Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-10-2024 21:50

General

  • Target

    95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe

  • Size

    60KB

  • MD5

    f9dd43ea65983fd979a987bf8530bc80

  • SHA1

    69886de23019c29c4ea0bfbe07d32667744c03ea

  • SHA256

    95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33f

  • SHA512

    2a5e39a132c3e91c6f1a3424a0c0e4baae0f4e3de455b799091db4a3f2ae1c4c10fea17aa239f53486478d68764319ef51d5ff3fb9a2db866a844816b9a2afcb

  • SSDEEP

    192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqw4gY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLro4u4/CFsrd

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe
    "C:\Users\Admin\AppData\Local\Temp\95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\{5980B42E-266E-46cb-9EC0-AFFE55778B86}.exe
      C:\Windows\{5980B42E-266E-46cb-9EC0-AFFE55778B86}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\{EC0FB27A-2031-4dab-A338-3C437D0C4420}.exe
        C:\Windows\{EC0FB27A-2031-4dab-A338-3C437D0C4420}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\{8C234703-93A8-4773-B548-20CB2FF1D06B}.exe
          C:\Windows\{8C234703-93A8-4773-B548-20CB2FF1D06B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\{B21C628D-0FDE-41b8-8BD9-77388DBC8A83}.exe
            C:\Windows\{B21C628D-0FDE-41b8-8BD9-77388DBC8A83}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Windows\{92066183-F71C-4bca-A1D3-D887EE9E85DA}.exe
              C:\Windows\{92066183-F71C-4bca-A1D3-D887EE9E85DA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2140
              • C:\Windows\{DF3AA661-710F-4fb8-B7A8-D5F7E2D62E6F}.exe
                C:\Windows\{DF3AA661-710F-4fb8-B7A8-D5F7E2D62E6F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1728
                • C:\Windows\{E6BDB4F1-D992-46a9-8545-98E12441117A}.exe
                  C:\Windows\{E6BDB4F1-D992-46a9-8545-98E12441117A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1708
                  • C:\Windows\{A95BC591-C800-4188-9BBD-1F40035848EE}.exe
                    C:\Windows\{A95BC591-C800-4188-9BBD-1F40035848EE}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1628
                    • C:\Windows\{3ACE6246-EE9A-4a3a-81D2-CAB6FF2F97DE}.exe
                      C:\Windows\{3ACE6246-EE9A-4a3a-81D2-CAB6FF2F97DE}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2164
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A95BC~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2336
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6BDB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1652
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DF3AA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3068
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{92066~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1736
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B21C6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2088
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8C234~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EC0FB~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5980B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95F1E4~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{3ACE6246-EE9A-4a3a-81D2-CAB6FF2F97DE}.exe

    Filesize

    60KB

    MD5

    402b11b7490bd5c5f6afbacd1f61cd6d

    SHA1

    509f59cbd13c21bca93193c245c2de97d97a6c24

    SHA256

    ecb4e6ee1809eb0062a2113ac126b86099493192d5ae512b342e5ee05224d60f

    SHA512

    2fa905df92d912fd345b4c5e6aa30ea8333da058586214155a54bfb078bf91bdc1eb4b215b383c4d7e0f66ec71800c63805958bb7c5a88eb6a9017e812077fde

  • C:\Windows\{5980B42E-266E-46cb-9EC0-AFFE55778B86}.exe

    Filesize

    60KB

    MD5

    2467f8b44814bbb87af6c2a97900d41d

    SHA1

    cd0d0bdfe6eb85dca2758a828dcc8e1a56bef801

    SHA256

    de58aefeed3b54ea8b362af8688839515bb5055fa1bd10212ab66290b69b09e2

    SHA512

    635ec8ded9b5ecc3f8836d5b6cb95f3b794a9d70ab348decb806f243d4c8930955c923a6af6e9319f44b0fb693f5294395f612d57b353ee3f3416791648e98d3

  • C:\Windows\{8C234703-93A8-4773-B548-20CB2FF1D06B}.exe

    Filesize

    60KB

    MD5

    94d971fcd8ed956e7abe611c92284868

    SHA1

    1ddaabe012dd7ae46eb51ae2b98ce23506041934

    SHA256

    60d6f7c00ccb191b141cb2fbad56b623771fe7df55b84159154f06b2dd91da65

    SHA512

    3de03df3a69ec4c733723cec905928e6c8686b96cb8b93b8d3b4bb77c3413d7389b272f994362c57318f412211cf050aca38390df4dec761b28e92b799cb90f8

  • C:\Windows\{92066183-F71C-4bca-A1D3-D887EE9E85DA}.exe

    Filesize

    60KB

    MD5

    44c0b3e99a9ba51a6055242c9e6145a8

    SHA1

    96bb8e230914881da72d76bbffcdccb1538de0f4

    SHA256

    941f271c301e74377e38b44f98af19bc59b3d97a71ea1fa5c1b5f34921a3c89b

    SHA512

    93bee35e43beeede0acfa3aafeb7205b092ae166546b627f5f1dc7c3e815e0a237be14b9292aa9365045be2c45be3d3bcd19320ebb51684a84e4334187ea0393

  • C:\Windows\{A95BC591-C800-4188-9BBD-1F40035848EE}.exe

    Filesize

    60KB

    MD5

    c34705bc58feb7baf84690023de24115

    SHA1

    9af887f4fde2e3624467bc000b1df38e048278c3

    SHA256

    173192e11ced7eb02e4bcdd27f2c4060d98834ee00453dac1b54525e0cd3222e

    SHA512

    03745349e95d694b91615e504a1fb443b7b989909764e42d3c63c18b1ef29ac78cb849f5c89f2e9210516552eab7ae4f3b8e04831d72c66c45fab7fd76cac7ac

  • C:\Windows\{B21C628D-0FDE-41b8-8BD9-77388DBC8A83}.exe

    Filesize

    60KB

    MD5

    ebb8fd24692502d96b8fa496be57b934

    SHA1

    33b7b4bb103b3363363a3973e69b81be233d8b93

    SHA256

    a1d278cd4db7e11e9ff8d3167c23993800353c3f96f9d1636eed65f359894b42

    SHA512

    949cd8608d2f8664bb3fffb8d602b8b7e48cb4bddc5f76e7edb5831dfed69c5e0dc7a38a08b62348e79299b0723b10cdba330839a59b9a595717869785533a71

  • C:\Windows\{DF3AA661-710F-4fb8-B7A8-D5F7E2D62E6F}.exe

    Filesize

    60KB

    MD5

    a8d889ccade1dbb2c0f253283424bc39

    SHA1

    5c2008119611e2c30accd423dc99e7a73eaf2855

    SHA256

    34d47d6911cefff92908c0cd6462f2887015a2c7fc99264b64b3881076aa7048

    SHA512

    6213a0db79a09dd4ff65f9286f866d4729dc25a343778cded14b1fd8f759a244fd26a12d38f65a6283ad6c81e80f23638c2277004bf33fcc46c03062d9919914

  • C:\Windows\{E6BDB4F1-D992-46a9-8545-98E12441117A}.exe

    Filesize

    60KB

    MD5

    5481024b27cf94c82d4ce249fa1a2bf0

    SHA1

    6eaa40906c5444390732beda28c86ca827a364e5

    SHA256

    c10586a3cfcbc2742442040ff22e113567d288f6d1b8342e07d06413ca55e750

    SHA512

    e72072787ac11457fa2d0a2af534130e1b24b0a0092ff318681a6c78c456e9bc3b70139d4d1e23849a00be5a7d2234af1c12a9c27c7ddc68d835abf0bff8627d

  • C:\Windows\{EC0FB27A-2031-4dab-A338-3C437D0C4420}.exe

    Filesize

    60KB

    MD5

    0a89e932e04991fa2de5081faf054873

    SHA1

    424803d94ceacdb31061903c4529f0a8749a53d7

    SHA256

    144f4bd228e7445096f6f3f98eae8bf306a54a47ddaf7b0bfa744a2320b607b6

    SHA512

    ee7aae43e759b2a02d4c946c19b21decc3bee08dfa008a537448e2a8f773cb6830eedf89600be3bfd6f25911d43f2ab317e000ddea311fb9ad5a81d0ba9f5dc9