Overview

overview

8

Static

static

3

eb591fa865...aN.exe

windows7-x64

8

eb591fa865...aN.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2024 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe

  • Size

    90KB

  • MD5

    ccd44d9cf191c8ce2e496c321ee07d50

  • SHA1

    7725bdcd91468f036ead971b347b096e46e31a00

  • SHA256

    eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2a

  • SHA512

    b915d53e94a01e862071f90bc7d2c5605a18a134e556b054d88c82a67785610989c7761072b261a5f40ca74019272c104ebb5875af1a606c45167869b8bbe762

  • SSDEEP

    768:5vw9816thKQLroq4/wQkNrfrunMxVFA3bA:lEG/0oqlbunMxVS3c

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe
    "C:\Users\Admin\AppData\Local\Temp\eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\{3061DDA5-7C98-4627-AF15-9CD11A6949CE}.exe
      C:\Windows\{3061DDA5-7C98-4627-AF15-9CD11A6949CE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\{703EE580-AA47-4e54-BD6E-D5A5D202E002}.exe
        C:\Windows\{703EE580-AA47-4e54-BD6E-D5A5D202E002}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Windows\{F61135EF-2B09-4950-B209-6EB94CDEF800}.exe
          C:\Windows\{F61135EF-2B09-4950-B209-6EB94CDEF800}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3680
          • C:\Windows\{2EFDE4B6-E379-4eab-A3A9-D0CFE05EBC5E}.exe
            C:\Windows\{2EFDE4B6-E379-4eab-A3A9-D0CFE05EBC5E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3384
            • C:\Windows\{845A8B0D-458B-486f-A39B-719939C14533}.exe
              C:\Windows\{845A8B0D-458B-486f-A39B-719939C14533}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1660
              • C:\Windows\{D2FCC6CF-DCD3-46e9-9DAC-56C248014F64}.exe
                C:\Windows\{D2FCC6CF-DCD3-46e9-9DAC-56C248014F64}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2588
                • C:\Windows\{114497AA-2CF8-4197-99EC-4DE76FA01447}.exe
                  C:\Windows\{114497AA-2CF8-4197-99EC-4DE76FA01447}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:824
                  • C:\Windows\{F43AC086-F8A5-442d-BAD9-B09BE466B8FB}.exe
                    C:\Windows\{F43AC086-F8A5-442d-BAD9-B09BE466B8FB}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2304
                    • C:\Windows\{6DFE212C-CE0A-4c7c-A4F1-EA30853D7E71}.exe
                      C:\Windows\{6DFE212C-CE0A-4c7c-A4F1-EA30853D7E71}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4900
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F43AC~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4608
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{11449~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4336
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D2FCC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1428
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{845A8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2196
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2EFDE~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1576
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F6113~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1192
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{703EE~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3984
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3061D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3176
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EB591F~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{114497AA-2CF8-4197-99EC-4DE76FA01447}.exe
    Filesize

    90KB

    MD5

    90446a1ddad54d008faf870ff3c285fe

    SHA1

    6fea1f95d9cc2632592e9ac9094b42c8da99cc65

    SHA256

    34613afb3b2c7675051484697302709595ce7cf1dd0753f4212b31b56ff7306e

    SHA512

    5a8f9a48309631675cb62de42fb551ef2dacea91493b6d276386ac016fb13abb20a38cca484dcec75c689f72cccd430549070bde3b2f26ee9de99ecdf55a2b7f

    Download Submit

  • C:\Windows\{2EFDE4B6-E379-4eab-A3A9-D0CFE05EBC5E}.exe
    Filesize

    90KB

    MD5

    2a3e29851a505ebb6d46b3073582f90d

    SHA1

    0319e3d5aaf85f962654a8e9399198ea2b27b4c0

    SHA256

    50297daa6d397b683a7c6ae2e8e7dd4a7298f5b637f5c9e6a5d89efcdf2526d9

    SHA512

    f01282822500b7e047531d8fe82313a1a4f6dffb8079afb11983faec3a00ad4daa82b21bc4e450b828b505398a164e0e650cded3b9e1f2fd3dfd32c1fcb60b55

    Download Submit

  • C:\Windows\{3061DDA5-7C98-4627-AF15-9CD11A6949CE}.exe
    Filesize

    90KB

    MD5

    8dbe577a833e6f55911e99312d4cfd3a

    SHA1

    136a7757033b5400dab37674ae581894e05c6b33

    SHA256

    7ec632b71f3146313a8801e910215e0ab78464bece6a8966637430f28456bae0

    SHA512

    be415156a94b7b90666c92d82a0ee859b6b5ccc6c7df3cd316479fd57baac0f305fe9a9a537bf4c3c60baf8495dd30b9a18bd36169afff2a6094a41fa58710e7

