Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 04:38

General

  • Target

    9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe

  • Size

    88KB

  • MD5

    b381cdb0ea1410e3fafc78ee82b34ae0

  • SHA1

    1643547a70af842cc1e99f2fdfd003fedaa958bc

  • SHA256

    9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8

  • SHA512

    fcf53fc43f82c5e57177d5f3848d144c45e43beab869b0aa2961dca4099dccb75114f91bd463f44c088fe2dcdaca38b2bba573467fcab30a7394fda4dc0cfb5a

  • SSDEEP

    768:5vw9816thKQLro04/wQkNrfrunMxVFA3V:lEG/0o0lbunMxVS3V

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
    "C:\Users\Admin\AppData\Local\Temp\9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
      C:\Windows\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\{A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
        C:\Windows\{A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\{2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
          C:\Windows\{2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
            C:\Windows\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2684
            • C:\Windows\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
              C:\Windows\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1140
              • C:\Windows\{5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
                C:\Windows\{5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2036
                • C:\Windows\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
                  C:\Windows\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2120
                  • C:\Windows\{919286E1-8664-4268-90A9-D8037D365B36}.exe
                    C:\Windows\{919286E1-8664-4268-90A9-D8037D365B36}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2968
                    • C:\Windows\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe
                      C:\Windows\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2184
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{91928~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2992
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0EF~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2708
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5E5A9~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1256
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{798AF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2860
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2470F~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1480
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{2973A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A0FB6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8AD9~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9EA1EB~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2180

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe

          Filesize

          88KB

          MD5

          191aae5ed44ce19d1b03bbb30cf1b4bf

          SHA1

          d5480e034805992e86e2e5adb72b06d75589909d

          SHA256

          28364b88d47c72664ad0117700cefdddb43bd69b8e406e8cb14a53222f86bafa

          SHA512

          0c341b90d585e356d647de825c0d3c6e7cd3dc887d9a69a046f1618565f5a64faa3c5a59afe4a19723ab1cf59d9316178d0397cccf37dac2d6e130583e4e8cbb

        • C:\Windows\{2973A795-5857-4fd4-A04B-C7AC5589982C}.exe

          Filesize

          88KB

          MD5

          0ceed3904a758cefa8dcc61ff3981e79

          SHA1

          d6561fc129d21c582364f9b3df15eb11d2013fa6

          SHA256

          b1671545147b195009a0d52c7975b53e40c6c5ef9b7564f2bfb873f2cb306dd4

          SHA512

          ad32d0913efd8db8407f2f450ef3395cdafe96e52863dc16c98e8217de5ceab746f10cdd4c71b546c6bae6d1f4b29afb0aeaad8d865954496dd655a8877248bf

        • C:\Windows\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe

          Filesize

          88KB

          MD5

          cb6a5abdb726b8e1cd4ef5b269cfd1e5

          SHA1

          41e146b9dc80bc8e76c3b52b0692f0579f0de3f4

          SHA256

          a7f7774352761884985c41fc8f6bcb72328c7af1d40e782b996270deac876f58

          SHA512

          c805224f5c28473db5180b8a2faccaddc4825ca2be6ff4afa9782b4324e662a1ef067d9712b13f8c13488ddfbd8f343460297dce7c38fc928d26cb1a99827f99

        • C:\Windows\{5E5A967F-BC20-4045-A8E6-925194CC377E}.exe

          Filesize

          88KB

          MD5

          e1ea60ccbc87f485ba02902258095563

          SHA1

          ee9c3f1793a6af90b3d71a4686395f06ef8372d9

          SHA256

          63f3b6a0147d57f70d46b88a38aa970f5d791272b07092a440f77dee82152fd1

          SHA512

          0859f46b63c3398c28aee7a6088d8254b53695d7c8cb7ff2cf9dfec5e2fafd082709ea653ed0c9b0630efaa6845f2504bced58541ee441c6c7d7bf1df4184f7b

