Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2024 01:48

General

  • Target

    f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe

  • Size

    89KB

  • MD5

    cedcef677784b59e571f645f4350dea0

  • SHA1

    b5a536b738e59bc5aa19b2860d955e9ae8200a91

  • SHA256

    f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128da

  • SHA512

    725f8e64a544008a00efe27c7c32157adaeb18dea4e0b8cbe7854bebd8ae1984443e1b438238c7d1d96980f0600c5a6b1be49ddceb1910f7062e9cbfd6385d29

  • SSDEEP

    768:Qvw9816vhKQLrop4/wQRNrfrunMxVFA3b7glL:YEGh0opl2unMxVS3Hg9

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe
    "C:\Users\Admin\AppData\Local\Temp\f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\{44FC080A-7531-4474-B9AE-AB25B39F1022}.exe
      C:\Windows\{44FC080A-7531-4474-B9AE-AB25B39F1022}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\{44D9757C-D1D7-4e2d-8248-614B5FD7B249}.exe
        C:\Windows\{44D9757C-D1D7-4e2d-8248-614B5FD7B249}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\{4D3D52F0-4E7C-4ad0-A043-B7BBB80FDDF0}.exe
          C:\Windows\{4D3D52F0-4E7C-4ad0-A043-B7BBB80FDDF0}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\{0BA82302-1CA8-4cb2-B8E1-F93F50722CD6}.exe
            C:\Windows\{0BA82302-1CA8-4cb2-B8E1-F93F50722CD6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\{FE3E4041-6EBF-4f04-B6EA-B5C13D4969C6}.exe
              C:\Windows\{FE3E4041-6EBF-4f04-B6EA-B5C13D4969C6}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3020
              • C:\Windows\{D3783E75-1505-42c0-9A23-0D887C0B6849}.exe
                C:\Windows\{D3783E75-1505-42c0-9A23-0D887C0B6849}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2488
                • C:\Windows\{9FAF1DA4-0C84-46bf-A1E1-A586C504F283}.exe
                  C:\Windows\{9FAF1DA4-0C84-46bf-A1E1-A586C504F283}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1972
                  • C:\Windows\{25A98949-75FD-4fd6-A6F8-344077FB4C87}.exe
                    C:\Windows\{25A98949-75FD-4fd6-A6F8-344077FB4C87}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2300
                    • C:\Windows\{B763C95B-1048-4fe2-82DD-02EECFE73E62}.exe
                      C:\Windows\{B763C95B-1048-4fe2-82DD-02EECFE73E62}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1032
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{25A98~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1188
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9FAF1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1728
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D3783~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1352
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3E4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1444
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0BA82~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:768
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4D3D5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{44D97~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44FC0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F619DD~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2460

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0BA82302-1CA8-4cb2-B8E1-F93F50722CD6}.exe

    Filesize

    89KB

    MD5

    fd0afedf2301ab8e50a0c2d1256a8516

    SHA1

    3bc5b3cdea879ff10ab65225106bd43ca6db1f1a

    SHA256

    fba57ba5a4a3c016d641f7074fdc5ac104be47e35c693ca6791fd7989ccf552d

    SHA512

    2fd0a8d2c54b74e94294aeb06f8b769b621b244b9c0553d9666d13631d78e19ff0adc33bd3c5d176b2af32d4bc40f15e371b02ce7305546fc0c36edb61f95bbb

  • C:\Windows\{25A98949-75FD-4fd6-A6F8-344077FB4C87}.exe

    Filesize

    89KB

    MD5

    a36432feb07e253e8a1e2005b1229e21

    SHA1

    94e7de201ee5de96b790b1ef8eedd57ce95b1068

    SHA256

    37362dc8fbd6d05505e834e956cb725b3d0b57b5980570c9bb7aab58a006905d

    SHA512

    89d3f9c061ddde86cd60f356bac7465221edd9076c0b06e18d84b96c0ca7b3e0d1ed0a5627d3ec62530e06042de574d3e344a72ccb30ef60ea608d6b8f74938d

