Analysis

  • max time kernel
    149s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2024, 04:32

General

  • Target

    f0449988477c22b4a66d09beb5d108ed984e623b12b39894dc2cadef4908e0fc.exe

  • Size

    89KB

  • MD5

    51006b9d16556ff65b09bee4786991ee

  • SHA1

    4be501b5a03b2f8d77272c5e4a71b0e05e975d8b

  • SHA256

    f0449988477c22b4a66d09beb5d108ed984e623b12b39894dc2cadef4908e0fc

  • SHA512

    e7243cbbc503b49b8874bb5cedcb4689e762418120ab93aa86cfeb67d8e2d9d5ee9dc5f6a7b8f8bab92a286f01115c34de4e60376acbe3e2744f084aad71330f

  • SSDEEP

    768:Qvw9816vhKQLroU4/wQRN/frunMxVFA3b7gl1:YEGh0oUlKunMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0449988477c22b4a66d09beb5d108ed984e623b12b39894dc2cadef4908e0fc.exe
    "C:\Users\Admin\AppData\Local\Temp\f0449988477c22b4a66d09beb5d108ed984e623b12b39894dc2cadef4908e0fc.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\{21A4098D-096B-4d16-9AA1-A20F92360A0F}.exe
      C:\Windows\{21A4098D-096B-4d16-9AA1-A20F92360A0F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\{BC965219-47D8-4604-8556-E7E2F5369ED1}.exe
        C:\Windows\{BC965219-47D8-4604-8556-E7E2F5369ED1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Windows\{4857C7FD-DDE7-4a6d-A1B0-80CE3FCFD744}.exe
          C:\Windows\{4857C7FD-DDE7-4a6d-A1B0-80CE3FCFD744}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3896
          • C:\Windows\{A795BC58-62AB-472f-A062-4C527EABC6C2}.exe
            C:\Windows\{A795BC58-62AB-472f-A062-4C527EABC6C2}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3108
            • C:\Windows\{F5E2BD3F-6CEE-400c-99EB-B542099E4A4D}.exe
              C:\Windows\{F5E2BD3F-6CEE-400c-99EB-B542099E4A4D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1360
              • C:\Windows\{A98F3797-CAAF-4fc3-B3BF-4B1D7C963759}.exe
                C:\Windows\{A98F3797-CAAF-4fc3-B3BF-4B1D7C963759}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1800
                • C:\Windows\{42CCEDC8-93E0-4ff2-B9D3-D2CBB1AB5BA0}.exe
                  C:\Windows\{42CCEDC8-93E0-4ff2-B9D3-D2CBB1AB5BA0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1208
                  • C:\Windows\{7DE0EEA7-1E96-4d6b-8A4F-3214E4125D9C}.exe
                    C:\Windows\{7DE0EEA7-1E96-4d6b-8A4F-3214E4125D9C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4324
                    • C:\Windows\{462A3DA2-F722-492b-9C19-BD45C080A163}.exe
                      C:\Windows\{462A3DA2-F722-492b-9C19-BD45C080A163}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3004
                      • C:\Windows\{D11F11B0-A01E-4c0f-93BF-E4382BF8150B}.exe
                        C:\Windows\{D11F11B0-A01E-4c0f-93BF-E4382BF8150B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4976
                        • C:\Windows\{796B8392-62F1-4258-93CB-FF6A7F132B5C}.exe
                          C:\Windows\{796B8392-62F1-4258-93CB-FF6A7F132B5C}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3972
                          • C:\Windows\{6849A35C-94C7-4e92-8410-B5A9F6EAA1AD}.exe
                            C:\Windows\{6849A35C-94C7-4e92-8410-B5A9F6EAA1AD}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4664
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{796B8~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4000
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D11F1~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2824
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{462A3~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2092
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7DE0E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:468
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{42CCE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3944
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A98F3~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4596
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F5E2B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3876
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A795B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3792
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4857C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BC965~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4272
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21A40~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F04499~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4676

Network

MITRE ATT&CK Enterprise v15


Downloads
