Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 02:16

General

  • Target

    089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe

  • Size

    90KB

  • MD5

    036af28a3626935da0c91c6fb5330de0

  • SHA1

    0592ebfd56003f59065eea1b10087021188c5447

  • SHA256

    089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71ceb

  • SHA512

    05feaec791bb54c847dd41d8501db632ff8d859dfb25e7655208f95336d5083aae75a0b28004ca385e5226aac12b2b7c82abba732d8c6e5c6172adfe88cfe7bc

  • SSDEEP

    768:Qvw9816vhKQLroL4/wQRNrfrunMxVFA3b7glws:YEGh0oLl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
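
The Active Setup signature above refers to the HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} keys: Windows runs a component's StubPath at each user's next logon when HKCU has no entry with the same Version, and IsInstalled = 0 disables it. The report does not show which component key this sample writes, so the following is an added, general triage script rather than a rule for this exact sample: it parses a `reg query ... /s` text dump (constructed sample embedded below; the component GUIDs and StubPath values in it are assumptions) and flags StubPaths that point at a GUID-named executable directly in the Windows directory, the naming pattern of every file this sample drops, or at a user-writable Temp/AppData path.

```python
r"""Triage Active Setup persistence entries from a text dump of the key.

Added example, not part of the sandbox report. SAMPLE_REG_DUMP is a
constructed sample in the format printed by
    reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s
where each component subkey line is followed by indented
"Name    Type    Value" lines. The GUIDs and StubPath values are
assumptions, not values recovered from this sample.
"""
import re

# Shape of every file dropped in this report: C:\Windows\{GUID}.exe
GUID_EXE_IN_WINDOWS_ROOT = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.IGNORECASE)

SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
    (Default)    REG_SZ    Windows Desktop Update
    StubPath     REG_SZ    %SystemRoot%\system32\regsvr32.exe /s /n /i:U shell32.dll
    Version      REG_SZ    5,0,3,2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}
    StubPath     REG_SZ    C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A1B2C3D-0000-4000-8000-00000000BEEF}
    IsInstalled  REG_DWORD    0x0
    StubPath     REG_SZ    "C:\Users\Admin\AppData\Local\Temp\updater.exe" /quiet
"""


def parse_reg_dump(text):
    """Return [(subkey, {value_name: data})] from a `reg query /s` dump."""
    entries, current, values = [], None, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = a key path
            if current is not None:
                entries.append((current, values))
            current, values = line.strip(), {}
        else:                                  # "Name    Type    Data"
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                name, _type, data = parts
                values[name] = data
    if current is not None:
        entries.append((current, values))
    return entries


def executable_of(stub_path):
    """First token of a command line: the quoted path, or the first word."""
    s = stub_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0]


def triage_active_setup(text):
    """Flag StubPaths whose executable lives where no installer puts one."""
    findings = []
    for key, values in parse_reg_dump(text):
        stub = values.get("StubPath")
        if not stub:
            continue                           # nothing runs at logon
        exe = executable_of(stub)
        reasons = []
        if GUID_EXE_IN_WINDOWS_ROOT.match(exe):
            reasons.append("GUID-named executable directly in the Windows directory")
        if "\\temp\\" in exe.lower() or "\\appdata\\" in exe.lower():
            reasons.append("executable under a user-writable Temp/AppData path")
        if reasons:
            # IsInstalled = 0 means the StubPath is currently disabled
            active = values.get("IsInstalled", "0x1").lower() not in ("0x0", "0")
            findings.append({"key": key, "stub_path": stub,
                             "active": active, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_active_setup(SAMPLE_REG_DUMP):
        state = "ACTIVE" if f["active"] else "disabled"
        print(f"[{state}] {f['key']}\n    {f['stub_path']}\n    {'; '.join(f['reasons'])}")
```

On a live host, feed it the real dump (`reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s > dump.txt`, and the Wow6432Node copy on 64-bit systems, since this sample is 32-bit); clearing the StubPath or setting IsInstalled to 0 stops the logon execution, but the dropped executable must be removed as well.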

Processes

  • C:\Users\Admin\AppData\Local\Temp\089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
    "C:\Users\Admin\AppData\Local\Temp\089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
      C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
        C:\Windows\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
          C:\Windows\{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
            C:\Windows\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
              C:\Windows\{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2268
              • C:\Windows\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe
                C:\Windows\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2012
                • C:\Windows\{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
                  C:\Windows\{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2928
                  • C:\Windows\{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
                    C:\Windows\{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1428
                    • C:\Windows\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe
                      C:\Windows\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:480
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{CADBD~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2164
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1546F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2152
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3714C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2356
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C6F87~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2196
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C24EE~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:632
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{95057~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DD227~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47E4A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2600
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\089DEA~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1684
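
Two details of the tree above matter for detection. First, each stage drops the next stage as C:\Windows\{GUID}.exe, runs it, and then spawns cmd.exe to delete its own image through its 8.3 short name (`{47E4A~1.EXE`), so the "Deletes itself" IoC appears on the child cmd.exe rather than on the stage that is actually removing itself. Second, every cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe: the stages are 32-bit (the resource tags list arch:x86) and WoW64 file-system redirection substitutes the 32-bit binary, so a rule keyed on the system32 image path misses these. Note also from the Downloads section that all nine dropped stages are 90KB yet have distinct hashes, so hash-based blocking of one stage does nothing for the next. The following added script (not part of the report) reconstructs the chain from process-creation events and flags both behaviours; EVENTS is a constructed excerpt of the tree above, using Sysmon Event ID 1 field names as an assumption about the telemetry format.

```python
r"""Reconstruct a drop-and-self-delete chain from process-creation events.

Added example, not part of the sandbox report. EVENTS is a constructed
excerpt of this report's process tree (PIDs, image paths and command
lines as shown there) with Sysmon Event ID 1 field names; the field
names are an assumption, map them to your own telemetry.
"""
import re

# C:\Windows\{GUID}.exe, the naming pattern of every stage in this report
GUID_EXE = re.compile(r"^[a-z]:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.I)
# cmd.exe /c del <path> [> nul], quoted or unquoted path
CMD_DEL = re.compile(
    r'cmd\.exe\s+/c\s+del\s+"?(?P<path>[^"\s>]+)"?(?:\s*>\s*nul)?', re.I)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe"
STAGE1 = r"C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe"
STAGE2 = r"C:\Windows\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"     # image actually executed under WoW64
SYS32CMD = r"C:\Windows\system32\cmd.exe"  # what the command line claims


def ev(pid, ppid, image, cmdline=None):
    return {"ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline or image}


EVENTS = [  # constructed from the first three levels of the tree above
    ev(812, None, DROPPER),                # parent PID is not shown in the report
    ev(2500, 812, STAGE1),
    ev(1684, 812, CMD32, SYS32CMD + r" /c del C:\Users\Admin\AppData\Local\Temp\089DEA~1.EXE > nul"),
    ev(2856, 2500, STAGE2),
    ev(2600, 2500, CMD32, SYS32CMD + r" /c del C:\Windows\{47E4A~1.EXE > nul"),
    ev(2800, 2856, CMD32, SYS32CMD + r" /c del C:\Windows\{DD227~1.EXE > nul"),
]


def short_name_matches(short_path, long_path):
    """Heuristic 8.3 match: same directory and extension, and the long name
    starts with the stem before '~N'. Windows switches to hash-based short
    names after enough collisions and strips some characters, so treat a
    negative result as 'unknown', not 'no'."""
    sdir, _, sname = short_path.rpartition("\\")
    ldir, _, lname = long_path.rpartition("\\")
    if sdir.lower() != ldir.lower():
        return False
    m = re.match(r"^(.+?)~\d+(\.[^.]*)?$", sname, re.I)
    if not m:
        return sname.lower() == lname.lower()
    stem, ext = m.group(1).lower(), (m.group(2) or "").lower()
    return lname.lower().startswith(stem) and lname.lower().endswith(ext)


def index_by_pid(events):
    return {e["ProcessId"]: e for e in events}


def ancestry(by_pid, pid):
    """Images from the root of the tree down to pid, for reporting."""
    path = []
    while pid in by_pid:
        path.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return path[::-1]


def analyze(events):
    """Return a list of (kind, pid, detail) findings over the events."""
    by_pid = index_by_pid(events)
    findings = []
    for e in events:
        image, cmdline = e["Image"], e["CommandLine"]
        parent = by_pid.get(e["ParentProcessId"])
        if GUID_EXE.match(image):
            findings.append(("guid_exe_in_windows_root", e["ProcessId"],
                             "spawned by " + (parent["Image"] if parent else "?")))
        if image.lower().endswith("\\cmd.exe"):
            m = CMD_DEL.search(cmdline)
            if m:
                target = m.group("path")
                if parent and short_name_matches(target, parent["Image"]):
                    # attribute the self-deletion to the parent, not to cmd.exe
                    findings.append(("self_delete_via_cmd", parent["ProcessId"],
                                     parent["Image"]))
                else:
                    findings.append(("cmd_delete", e["ProcessId"], target))
            if "\\syswow64\\" in image.lower() and "system32\\cmd.exe" in cmdline.lower():
                findings.append(("wow64_redirected_cmd", e["ProcessId"], image))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyze(EVENTS):
        print(f"{kind:26} pid={pid:<5} {detail}")
    print(" -> ".join(ancestry(index_by_pid(EVENTS), 2856)))
```

Matching the deletion target against the parent's own image is what turns nine individually unremarkable `del` commands into one "stage deletes itself" finding per generation; matching on the full 8.3 path rather than the `~1` alone avoids flagging legitimate installers that clean up other short-named files.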

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe

    Filesize

    90KB

    MD5

    95ae1092503a1a3af1446652ba61ef4c

    SHA1

    91605d32eace7be360bc1871c23c7d71e5e4ee34

    SHA256

    573a1a0c09bb59c609df5a1c32b9d9c8cf159a0c36ce835ae5bc1c177e869eae

    SHA512

    f40c215034da596a4585b33d4f7fbb6e35e863991cf3686f1eb52dcb8df84c0cfbef14d061da4f32da787726f9a52e438dda473cd3adcb6df0cad4e4c06c35f4

  • C:\Windows\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe

    Filesize

    90KB

    MD5

    162dff49e69cce835b9b9732c03b5303

    SHA1

    27be131dcbe3afb6f85fce02cd8d8fc2eeb4678e

    SHA256

    950e8abc252ac5a20dfb1ec5588eeb91d6c776cbff56bd13f410f06791646009

    SHA512

    f3421906c3d43e0c5de4906f58672af7ba781aa522e8b0fa1a3c72fecd9f7fd852256c9a6ade6783e8732a228fcece4c21cb1247fe0086e7dc893a85716af0b1

  • C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe

    Filesize

    90KB

    MD5

    4f14d5261473c577b99231f1ae567252

    SHA1

    bf3ba43e918da1501b33c6fa3ddedc0d90184b2e

    SHA256

    f91ec6bddd6ac214fee0eb7a94d528ca892cce74e7e3082f41853c33616580af

    SHA512

    bef63f6376d170ceccaca4d957e74a17880db3cadfc57a96ba916b1fd0dc82b73fcf97fbfd85346e9cf882a2f434f2c5f288e11d1517d2d2c3739362a1a30b3a

  • C:\Windows\{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe

    Filesize

    90KB

    MD5

    e7dca4d121f81694a0089c88744d972c

    SHA1

    702b48e00aa7095040cc5de11617b9c0508c1d30

    SHA256

    5ba35c0072180eeecfe5e164f1f1ad9f3b701208a8b512d7e2dd8c077b0772bd

    SHA512

    51b4a8117c40f4898478a95055fbf147a1554d9e6bdce4bc4d4c3b25ea739e97b4a67207ffa91626398ebb562b2bd370b00c8ed570c8b6682cebe364b24001bd

  • C:\Windows\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe

    Filesize

    90KB

    MD5

    03d7cfe7f37ac5b2b5ab24961df56209

    SHA1

    4cde407bc6afc64c797a3e0387165c885fb3c207

    SHA256

    9a060cd55311a505dd31645a91e90366f00d7442a41a74c7a14e5408534ec4bd

    SHA512

    617093ca9bff518b410926c9cefb27618605c0104bc8d0245cd54629c65ff3ea545fb2f6d40ca078f007e55445ee002927594aa83bbeccb0e8eb89b6e372fe24

  • C:\Windows\{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe

    Filesize

    90KB

    MD5

    e1eed4ab20564de6eae72d6e3a21e909

    SHA1

    887baffa77d56a9ef03f803777d9fc9c473a9b11

    SHA256

    018706579adfefc1315598874be8618320a7b22344f9a4b8b0cc4f5ac8ba0b5e

    SHA512

    54401d0573ba981827a77df76820ea3854af70becdbc33c2c32eca56c00ca5f2bd53bf2e5a62ccb84c373664b849fc2424d71f11036ab0db0ef4e1f699c21b0b

  • C:\Windows\{CADBD600-7966-4478-B794-B8B1AF985B89}.exe

    Filesize

    90KB

    MD5

    43153ee060818ca5dcea9a08499c8730

    SHA1

    d62abf2505cf1d88f4e64ed35fe302facd60104a

    SHA256

    0eba6aa23e61526ffaafd8718f24012811ee22e72529d75deaf97c78ca3d37e0

    SHA512

    598dce636c0a73487583661df7616d5164a70ebcf53ce29c29a762597a749e607adf782eb88ab101a04721f44c55d69949a6c6f80dbb7d714459a6a3b694e41d

  • C:\Windows\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe

    Filesize

    90KB

    MD5

    c17b1f1c3b359a9d02be90a3113e67ab

    SHA1

    efc41b605b12ad73d37e949be14e0e579388572a

    SHA256

    fa32cc3240f1029187814a2eed8d8d61724fef35ed60a77c836cdd3a5209a894

    SHA512

    19a176cec8a283d3df5c3249527f366cec4b395b72b6db409a95d7928b8e9ad4c3ad432a5a1ee70075fb08f6409743094d22e90f7e187283e2e62b68eead4276

  • C:\Windows\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe

    Filesize

    90KB

    MD5

    3219c7b42299827288c4f7966beea5fb

    SHA1

    efedcb152b26760f1632b89522a2f4e936ad62f7

    SHA256

    53547ae7e517dcc14d5a777840b2a3ee0ca30750e0a83953bd7ada5f2635859b

    SHA512

    e5c7b3cde2391a3529ae9b6fb6ea373e763dc003c65a4926d7a874b29bb1d192e20ba1166da9864a3f27e5e687a1301eebd59ce2a9f8dd8d52ff25ab5f0331cb