  • C:\Windows\{44D9757C-D1D7-4e2d-8248-614B5FD7B249}.exe

    Filesize

    89KB

    MD5

    fd2fe5af6fbb91aded1be12ec82bd4cf

    SHA1

    a4d2e99dbd24b6310be1acf35f1aa2fecc0064ee

    SHA256

    7acb8551d37c7cd49a5638d24c730fcd8c6686edd64097f664a7027c1ea9e601

    SHA512

    21073669b838fb8fe4d186a4159cef8548f3e0852ae1f476fdfbf79ae59c66a51d360053d8686da29c3d09172311c3ca483e91f3ad3ce8ed63feaa01b13e37d2

  • C:\Windows\{44FC080A-7531-4474-B9AE-AB25B39F1022}.exe

    Filesize

    89KB

    MD5

    b490b0fe6dbe03e7cde09b0f9c4f68da

    SHA1

    b939e2276aa6c412a2af7e1f9a4f89b888e61bd1

    SHA256

    99948138d671b657b41337fc23217513eab77ede0f354e58c9623e5d7a77929b

    SHA512

    3a67805b24b27a13827acd6007c0106c9167061a4bc34b59346732c22ab3ebd665a2799e6e5d65c85a7790b4ce1a737d85e1b014050f7addc4d8c0d2b0b4808e

  • C:\Windows\{4D3D52F0-4E7C-4ad0-A043-B7BBB80FDDF0}.exe

    Filesize

    89KB

    MD5

    023a446e038b74cae111104823b4f2ba

    SHA1

    30e3a350f5e88503b8351167f0a85c1df52166b9

    SHA256

    e18fb0271f39242ef94afb4c6bf16163f1e05f0180e0c00ad84f881c4ee78f85

    SHA512

    62e30e4f586983c369dbb43809137f670ec08e1210a131a5d5d32ebead756db59bd045b8ab2f83916bb4889058706e6e4e296829b4737f31e3456045a70bc640

  • C:\Windows\{9FAF1DA4-0C84-46bf-A1E1-A586C504F283}.exe

    Filesize

    89KB

    MD5

    a79ae512713625373e648476614c14ae

    SHA1

    e97c3bd4dcf0ef2ee58a7ac361199a34ab4b9a04

    SHA256

    7ffc44ae9e7652b3ac8ce6350da710a6c95d1bc8433ee04c88184c0c2baa9ab6

    SHA512

    1b1c79bf5159cf5fd322f5cc29cb115376bd926091c7a9f856eb7282d559d502f6329ca1542bf8d2cc32bf16f989916c9451c1d9c08dd690a0d7c3c619c917cb

  • C:\Windows\{B763C95B-1048-4fe2-82DD-02EECFE73E62}.exe

    Filesize

    89KB

    MD5

    69db5de6e55c0f24283938ecd63b5108

    SHA1

    9e21e005a744e583a2639d2e77ad19de306e33c3

    SHA256

    db63484a99e6ab0298076e32d7a0e583fb64b952f4efc0116af0e56e45e7b604

    SHA512

    54c11254af032f7d623382f3da211ea81c5ecbad404746d1a60ea1e78563756819465a84ba1f431ef26c50c9a01c0ca9de04a55874018544060c5b71a28240e0

  • C:\Windows\{D3783E75-1505-42c0-9A23-0D887C0B6849}.exe

    Filesize

    89KB

    MD5

    e98306e5db6dc6cfa5e256ae45c87918

    SHA1

    9fbde109f453d62595ca6427f5ec89228c806903

    SHA256

    097fd8835bb80c40f873efe4aa84e823c9c740a96b0fb0f549892b7f4cf7f2ae

    SHA512

    587dae7e52611e8370d09898efa31af02843a7b00c1fa049ef01a0a8216618f26f7c7f1939d7018003029e07f775e07fcee2233600616d006269c85e8ee2b035

  • C:\Windows\{FE3E4041-6EBF-4f04-B6EA-B5C13D4969C6}.exe

    Filesize

    89KB

    MD5

    fa09a84b2829daf5cdd012acc01c85ee

    SHA1

    3043bded88fb1bc4bec245ed1a72bcd60615eb1c

    SHA256

    df114bbed4c50030db56548e120965c39024e784729173ee46e9b2cbde29bc36

    SHA512

    bbdccb5f1ed82e2675a6312e510711fdf82138f612a0529320e14e47191c1bcc0a08c7e3c797434a721aa87889ebec99545e8d47631690fff64c817e7cc05c6e