Analysis

  • max time kernel: 119s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 05-10-2024 08:39

General

  • Target: 11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
  • Size: 90KB
  • MD5: a33799b4413ca558fefbd2815dd58d70
  • SHA1: 4254fbb8eae91c7be70323de60a0bd32023d54b4
  • SHA256: 11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53
  • SHA512: 2a82fee977e72c4040ae93c0dd75c71fc6e5caa32d853179b270b45ed3c168fd180b6dfdeacba999046735fac2beb105b8b7daf4346a06cb9cfadb52e26aca9d
  • SSDEEP: 768:Qvw9816vhKQLroY4/wQRNrfrunMxVFA3b7glw:YEGh0oYl2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Deletes itself (1 IoC)
  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)
    Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
    "C:\Users\Admin\AppData\Local\Temp\11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
      C:\Windows\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\{417BB369-D487-4c1d-B850-3594AF455133}.exe
        C:\Windows\{417BB369-D487-4c1d-B850-3594AF455133}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
          C:\Windows\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
            C:\Windows\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2212
            • C:\Windows\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
              C:\Windows\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2460
              • C:\Windows\{F30FE819-C287-4217-8489-BE0796D735E8}.exe
                C:\Windows\{F30FE819-C287-4217-8489-BE0796D735E8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1508
                • C:\Windows\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
                  C:\Windows\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2452
                  • C:\Windows\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
                    C:\Windows\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2720
                    • C:\Windows\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe
                      C:\Windows\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2184
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0119B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3000
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EEB25~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1308
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F30FE~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2148
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{177AC~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1992
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{72E53~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2080
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6A1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{417BB~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4A1D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11CC40~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
    Filesize: 90KB
    MD5: 7d626cf2ce8ae026397bc0a80e2bbb5c
    SHA1: a1ddfb520b6b29cbf2465be5f9514f4518fa62e4
    SHA256: b715e43aeb664a32529c18e3e94b335898d723489ff7de295964e24690bb4e9a
    SHA512: 80ff66ecb5c0a130f53e962044e67f977202c7b78556565fe3080471a964f68ba0057321cbe8d8897342580d3285ccf355cb84254fa0a22f95b28786b9edd548

  • C:\Windows\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
    Filesize: 90KB
    MD5: dffff7ab20811d338c78c102d88a376e
    SHA1: d93aeca9335c72050dadded833a872ecc74cbf42
    SHA256: bc6aed0b624c72c0340b4c553bc558c8c878e14ad3239d9421ab595f8282bec3
    SHA512: 74d5c284987967119a61cda2cc7f0fdb94379ffa53836c05ee767c3e86d63e08e3a5b38aaaf98d74ff050084f58326a4b63022a20a5b7e00d736f19a2d379a06

  • C:\Windows\{417BB369-D487-4c1d-B850-3594AF455133}.exe
    Filesize: 90KB
    MD5: 06729bf2808be92511de144806c6b944
    SHA1: be9ab5f28030bca90576f18093246ac1aede9732
    SHA256: 7bfe443e9086464ddbf08b6575f9081fb393313c99d50f839462520fb831a026
    SHA512: dbaec5336cad5b874f33ef1fd21378d027f1e1af3b2b3b531e722183cf847c1320291709aa4e7d9c947d84983040ea5bfeb0b0f179edc6b408d5ae1ccd1d45ee

  • C:\Windows\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe
    Filesize: 90KB
    MD5: c4c9849678c41b78cfe71f97ceb2f2f3
    SHA1: 708d670f0ed1d94c3175d907528a8905d2e95b0a
    SHA256: e66b114667eae13799da43cd40d98bac1edebc6a39c6eaf8c94006bd752ee823
    SHA512: 526f9b9d6dc4d04da8f5bcd6b8ae0e521d4eb592a21426e7575739f08c6b3335dcdf44e2fcbab92701810840bf75657301e05dd427c93df8265268f04a51c28d

  • C:\Windows\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
    Filesize: 90KB
    MD5: 15ab301e0b8d56f95139a14de7667a7a
    SHA1: e775e6f84cc5dc90dc17fde6ce638569e2dd7209
    SHA256: 9f7962dafce56f61bfcdd943d717acb7d92f0c4b6d07cf1b1aec842a489e9fbb
    SHA512: 32121cf0f78426157a098677b97976388dd5bc771f256edfc21ac75ed6f3f4177a5d44609a562b6d07321fa7ec31e9e1093ef6764552636c13b2bae2487d2a74

  • C:\Windows\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
    Filesize: 90KB
    MD5: 7411e3269e22feda04e83b8bd299dc49
    SHA1: fc80e8c6fc3d817e71be1a850157ad8b3418ccc1
    SHA256: 8aa5bac0e90a493d6f562955417fd6929217da27898c0c4661125515632491ff
    SHA512: 788e5324da12f032c219b7bccf41c787bb357b8941310f11efad6b6eb89cbd4ca68526c5f80a0292366ae85fb14a7e7e2492503ba1f07ab22b5e5dd1f1cf524b

  • C:\Windows\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
    Filesize: 90KB
    MD5: 64d251d498ff2a4c50ab737c2a7d7fde
    SHA1: d3f258d60eb5fa62975f15de4217265c13054c9d
    SHA256: 78453f3f65272fbffe5c6b7e052f5976d10f24363e07cb6b9f413d2d15e819e9
    SHA512: 950a1a53e69bb0a6067b7306f096684c33c8658b1970682c5dc572e11c75885ccdb5733bf0fee0e668463c89a9e4298073a875518cff2c55f29a78956ac79773

  • C:\Windows\{F30FE819-C287-4217-8489-BE0796D735E8}.exe
    Filesize: 90KB
    MD5: 8d74b99bc1c92a641bd9f82c388a240e
    SHA1: 016c5699274a99f3ba656862c8ec2b951eda69f5
    SHA256: d3e169f860e4aae3252df3a97bd2d185bdcb3e67f00a297f9272765519c0b42e
    SHA512: c8891e7546b5ba95fc8dabb3aa95dac6fa0b831127e9756733d43442d6f2c3eb7d69acde19f04bca44220cd502cdec48962c685af0a014e0c87e923023c3da8a

  • C:\Windows\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
    Filesize: 90KB
    MD5: 5796e0029fe9d3ec099061f450429e8a
    SHA1: e4910384fb24650ca4a90ff5fa09da50a8b2351a
    SHA256: c2fdd15b45d7e178ed7965f1293210e4408e05d29a9593a0473921e7fdb5c9a7
    SHA512: aa03e98866e2ce95570cb31a5b310c257e76a114641c2349b48f3425b2845ddf9355925287b06c3e34f025974011df9004d7cba3cf352b0488a9ef4b005e29f0