        • C:\Windows\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe

          Filesize

          88KB

          MD5

          81e64fbcfc4bb473db70b5eaffe1adb8

          SHA1

          2f8d75a197f80624aa810445f59a6def2766cf9f

          SHA256

          d528314d15c14d5b03eb0c8494e7167fcb543ced4e648317614bdf3666fd5e8a

          SHA512

          e7f4b62a3b0cd1bba981902898b59faf9b50209fe82c08e62d62a5f27d9c13b7629f5839c0c57e5aaf6911f0c19459b68a67e896362c8cc51338bfbe93e1a7da

        • C:\Windows\{919286E1-8664-4268-90A9-D8037D365B36}.exe

          Filesize

          88KB

          MD5

          26dd6d13a4215bb563a5b2e90a86ec40

          SHA1

          9a6df293e715c6dd425f6f00fe7a1682b5a19af0

          SHA256

          1b3423f60550adfe63aa924f97201b922ce0b8fba559347dca87899c00f7243f

          SHA512

          d3f50a1a30d0164f96fd50e2ea96671bb489e838031b570e2491bb9dd1151d8ab805eb69a30bb5f51b7a017e80c408f9512b1ad5426af4583d2d23168d3a7910

        • C:\Windows\{A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe

          Filesize

          88KB

          MD5

          31199f4d55331b22872e4759c2c30bef

          SHA1

          d706adbbfe4d00ef431588ea2984efcce2349753

          SHA256

          c7982dc0a9a15a7d7b09824659b6b495dccd0e7105e828cf89def5b7677867db

          SHA512

          14aefdd6bd768182e4c0be8701d1354e4f989460078804f28c4c57a74f37ae53388595fef2201d8858f0ba7f60d4d84f5d57f4c7e70e6a3be5cd5ea7e40a2acc

        • C:\Windows\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe

          Filesize

          88KB

          MD5

          625171a0e209b61951c80dd57ba19602

          SHA1

          5e881286a94ae11520bcc4d5d449a66a1eac453a

          SHA256

          72ab11b0898e52eb62475fe61e4f1475b9fcd09282a684f1eb2e0ffd6b3a651a

          SHA512

          629fada808bd4b2e9c9cc2dcd7eb9d81eafcca98e0b455b5894660531b93aeef93a920ae347d5af5035b4689fd35fb4b2e7772f8786eed9dda650762106b0f7c

        • C:\Windows\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe

          Filesize

          88KB

          MD5

          0ad8fad41bf1a49d5e5966c340d150ab

          SHA1

          dc4a187ce5c9b9aef39f76ca39ce808785dce790

          SHA256

          7366fe141b98d109e215aa81ac8bdbc601f58a7a6da8315b3d7458bc3cc667af

          SHA512

          0b9324163a23bc9a05ac66abdf17b15312558b9e88e2f247f29b510d7f9275a524fae70ff2086825688d2be0c7dd497331bfd97797e2b24a3a794abf9661634f

        • memory/1140-49-0x0000000000270000-0x0000000000281000-memory.dmp

          Filesize

          68KB

        • memory/1140-55-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1144-28-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1144-22-0x00000000003A0000-0x00000000003B1000-memory.dmp

          Filesize

          68KB

        • memory/1144-19-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2036-64-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2036-58-0x0000000000290000-0x00000000002A1000-memory.dmp

          Filesize

          68KB

        • memory/2104-9-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2104-3-0x00000000003A0000-0x00000000003B1000-memory.dmp

          Filesize

          68KB

        • memory/2104-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2104-1-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2120-67-0x0000000000700000-0x0000000000711000-memory.dmp

          Filesize

          68KB

        • memory/2120-73-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2684-46-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2684-40-0x0000000000320000-0x0000000000331000-memory.dmp

          Filesize

          68KB

        • memory/2928-18-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2928-12-0x0000000000290000-0x00000000002A1000-memory.dmp

          Filesize

          68KB

        • memory/2968-76-0x0000000000420000-0x0000000000431000-memory.dmp

          Filesize

          68KB

        • memory/2968-82-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2996-37-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2996-31-0x00000000003A0000-0x00000000003B1000-memory.dmp

          Filesize

          68KB