Analysis

  • max time kernel
    118s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-10-2024 13:12

General

  • Target

    f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe

  • Size

    90KB

  • MD5

    053c7dccc4f69f1a71b788276b118d10

  • SHA1

    2b074b5bb48804caa24ce96db33376b1cc94b999

  • SHA256

    f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734

  • SHA512

    9c29bcc720965ddfd4f6a1a0f67fb864ed3f0bfa628739fd1cccc94ab8c200838e97e00123a4c4cb04f18db0463f6cf9bbe533bbadbb50088b2724b6df527f22

  • SSDEEP

    768:5vw9816thKQLro84/wQkNrfrunMxVFA3bA:lEG/0o8lbunMxVS3c

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID>, StubPath value), so that the referenced program runs at the next user logon. The report records the write but does not show the key's value, so the StubPath target should be confirmed on the host.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
    "C:\Users\Admin\AppData\Local\Temp\f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\{237773CD-97F6-4dd9-A15E-A217189902B7}.exe
      C:\Windows\{237773CD-97F6-4dd9-A15E-A217189902B7}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
        C:\Windows\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\{90F53314-2378-425c-B409-9047000F5EEB}.exe
          C:\Windows\{90F53314-2378-425c-B409-9047000F5EEB}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\{1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
            C:\Windows\{1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
              C:\Windows\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3908
              • C:\Windows\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
                C:\Windows\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4356
                • C:\Windows\{63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
                  C:\Windows\{63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1964
                  • C:\Windows\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
                    C:\Windows\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:976
                    • C:\Windows\{A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe
                      C:\Windows\{A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4856
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2AA52~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1692
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{63447~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3408
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{852DE~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1272
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{16FA2~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1264
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1EAC1~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3944
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{90F53~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1E50A~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23777~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F90C81~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4224
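
Two things in the tree above are worth turning into detection logic, because the file hashes are not: the Downloads section shows that every dropped stage is 90KB but carries a different MD5/SHA256, so hash IoCs from this run will not match the next sample from the same family. What stays constant is the behaviour: each stage drops a GUID-named EXE directly into C:\Windows (not a subdirectory), executes it, and then spawns the 32-bit cmd.exe with `/c del <its own image, by 8.3 short name> > nul` to remove itself. The following Python is an added example, not part of the sandbox report or of any vendor tooling. The events are transcribed from the first four stages of the tree (later stages repeat the pattern) plus one constructed benign control; the regexes, the `short_name` helper and its default-case 8.3 rule are this example's own assumptions, and no registry data is modelled because the report does not show it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not from the report). Detects two behaviours visible in the
# Processes tree: GUID-named EXEs executed from the root of C:\Windows, and
# cmd.exe spawned to delete its parent's own executable via an 8.3 short name.

GUID_EXE_IN_WINDOWS_ROOT = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
DEL_REDIRECT_NUL = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


def short_name(filename: str) -> str:
    """Default 8.3 form of a long file name: first six characters of the base
    name, '~1', first three of the extension, upper-cased. Assumption: collision
    suffixes (~2, ~3, and the hashed form used after repeated collisions) are
    not modelled, so a real hunt should also compare against the host's own
    short names (e.g. `dir /x`)."""
    base, _, ext = filename.rpartition(".")
    if not base:  # no extension at all
        base, ext = filename, ""
    if len(base) <= 8 and len(ext) <= 3:
        return filename.upper()  # already a valid 8.3 name
    short = base[:6] + "~1"
    return (short + "." + ext[:3] if ext else short).upper()


def is_guid_exe_in_windows_root(ev: ProcEvent) -> bool:
    return GUID_EXE_IN_WINDOWS_ROOT.match(ev.image) is not None


def is_self_delete(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """cmd.exe whose '/c del ... > nul' target is the parent's own image,
    matched under either the long name or its 8.3 short name."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return False
    m = DEL_REDIRECT_NUL.search(ev.cmdline)
    parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
    if m is None or parent is None:
        return False
    t_dir, _, t_name = m.group("target").rpartition("\\")
    p_dir, _, p_name = parent.image.rpartition("\\")
    return t_dir.upper() == p_dir.upper() and t_name.upper() in (p_name.upper(), short_name(p_name))


def drop_chain(events: List[ProcEvent], root_pid: int) -> List[str]:
    """Walk from the submitted sample through each GUID-named child in turn."""
    by_pid = {e.pid: e for e in events}
    children: Dict[Optional[int], List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain, cur = [by_pid[root_pid].image], root_pid
    while True:
        nxt = [c for c in children.get(cur, []) if is_guid_exe_in_windows_root(c)]
        if not nxt:
            return chain
        chain.append(nxt[0].image)
        cur = nxt[0].pid


def analyse(events: List[ProcEvent], root_pid: int) -> Dict[str, object]:
    by_pid = {e.pid: e for e in events}
    return {
        "guid_exes": sorted(e.pid for e in events if is_guid_exe_in_windows_root(e)),
        "self_deletes": sorted(e.pid for e in events if is_self_delete(e, by_pid)),
        "drop_chain": drop_chain(events, root_pid),
    }


def _exe(pid: int, ppid: Optional[int], path: str) -> ProcEvent:
    return ProcEvent(pid, ppid, path, f'"{path}"')


def _deleter(pid: int, ppid: int, target: str) -> ProcEvent:
    return ProcEvent(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                     rf"C:\Windows\system32\cmd.exe /c del {target} > nul")


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe"

# First four stages transcribed from the Processes tree; the last two entries are
# a constructed benign control (an installer deleting a temp log, not its own image).
SAMPLE_EVENTS = [
    _exe(3068, None, SAMPLE),
    _exe(3948, 3068, r"C:\Windows\{237773CD-97F6-4dd9-A15E-A217189902B7}.exe"),
    _deleter(4224, 3068, r"C:\Users\Admin\AppData\Local\Temp\F90C81~1.EXE"),
    _exe(2124, 3948, r"C:\Windows\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe"),
    _deleter(4972, 3948, r"C:\Windows\{23777~1.EXE"),
    _exe(5012, 2124, r"C:\Windows\{90F53314-2378-425c-B409-9047000F5EEB}.exe"),
    _deleter(388, 2124, r"C:\Windows\{1E50A~1.EXE"),
    _deleter(1900, 5012, r"C:\Windows\{90F53~1.EXE"),
    _exe(5000, None, r"C:\Program Files\Example\setup.exe"),
    _deleter(5100, 5000, r"C:\Users\Admin\AppData\Local\Temp\setup.log"),
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS, 3068).items():
        print(key, value)
```

On a real endpoint feed (Sysmon event 1 or equivalent), `is_self_delete` is the higher-signal rule: a process whose child cmd.exe deletes that process's own image is rarely legitimate, while GUID-named executables under C:\Windows can occasionally come from installers, so that check is better used to enrich the first than to alert on its own.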

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe

    Filesize

    90KB

    MD5

    cef0794409df9bbf0bbd6a11921192b5

    SHA1

    f615f7f8d6a050b54618c54055f3674ab2b1bbc2

    SHA256

    4621ac6feae5072dd4e6f45d9a757008504c898df7d969ef699fdd3734d1f71a

    SHA512

    48d8003db778332bed604e91e7ee54c604246d10f9e4832a37c2bf1239c6588ef30777dcd2b17d64b5479a9c133b2b7fc318c697969c8a0f7088ea87d31d4d1d

  • C:\Windows\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe

    Filesize

    90KB

    MD5

    ecd71c26be7ac87a94e410691f1eec74

    SHA1

    2aa89621a2c1d52303a8fc7b8b230a575ff8be81

    SHA256

    bd9bb8a1df203a16da0c74060647ff270359c4b82927d56ceeddaeea65d4fb74

    SHA512

    7b76dd53c9dfd7095a6ea4e8ba3eec37a6fbe049c0e843138f99a9d0503205cc312c05227e10febfce948adfc5dc0f57af5b223fbd60945646529e977a4e7baf

  • C:\Windows\{1EAC1BEC-58DD-48b1-8959-797F81087644}.exe

    Filesize

    90KB

    MD5

    10f45f251922bccf6a0562c0e7f2f1e8

    SHA1

    4fa35847050f1e8171700f65bb3a78dfbb55440f

    SHA256

    b749d801363710eed532a152dd7d488fb0f056da8790ba20978317615f12e7dd

    SHA512

    9ff317b6a09c30ac7913f51408d6ae0d305621d790fb0a0d96ee3a65a4446b89941cbfddb328e31861ac11215ba81515bee750ecb325fe91f5e0436fc3521a7d

  • C:\Windows\{237773CD-97F6-4dd9-A15E-A217189902B7}.exe

    Filesize

    90KB

    MD5

    a2d29cbcbf8dff3f3b33a3600071628e

    SHA1

    69ef4cf10121e765f585975fed2814b1a7d6012a

    SHA256

    4c3388aabca50cf371c927a43bc8bf7317bd924e7712935ccc0c93d4a908df30

    SHA512

    0d0f983381e99e08e559c23faf6221078c66c16ee892b2ccd9d806d4242f564111d64df07001f2a913564ee8766c98ad16525c47f8374d8254ed2196c492aa26

  • C:\Windows\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe

    Filesize

    90KB

    MD5

    552c64da0c2eb4b60081696f10d5a437

    SHA1

    7b3fb5f60ea32670682cc674999692a6d0965657

    SHA256

    1572ed7d602ad165ab00ace9af651cb131a462a9794748e23851548e9771d201

    SHA512

    93a9c895d1f5e4b9527d948bdcee2f39c5bc6ba88897f36fae9812e61c04a656c8cb126aeb8fa146804a3c40639678e6591e8cd0aedd4c5b99f9a50575da9085

  • C:\Windows\{63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe

    Filesize

    90KB

    MD5

    6d3d6176fd83748685620f417afa8d59

    SHA1

    361b447ee2f1224acd63b515ca5e1423bada988f

    SHA256

    a435997235b2ff997ab69501fecf9ee94aa02ca1f173d8492a6f399c1d6af56c

    SHA512

    d9b5c5b36ef2b65e7942b7c352654962796217bb7d5a02f7bbafb3a89c25f9e16833a8374d03db48feafbddc918f5c83e20e645ecfbf3a0722fa949f9d49296c

  • C:\Windows\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe

    Filesize

    90KB

    MD5

    15f85bf4c7582134afe382d006363362

    SHA1

    e77017f56508a0fa15ac68fb0e142ebddfa796eb

    SHA256

    bb3fb8853777ec283cb22ee72ea035cddf8ad1b11563ad56ae7b95c19dcfb5a3

    SHA512

    f6c29d1831d3059fbebf66507217902b774f64416cb30c4caaccc778c986b4aac9f5ff1002913c468fb77fc91a4b76c3fba6240f580fe479a886fd8b19d077fb

  • C:\Windows\{90F53314-2378-425c-B409-9047000F5EEB}.exe

    Filesize

    90KB

    MD5

    0ccd00adee2fe451129c3556db0fa5de

    SHA1

    e4ffd881e77db91b527998e6fae31cfd85c3e801

    SHA256

    b06e7fbfee4c7a2531786d1aacb700002eeb713c71e2173ab06a04f36fa1fc18

    SHA512

    5bd97ab46d1d01de35a7e09c54e3bee46f10b18771e1424bd660a85a0435003b1201009956e3e7136c704a9a93d338ddb5fcdeb69b41172316f191b0a4124dea

  • C:\Windows\{A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe

    Filesize

    90KB

    MD5

    7f7c32225757fb5851ddcbb7344b842a

    SHA1

    3b15afe2496526414c5858379659fa2a30f30ecb

    SHA256

    90efe14eeaff0a14eb9615fc88904f98360665384644c0a887e244f34114d1c1

    SHA512

    2f72e8aa7793c2731c35f4a6f1d4b2cb185416174c981df4e53596d9f4201e0bc3f52f7655785bed4a182bb9fb5e47a8fe5cde5170d25ce4b14e2be9042d336e

  • memory/976-53-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1964-47-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1964-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2124-14-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2124-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2596-29-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2596-25-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3068-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3068-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3068-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3908-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3908-34-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3948-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3948-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3948-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4356-36-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4356-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4856-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/5012-23-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB