Analysis

  • max time kernel
    118s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2024 21:04

General

  • Target

    e2ac578cae71dceb95ff01d68545369ea482ebaa887d5af3c7f34b193077c47dN.exe

  • Size

    90KB

  • MD5

    92f93f3d3f753f6f405e50fed97daae0

  • SHA1

    9d3babe310768384b0ef6c6b24fcf71137f69b19

  • SHA256

    e2ac578cae71dceb95ff01d68545369ea482ebaa887d5af3c7f34b193077c47d

  • SHA512

    935d2c88664cea86bbbfd6e0b9928706f760e43615c917ae1883d469eb2bad6cc9872c12002cee19660cd438cfa43975c6d70794fe717fb02f09a48b70d232fc

  • SSDEEP

    768:Qvw9816vhKQLroiL4/wQRNrfrunMxVFA3b7gl/:YEGh0oiLl2unMxVS3HgR

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
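
The Active Setup hits are the persistence mechanism to check first on any host that ran this sample. Active Setup executes the StubPath command of each HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} key at the next interactive logon of every user whose HKCU counterpart key is missing or carries a lower Version, so a single HKLM write fires once per user account. The Python below is an added triage example, not part of this report or of the sandbox; it parses a `reg export` of that key and flags StubPath values shaped like this sample's droppers. The registry text is constructed: two entries imitate the shape of legitimate Windows components and the third is modelled on the GUID-named files this sample drops. The report does not show the StubPath values the sample actually wrote, so the assumption that StubPath points straight at C:\Windows\{GUID}.exe is mine.

```python
"""Triage Active Setup 'Installed Components' entries for suspicious StubPath
values.  Added example; the registry text below is CONSTRUCTED to resemble a
`reg export` of the key and is not taken from the sandbox run."""
import re

# Constructed sample in .reg syntax.  The first two keys imitate the shape of
# legitimate Windows components (display name, StubPath under System32); the
# third is the ASSUMED entry a dropper like this sample would write.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Windows Desktop Update"
"StubPath"="%SystemRoot%\\System32\\ie4uinit.exe -UserConfig"
"Version"="11,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{98C7E499-F765-4998-B358-5349EF321E6B}]
"StubPath"="C:\\Windows\\{98C7E499-F765-4998-B358-5349EF321E6B}.exe"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^(@|"[^"]+")=(.*)$')
GUID_EXE_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}.  Only string (REG_SZ) values
    are unescaped; other types are kept as the raw right-hand side."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).strip('"')          # '@' is the default value
            raw = m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = raw
    return keys


def stub_executable(stub):
    """First token of the StubPath command line, with %SystemRoot% expanded."""
    stub = stub.strip()
    if stub.startswith('"'):
        end = stub.find('"', 1)
        exe = stub[1:end] if end > 0 else stub[1:]
    else:
        exe = stub.split(" ", 1)[0]
    return re.sub(r"%systemroot%", lambda _: r"C:\Windows", exe, flags=re.I)


def triage_active_setup(reg_text):
    """One finding per StubPath that matches the pattern in this report:
    a GUID-named .exe sitting directly in C:\\Windows, no display name."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        stub = values.get("StubPath")
        if not stub:
            continue
        exe = stub_executable(stub)
        directory, _, filename = exe.rpartition("\\")
        key_guid = key.rsplit("\\", 1)[-1]
        reasons = []
        if GUID_EXE_RE.match(filename):
            reasons.append("GUID-named executable")
        if directory.lower() == r"c:\windows":
            reasons.append("runs from C:\\Windows itself, not a system subdirectory")
        if filename.lower() == f"{key_guid}.exe".lower():
            reasons.append("component GUID reused as file name")
        if "@" not in values:
            reasons.append("no display name")
        if reasons:
            findings.append({"key": key, "stub": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_active_setup(SAMPLE_REG):
        print(f["key"])
        print("  StubPath ->", f["stub"])
        for r in f["reasons"]:
            print("  -", r)
```

On a live 64-bit host export both the native key and HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components, since a 32-bit dropper (this sample spawns cmd.exe from SysWOW64) lands under the redirected view. Removing the HKLM key stops future logons from re-running the stub, but each user profile that already ran it keeps an HKCU marker, and the dropped executables themselves still have to be removed.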

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2ac578cae71dceb95ff01d68545369ea482ebaa887d5af3c7f34b193077c47dN.exe
    "C:\Users\Admin\AppData\Local\Temp\e2ac578cae71dceb95ff01d68545369ea482ebaa887d5af3c7f34b193077c47dN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:100
    • C:\Windows\{98C7E499-F765-4998-B358-5349EF321E6B}.exe
      C:\Windows\{98C7E499-F765-4998-B358-5349EF321E6B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\{5A88080A-8E3D-49c7-A0F4-F3DF5E296A51}.exe
        C:\Windows\{5A88080A-8E3D-49c7-A0F4-F3DF5E296A51}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Windows\{8FBBB402-E8A0-4a2d-95B7-916538FEB96A}.exe
          C:\Windows\{8FBBB402-E8A0-4a2d-95B7-916538FEB96A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Windows\{D7870E0E-18C4-4c40-B46B-E75E4FC33C72}.exe
            C:\Windows\{D7870E0E-18C4-4c40-B46B-E75E4FC33C72}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5056
            • C:\Windows\{0625B39D-00A7-47ba-BE41-94EA9D5BE962}.exe
              C:\Windows\{0625B39D-00A7-47ba-BE41-94EA9D5BE962}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:116
              • C:\Windows\{6778B3F5-3345-4e6c-9ACE-1AC31D50DB3E}.exe
                C:\Windows\{6778B3F5-3345-4e6c-9ACE-1AC31D50DB3E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3124
                • C:\Windows\{206C455A-809A-4f79-8160-29F56E66807E}.exe
                  C:\Windows\{206C455A-809A-4f79-8160-29F56E66807E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3716
                  • C:\Windows\{DED36FE1-7A2B-4a4e-BEE9-C70F2B536564}.exe
                    C:\Windows\{DED36FE1-7A2B-4a4e-BEE9-C70F2B536564}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3420
                    • C:\Windows\{A6D5C9C4-8353-4255-8BC3-AF502207BA76}.exe
                      C:\Windows\{A6D5C9C4-8353-4255-8BC3-AF502207BA76}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2192
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DED36~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:5068
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{206C4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3224
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6778B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1604
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0625B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4984
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D7870~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4240
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8FBBB~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5A880~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98C7E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5012
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E2AC57~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3268
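
The tree above has one repeating shape: each GUID-named executable in C:\Windows launches the next copy and a cmd.exe that deletes its own parent by 8.3 short name ("{98C7E~1.EXE" is the short form of "{98C7E499-...}.exe"), nine hops deep, and the Downloads section shows that every copy is the same 90KB size yet has a different hash, so blocking the dropped files by hash alone is weak. The Python below is an added detection example, not part of the report or the sandbox, that keys on the behaviour instead: a chain of GUID-named droppers plus a child cmd.exe whose del target is the parent's own image. Its input is a constructed list of process-creation events transcribed from the first three hops of this tree (PIDs, images and command lines as reported, with the root's parent PID set to 0 because the report does not show what launched PID 100) plus one constructed benign `cmd /c del` to show that the parent-name check, not the del keyword, is what fires.

```python
"""Flag the chained-dropper-with-self-deletion pattern from this report's
process tree.  Added example; EVENTS is a CONSTRUCTED subset of the tree
(first three hops, PIDs and command lines as reported) plus one benign
cmd /c del that must not fire."""
import ntpath
import re

ORIG = r"C:\Users\Admin\AppData\Local\Temp\e2ac578cae71dceb95ff01d68545369ea482ebaa887d5af3c7f34b193077c47dN.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
G1 = r"C:\Windows\{98C7E499-F765-4998-B358-5349EF321E6B}.exe"
G2 = r"C:\Windows\{5A88080A-8E3D-49c7-A0F4-F3DF5E296A51}.exe"
G3 = r"C:\Windows\{8FBBB402-E8A0-4a2d-95B7-916538FEB96A}.exe"

# (pid, parent pid, image path, command line).  Parent PID 0 = not in the
# trace; the report does not show what launched PID 100.
EVENTS = [
    (100, 0, ORIG, f'"{ORIG}"'),
    (3020, 100, G1, G1),
    (3268, 100, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E2AC57~1.EXE > nul"),
    (532, 3020, G2, G2),
    (5012, 3020, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{98C7E~1.EXE > nul"),
    (1268, 532, G3, G3),
    (3196, 532, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{5A880~1.EXE > nul"),
    # constructed benign noise: a shell deleting a log, not its parent's image
    (700, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    (701, 700, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Temp\build.log > nul"),
]

GUID_EXE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)
DEL_TARGET = re.compile(r'/c\s+del\s+"?([^"\s>]+)', re.I)


def is_guid_dropper(image):
    """GUID-named .exe sitting directly in C:\\Windows, as every hop here is."""
    directory, filename = ntpath.split(image)
    return directory.lower() == r"c:\windows" and bool(GUID_EXE.match(filename))


def deletes_parent(cmdline, parent_image):
    """True if `cmd /c del X` targets the parent's own image, by long name or
    by its 8.3 short name (first six characters, a tilde, then the extension,
    as in `{98C7E~1.EXE` for `{98C7E499-...}.exe`).  The six-character rule is
    the common first-collision form, not a full 8.3 name generator."""
    m = DEL_TARGET.search(cmdline)
    if not m:
        return False
    target = ntpath.basename(m.group(1)).upper()
    stem, ext = ntpath.splitext(ntpath.basename(parent_image))
    if target == (stem + ext).upper():
        return True
    return target.startswith(stem[:6].upper() + "~") and target.endswith(ext.upper())


def chain_hops(edges):
    """Longest parent->child path through the dropper edges (a tree)."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)

    def depth(pid):
        return max((1 + depth(c) for c in children.get(pid, [])), default=0)

    child_set = {c for _, c in edges}
    return max((depth(p) for p in children if p not in child_set), default=0)


def analyze(events):
    """Count dropper hops and the cmd.exe processes that delete their parent."""
    by_pid = {e[0]: e for e in events}
    dropper_edges, self_deletes = [], []
    for pid, ppid, image, cmdline in events:
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        if is_guid_dropper(image):
            dropper_edges.append((ppid, pid))
        if ntpath.basename(image).lower() == "cmd.exe" and deletes_parent(cmdline, parent[2]):
            self_deletes.append(pid)
    hops = chain_hops(dropper_edges)
    return {
        "hops": hops,
        "self_delete_pids": sorted(self_deletes),
        # two or more re-drops plus at least one parent deletion is the shape
        # of this tree; a single dropped exe with no cleanup is left alone
        "flag": hops >= 2 and len(self_deletes) >= 1,
    }


if __name__ == "__main__":
    print(analyze(EVENTS))
```

The same four fields map directly onto Sysmon Event ID 1 (Image, ParentImage, CommandLine, ParentProcessId), so the logic ports to a SIEM rule without change; the parent-image comparison is what keeps ordinary `cmd /c del` cleanup from firing.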

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0625B39D-00A7-47ba-BE41-94EA9D5BE962}.exe

    Filesize

    90KB

    MD5

    a44e396a47a02e8d1383e3ac9a84aa46

    SHA1

    df28a8c38de6b0b5b918d280e9b91dc630fdccbc

    SHA256

    bf6cdfaf8875eb93f469aa7723b95f490cc7d6b44a41d9d7fd529066a9083d1d

    SHA512

    b71c0c9d2e93937cefa0bcb636c47cc290bea837ab1acba18780232058c3ee34e798ca2df7eed2a984b95a328e52bd30d0ee3c29057ce5315bc0f2fbd400a60f

  • C:\Windows\{206C455A-809A-4f79-8160-29F56E66807E}.exe

    Filesize

    90KB

    MD5

    a314824e22c74d9c5908a00658806835

    SHA1

    705cba9fd7a45dd27f74f659e1a2656aa8f70e79

    SHA256

    6550431cba01923bfbccaa238186dc9352c7e076ad12a32882572fa4861c7626

    SHA512

    181e2b20a4b97ecca3e2e069e84575a17a93d58213e5e8fd5150daa8a597bf7ade22db85d688f8ad98f6e4143fb44398edf3f4992805b5fe0ce65c1ab8c90be9

  • C:\Windows\{5A88080A-8E3D-49c7-A0F4-F3DF5E296A51}.exe

    Filesize

    90KB

    MD5

    9c53c6b6fc48fb4dc5dac3b54601afb1

    SHA1

    13126935b36be8713ce21523b74eb91ab57c6287

    SHA256

    99bbb97185e730124a1df5e4cc80ecf4f7fa9d4e3f885de6dbb907ff1917434e

    SHA512

    bf1aef0c79386a50205bf96f726ad557bca10a95d928b3a22405a14fec6850f289351ded005ae2d1c4124bc4e666d8d8dbc2ea5d5015ceddfff7346fe0e29253

  • C:\Windows\{6778B3F5-3345-4e6c-9ACE-1AC31D50DB3E}.exe

    Filesize

    90KB

    MD5

    23dedaf21466a70a027e34e2c9194a6b

    SHA1

    9b95d5c54eae704aaf3bdde0f002596bc90db41f

    SHA256

    bbdf1dba15f712445a9e7b70bfe4d95a73b8c7cf5fdd0ccd9ef8914e3ddd4300

    SHA512

    aa71f98297bc50720d780daa0840866c4174dd83afe8d3dee36bb8a6ad35736dc6fda4fefbf056c4fb273e2eecdf07d6bf83e3e8473fe71958fd489cf06bf29b

  • C:\Windows\{8FBBB402-E8A0-4a2d-95B7-916538FEB96A}.exe

    Filesize

    90KB

    MD5

    600108bfa7b5481b95671a2e2ac516ae

    SHA1

    070f6dd817f0be028b791429155e7a8af21dd8c6

    SHA256

    30d8f5b610de9018e1e6b29a819d08c32af11f1d44a3b7827f594e1d7a2b19ed

    SHA512

    534a10762091b62f5b16e9c30c3eef1ab0d753a3d76e449c59da49ce7450158fe319c9bfd51084666eb32e6943df3cec1783c6f50b5f12333efef189412dc500

  • C:\Windows\{98C7E499-F765-4998-B358-5349EF321E6B}.exe

    Filesize

    90KB

    MD5

    4c86979880ee0866e6c4660d63532f55

    SHA1

    09ab15d8d1579b9cf16bc43ab601bf7609730a4d

    SHA256

    19ba4e1a5537604c1042e17e6f454c8d4b24b9ece96aeb479d776aa312e256aa

    SHA512

    4b9a631a3b668e493433d203bf0588743d5d9341231fa0143d8c7056c6b4dd11e53182b2c88f0963b25ecbc8b4e1626406238e38860d364e17f7d2f092dd3287

  • C:\Windows\{A6D5C9C4-8353-4255-8BC3-AF502207BA76}.exe

    Filesize

    90KB

    MD5

    e4c6bd3d22eee7069c1dadd7936a6b49

    SHA1

    8387b34c416e27a75dfd324bef60730a0b551d96

    SHA256

    601fd07fd04d40e54e5bed24c9c8edcb8f03c0179ba144715dbc717537ad7c34

    SHA512

    61347b05b7ae2c4d4ec36e8d219fd67e2da17d12fa99932c94258348fa24047d7f41945ab7cfe466606be6574bb898594ef2ad17773ed8c54d135167c602d220

  • C:\Windows\{D7870E0E-18C4-4c40-B46B-E75E4FC33C72}.exe

    Filesize

    90KB

    MD5

    fc6702e3cca0ca3b9fbac2ab9786129a

    SHA1

    bcd25bdf0f5ed6fd4f8c53acce3a2fd4a3774fd0

    SHA256

    04630f3b9a2894595978759a7d61788e3316c718ef37b58f4f2c03dc11e05df5

    SHA512

    4a253dab6d6a1e93cfc7d41286c4db9639fca3349657b16b362dbc93f7adb0a2f5655612a816915c37c1a96ca324c8fa1b56612a5afc4fe34118e4a4eaa886a7

  • C:\Windows\{DED36FE1-7A2B-4a4e-BEE9-C70F2B536564}.exe

    Filesize

    90KB

    MD5

    1c5789ba8067672346b6fcb1167da4d7

    SHA1

    806db9d8c50148b35de9103ef12b817edac2662f

    SHA256

    5740ee60ef806f0e65e11a966f5d52e1dd9404f89166d294d346664756d0d5b2

    SHA512

    f14d3ffd3a184c1a0e1aad03fea2551e885a5e6842f87d8aeab9ce01d6dd470607e2f90dc81370bf4b33820d16642a5ba8cda5da2b09af58b4b88e04022750cb