    Download Submit

  • C:\Windows\{6DFE212C-CE0A-4c7c-A4F1-EA30853D7E71}.exe
    Filesize

    90KB

    MD5

    853e84b83fd48fac20a0d09381ace8ef

    SHA1

    c1fbcc854dd23638866bcf5a9ea3ee061b7d369e

    SHA256

    07c0e1380de92e29beab7da3f6870f7a7486a30d4274b9ec981dd219426194fd

    SHA512

    1a6c88732e53bdd8aac8269b4ff79b73a030763c4b2de9a5f1b846cb5cfbd9a89a94770ebc6f41a6f89809d9b05bc706e4f22f48f1e700239ed3c101bb4bb468

    Download Submit

  • C:\Windows\{703EE580-AA47-4e54-BD6E-D5A5D202E002}.exe
    Filesize

    90KB

    MD5

    079e1d5d208511a6270c624c74157231

    SHA1

    f642074ed4ba2d9a95b98fda59d7321977bb22b7

    SHA256

    1395fb6f99cabb7a6e6a1f9e06daaebd4bd6db489c439f8a3d9da9536215f135

    SHA512

    d65df5ec2e9ed6fb499af1b6638403b532516d7cfd0ff9efb1dad3d6aa20e83a313a25dfc2352c8284ce2d38da2c8fa18ef924675aeffaf593742143a3847864

    Download Submit

  • C:\Windows\{845A8B0D-458B-486f-A39B-719939C14533}.exe
    Filesize

    90KB

    MD5

    513b0066c0e1937df0cea9486d397cde

    SHA1

    915efc10b3972986de63e04be82538142059cb1f

    SHA256

    04b52b609b442562e82620fd391e344239c5f4c5ce00ad4814092b00da6ed8d6

    SHA512

    4c98e75095d49adf75d2684b07e847c640fd410e60d7afedc0be93f4f3951040b7485e6e17de139a65bdc350ebe8ae7f38d1fefe91cf1210b20f6583aafed7ff

    Download Submit

  • C:\Windows\{D2FCC6CF-DCD3-46e9-9DAC-56C248014F64}.exe
    Filesize

    90KB

    MD5

    68982fd635c1636ab3eb8034a0edc17e

    SHA1

    6249520943c7d935fa2f54eb534cc4b54eb3163d

    SHA256

    67f946ba02d6a2b7efba23ecc53246474cc8a46e83fa1816a2d67ee618dbd813

    SHA512

    fc9ce4adf5b8f005fa0f22723a4a2b1ca571b6d81bba7e110d9122920c4d8eb92d71b18088d81255c76ed89f431c629411d611e6d5601e878d00de4f69e62eb4

    Download Submit

  • C:\Windows\{F43AC086-F8A5-442d-BAD9-B09BE466B8FB}.exe
    Filesize

    90KB

    MD5

    66e91b5592afc75493baad8ba4bcfe3f

    SHA1

    587aace588abd23dbbf4f14a327896a388672802

    SHA256

    9c58d39f5da9f785f3d03b571346f892b88a6f9757d8878706ca37685087dd96

    SHA512

    234008c824375fbd88f1d9b24eaf45bac9509e8c80feca18376feca4688eadafbfa7d3a9a96a9032cd00847db867f2d2f1b04d9586ee615312eaf3d8c229e4c6

    Download Submit

  • C:\Windows\{F61135EF-2B09-4950-B209-6EB94CDEF800}.exe
    Filesize

    90KB

    MD5

    677438fc3ff8c702d22dee9ffaeeee02

    SHA1

    e0b471a53d8ba2ffa427ad1858682fe1f0bac4fe

    SHA256

    35d94916460d3ea6586bea38d2fd0a09e8264e6b6cc18bd9fbd8958957948432

    SHA512

    154b1f1dfbf8c4b7aeba580553413d2e71e7846d486eae60472b23368605c948ce749c14095ba822df0a7ebf3eedf30ac3c6a8c5fcc7dc7b8be4f28b2c5414d3

    Download Submit

  • memory/824-47-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/824-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-32-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1660-37-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1820-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1820-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1820-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2304-55-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2304-49-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2372-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2372-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2588-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2588-38-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3384-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3384-26-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3680-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3680-20-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3680-25-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4652-17-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4652-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4900-56-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download