Overview

overview

8

Static

static

3

c44a311c7e...3N.exe

windows7-x64

8

c44a311c7e...3N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2024, 10:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c44a311c7ec3ee6fb95de04bbe87916b4e8a556a083d9bf12961c2ec09273483N.exe

  • Size

    91KB

  • MD5

    9ddf8f3a225c91e4843a89cd8c98ee30

  • SHA1

    34b36e7ba162bae5982d27d07abb84a3ec176c4f

  • SHA256

    c44a311c7ec3ee6fb95de04bbe87916b4e8a556a083d9bf12961c2ec09273483

  • SHA512

    204840e7e6ec77a0335d7aa7070b8bf735454654250bef008b52c95708e05ed32349e73a869e83952c2afb077e1d1331d056fe372de244eba0087e0c4c6e4b58

  • SSDEEP

    768:5vw9816uhKiro84/wQNNrfrunMxVFA3b7t:lEGkmo8lCunMxVS3Ht

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c44a311c7ec3ee6fb95de04bbe87916b4e8a556a083d9bf12961c2ec09273483N.exe
    "C:\Users\Admin\AppData\Local\Temp\c44a311c7ec3ee6fb95de04bbe87916b4e8a556a083d9bf12961c2ec09273483N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\{B45A544E-5750-46eb-A23F-9551CBA95999}.exe
      C:\Windows\{B45A544E-5750-46eb-A23F-9551CBA95999}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\{72F47C73-BEC4-430c-ABF3-2C116B0BE743}.exe
        C:\Windows\{72F47C73-BEC4-430c-ABF3-2C116B0BE743}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\{4400486F-2FE9-4c43-B875-28C8725D22AF}.exe
          C:\Windows\{4400486F-2FE9-4c43-B875-28C8725D22AF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Windows\{66655B9C-621B-4878-B9B9-340DAC2B63EE}.exe
            C:\Windows\{66655B9C-621B-4878-B9B9-340DAC2B63EE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4080
            • C:\Windows\{74508B11-718A-4ff0-8055-3DF1EDBC87EF}.exe
              C:\Windows\{74508B11-718A-4ff0-8055-3DF1EDBC87EF}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2808
              • C:\Windows\{2C065BC8-C0CF-4325-A831-6B10550E25EF}.exe
                C:\Windows\{2C065BC8-C0CF-4325-A831-6B10550E25EF}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1348
                • C:\Windows\{C696E458-447A-47b8-BB25-6BA5CEBDBB80}.exe
                  C:\Windows\{C696E458-447A-47b8-BB25-6BA5CEBDBB80}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3612
                  • C:\Windows\{E48AC4BC-6134-4662-9B7B-CE57214AB27E}.exe
                    C:\Windows\{E48AC4BC-6134-4662-9B7B-CE57214AB27E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3488
                    • C:\Windows\{E9602791-5DF9-4735-922A-6F54D455C7A1}.exe
                      C:\Windows\{E9602791-5DF9-4735-922A-6F54D455C7A1}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1004
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E48AC~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:764
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C696E~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2240
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2C065~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4888
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{74508~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1000
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{66655~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2156
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{44004~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3480
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{72F47~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B45A5~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C44A31~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{2C065BC8-C0CF-4325-A831-6B10550E25EF}.exe
    Filesize

    91KB

    MD5

    f7f9a9c41e63cde469bc7d4949e495bc

    SHA1

    5779a7f1b986c0db36a992c36803b95dc61925f2

    SHA256

    e180d23f62e06598def8eda586ecac74d1e963cf507a6e3db6bf4fc1b812ed9b

    SHA512

    93c4b7cc2d9230e51b4150486b0958d21dc44debe22a4add17ef15257e009713627d987a0161ce6d712ce2111460be270462a9d4c596f74e5502c2b8065a8b63

    Download Submit

  • C:\Windows\{4400486F-2FE9-4c43-B875-28C8725D22AF}.exe
    Filesize

    91KB

    MD5

    ccdb4cef21d16fea3d59f26d2ef2c165

    SHA1

    17ce5feabdbcccabd0ca26fd74f3d22e86b9a666

    SHA256

    655eb51ef008066ec146d6e3cb4d02f69cdfa0d2a3ae7630c0ef156fb647dcf6

    SHA512

    8f023d39b4e80b173e4a2e8325a7c33bad62c277716da25e7e0c9764058bf8a9e9cc0a8e5dcb779f07be382383c5e3e8981b71eda75f8a3a57cb2e0de19c02e3

