

    eb757201856c319716f4dfec017c20bb

    SHA1

    ab90d69dc1638d3b7c0b242aee6eb4bd475e75e1

    SHA256

    4025dbd8620d316b1602cceb157b4b79c3c664e5f526565480ab5064ec395f30

    SHA512

    5c41e1887a41a6b78203b238b10435651aa2a1ed477793711598e25a465ca43c99800004f5a56f493ad29ade85ecd0ecd332032edda491100df94187c21c1094

  • C:\Windows\{D9DDDD3E-09F2-46d7-86C4-CB3895AF338E}.exe

    Filesize

    60KB

    MD5

    69a8cc54e2199b47314769f59fdf8afe

    SHA1

    9797ae1e8b4a6ba66e519306c936991aca852608

    SHA256

    76f220a3f603e9503f47e42e55de6ecdaef727a6f54724944787d63c7427b32f

    SHA512

    32f1d681a29dbe7c425eae6a2bc7a71e86e3a5874f3d1ce1f1945ace0dd21d1bd4ff90482ed8bf0d8f76e15d2a2584c682783cbce787bfd689a3cfff579dbda2

  • C:\Windows\{E922862C-5411-471d-895C-640159FD2772}.exe

    Filesize

    60KB

    MD5

    e4ab1b0507504db863eb13f4b9d39c64

    SHA1

    3c68f7767454cef332b134be88541951ee4386a4

    SHA256

    a0fb2c3ef409c95865ca025d80d6ac10db19422ecc35fc81953d096dff6298aa

    SHA512

    ae6aa0a32f9da66bdcb2d71a1e45276d983c06aac139fcfb71d268942880135b60e8a06988fb4fc72bb7ed450687e169152399d5e9159f37dee1190645b5c1b0

  • C:\Windows\{E9AE4401-755C-435d-A977-EAB1A7382024}.exe

    Filesize

    60KB

    MD5

    f5c5a7694083989d9fb260712487e8f6

    SHA1

    6ad97f3d512da6ef4446ebca3b93a81e7eb9678e

    SHA256

    f149bc842001c23db12732f2ce0de0a949b3535b9185a50265023d99dad160ad

    SHA512

    db7fa6db95738ddbd3e935c4691c7e922884df3f5bd8481fd6cb5e24e1caa375cf799fb778ef9dce10b24d174784a5d21cc634e7a7d94110f7b5ebc9a4836123

  • C:\Windows\{F8779B32-014D-4743-AE93-FBA53F179435}.exe

    Filesize

    60KB

    MD5

    3faa1549de4969b7ebc95858e9436615

    SHA1

    5af94817948a5b833d679a4daf3df0122efc33fd

    SHA256

    e4c383907c32efb833b33d31ba0ba1d505cce98ec90a5528970262e304b761c6

    SHA512

    3d1704592a139297d542f801f8dcb5f46da41540ddbd4342f61563df90fbdfce0a1947db2765754945f6d8eb6560f0a977eb1f573a1050f74c81242c996f827c