    Download Submit

  • C:\Windows\{66655B9C-621B-4878-B9B9-340DAC2B63EE}.exe
    Filesize

    91KB

    MD5

    03aefaeefe5a06a20441d646371d1734

    SHA1

    fa0cc9f48751097344aaf8ab44333200f15f78e9

    SHA256

    86d0152d42bd2a71b8b463c61e77f7cef1f92f50936b4de54bd5068420aaae80

    SHA512

    127a2156762a253d8e48c903dc8aae9f80bbdc63d92319b64562c03b8ddafe1d1bb07c2bff3085b81125a6286106ceb20ab4ebfce390bb14db6ac5ab42465df8

    Download Submit

  • C:\Windows\{72F47C73-BEC4-430c-ABF3-2C116B0BE743}.exe
    Filesize

    91KB

    MD5

    d1be5416e54d31d5ba817ddf6666aa5a

    SHA1

    54fb3b1ce893260b8fea7d517b27ac8bc5a94487

    SHA256

    de21436a4d21293207494a6a77fa56c3d4f07bc70d227f8be4deb06f16688579

    SHA512

    f7562ddc9abee899d084b93f64ebad6be1556cb91a3c80c0e1120743d1795ffb038306da06bdd4875a06d308a6a7f3a9b87beabfb60144033883cd22bb54e96e

    Download Submit

  • C:\Windows\{74508B11-718A-4ff0-8055-3DF1EDBC87EF}.exe
    Filesize

    91KB

    MD5

    82882447b8f3ce739a6614d7f3b4d05d

    SHA1

    92164b4557fd493530ee5841542c7cf735089700

    SHA256

    2e63dab68ec41d15baa8ded74248fa5c65ea978d256accc4f131eb6951fd2f65

    SHA512

    43595990fdc7f5bc129d944f31042ea076a0e104313659532afa00282ca0d704d98f81478beb5a3a7e0988b4de97c83267084a5e6ab3c340a762cfc4c9e32cd1

    Download Submit

  • C:\Windows\{B45A544E-5750-46eb-A23F-9551CBA95999}.exe
    Filesize

    91KB

    MD5

    a16c27bfbc6e06aa38888130bdb200eb

    SHA1

    2d6736ed90ae80a5e13beec97958b7ed666728d3

    SHA256

    57e42dc7b5c8c3a6873418394e7a61e088d2d64203bd3fc942252c48cdba0381

    SHA512

    67949525e9d4cff6cf78e5429eff556f1e7da0bef64ae795ca3a007568c0b9e354e9dab5a217daffff9144f98514479a12e331c92aafc0b17fd9bcb7a7c6e929

    Download Submit

  • C:\Windows\{C696E458-447A-47b8-BB25-6BA5CEBDBB80}.exe
    Filesize

    91KB

    MD5

    16df02c5b90ec3704fb57601aa3026dd

    SHA1

    bc9ff18039fa693d349aa85fbafbbc2a6e3f6fa0

    SHA256

    f0c61587f6929b9b5bab838c28c3b7cc560d0befcca73796c9283695b74b6553

    SHA512

    60e4700884ef18e6bcb8c4fc74ec2f7d1e19147a585189075bb7370d9bb5c24d1810054a067f58a86f480f37d3f5102b89d600b68b9121dc6e3f2e6524cc2df7

    Download Submit

  • C:\Windows\{E48AC4BC-6134-4662-9B7B-CE57214AB27E}.exe
    Filesize

    91KB

    MD5

    a5d350c62354ee8cbce647a4afb13ef5

    SHA1

    e96c033a89dbcb4f5639b0762b611bbd6e187524

    SHA256

    4964e433f090ffe1216c571d53b6ee1aa7dcc8fdcb61687ccac804429aa3f1bc

    SHA512

    a8be0e9f0c2da5a7e2bcf333fc970826c6a8823b8df09f5b64d0744c1e1e31f4ae113c5cacee6cea028387f14f07703fab633462d20093149618c4ad43165dc7

    Download Submit

  • C:\Windows\{E9602791-5DF9-4735-922A-6F54D455C7A1}.exe
    Filesize

    91KB

    MD5

    daf1f3ba59b18d6f2e86b520d033ccc9

    SHA1

    fc4e053e55debbb12939e81516bb647b3665e612

    SHA256

    aca171c94d9bd00f4852814f09e96e06e7fec5d87e17868600bbe96c0cf87883

    SHA512

    aac14ea3c586d827f2672af46a3f4d77451480ff318d90b6479609d82bd21646d8bfdab9514b4cf2101d9de2c11c845ac852587bca21a97a1044dcfc333745f4

    Download Submit

  • memory/1004-53-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1348-40-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1820-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1820-22-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1912-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2196-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2196-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2196-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2808-34-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2988-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2988-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2988-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3488-46-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3488-52-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3612-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3612-44-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4080-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4080-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download