Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 22:57

General

  • Target

    3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe

  • Size

    79KB

  • MD5

    3de62953984f94a7f72a2bababed3160

  • SHA1

    25f1da1e90666609ca8bf2fe8a6111da64b04a6e

  • SHA256

    3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02

  • SHA512

    7d4fe7eac0d1dd60d87d5e48c16b75a3014c546348a255a1ff736b29b6d9d352cf74e9920a0818a555059ab10b57507b0d70d4975f22d6dfa5e3b6758003ae6a

  • SSDEEP

    768:4vw9816vhKQLror4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0orloWMZ3izbR9Xwzz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe
    "C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe
      C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe
        C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe
          C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:536
          • C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe
            C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe
              C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1800
              • C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe
                C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1444
                • C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe
                  C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:956
                  • C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe
                    C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:316
                    • C:\Windows\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe
                      C:\Windows\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:976
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D629~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:276
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CDB7~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2784
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6BFDF~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2988
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C3579~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2976
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4C905~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2164
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0A655~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B10AB~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2728
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5494D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A7333~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:668

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0A655707-6F93-44e7-A14B-110193113253}.exe

    Filesize

    79KB

    MD5

    13e29c34799003e98bb1dc95f66e12e2

    SHA1

    49ba042997f19333eb204c565cd7cf913b518b8d

    SHA256

    8f6ee51aaa66719a4ef69f85e566cd048328871b0359c387e1a31ff75771e485

    SHA512

    a4cd5b2e3d1f77a70baf7edbfb864d3a59750b09aec70b92c842ed7eda7bbe0705e9770a916b984bc3b0325f93551bc15020c93b5b5d6fb05423f0f65618822d

  • C:\Windows\{4C905348-4D36-4ede-B365-5DE741C54AAC}.exe

    Filesize

    79KB

    MD5

    d10211450792d38de51beaabd0b6f5f8

    SHA1

    066a0ced2096e15634c377e3b1559d51acc74012

    SHA256

    1390c36eee912ae5d97a931ceb740c364f9ef6be3b6ded0290627de29b78605a

    SHA512

    d9b00f62afc7362710a5d384e7777163e6c2ad9ef29af3d44adfea469b0173ff128f69eb77dab7b23fbb539fd791bd89f651391e7fac433b607ac3a94d105b98

  • C:\Windows\{5494D5F6-869C-4a30-839E-70A1DCD2C71C}.exe

    Filesize

    79KB

    MD5

    41bbe8aa36764e09496f2ce07e3403dd

    SHA1

    18723c29ebeab71217c7c47953530359048286db

    SHA256

    431d1a32dcf96b7438dbafd2f00c68999de0f9bdc67815993ac3825f55bd81c0

    SHA512

    87106aa175d92a08734e31ffa512b09fb84b7795bd6eb592f81b9f9d8407678fb0967d748820af8240346154ca88470df3dba49e1620330d99cab0fc3a8ed4c1

  • C:\Windows\{6BFDF62C-A144-40f0-8697-A04E04158336}.exe

    Filesize

    79KB

    MD5

    a8b0f06782521c7c89be715d9a30cde6

    SHA1

    63e870bdf4edcdfa3c98ca231ad7beb76ecafd34

    SHA256

    d21e417254a67dba589658e35b2129818ca1680a7b5bfd216f9a508c90dab8c1

    SHA512

    6ddf826e1f7acfb14ed15836db119f19deaaade9fd7b58f01ba1df5bf51203d999b448488b8fd9c237c3182656112f9d6caf66820bbf7e3c83157304ba0f5e19

  • C:\Windows\{8D6294A7-B600-4c0c-8400-73FDF66D6407}.exe

    Filesize

    79KB

    MD5

    97a8a95207694bb5b99eb4c2fa9a2cd0

    SHA1

    9b4e59d34153b6b5f4157a17ff378902606198bc

    SHA256

    fd32471cd32057c79370ad31013eab596ed190dc4969b829bb34b1e31ba463e1

    SHA512

    1119cd70c481a69a07ddf04ba9c2bf5ca2d6962baa54fd64b7dd41bd34225147a8ec14c3ae5a2cf5e10cc1ef00f0fa694502b43d99eecc00d711dae47f74b001

  • C:\Windows\{9CDB776C-5CC4-4074-9A95-D7BB18E4320F}.exe

    Filesize

    79KB

    MD5

    621ac05b7c13e594d046c8b7fb5e75a7

    SHA1

    bbbf1ef45cf316aa1b3456f85e37fccef3b087d4

    SHA256

    dd55fa3190182e85a47ef389651383596581d92ef71444751d6c95af00c59114

    SHA512

    eb64a84c60504d39b5d9596f7808639b2aa3109af9f80a3ba630914601b3613baee76020b6336c39b0677137027a41995f7f9643bfc88795b408f1d0bfe1fd6c

  • C:\Windows\{B10AB623-4331-4c48-8B5B-713A2709348B}.exe

    Filesize

    79KB

    MD5

    d35c4a4f628ae38c8548df1d94e3dfcb

    SHA1

    a7d4601cc6e852d944bb3438258865bec5a90959

    SHA256

    9a2c3ba664569d11ab51f6841ca08073efeb1a4a71720cb2355c1fcc1db3af4d

    SHA512

    4da884f6a8bafcbe02d8876b87a33605c952121ee7f1cbf6426e1869aba04f00986d145df2732e16e7a3bf57db31e13f2d904311584882269f35fe0d0822fb37

  • C:\Windows\{C3579BBB-F2A9-4acb-9D5D-51AA03E343FB}.exe

    Filesize

    79KB

    MD5

    8df82f5e49e8891499f8f7615335d45e

    SHA1

    9e197cfea47a2722dcd8bf9b0de70870a82792d0

    SHA256

    9be77f425fd14abdc0ec2ce67f290c8f96b8d8e07b979e1777776e2bc81354ec

    SHA512

    c4b3e5f015df2206f80251efc26fdc949613bbdf4b148d17ce7773a40834d0b5b1f1a29c421ac2b77b115d275c18a1cae6e86345e30693cbba66def71ae57cc3

  • C:\Windows\{F26E6605-BA5D-45e0-B32A-98647C97D4BB}.exe

    Filesize

    79KB

    MD5

    719954da1453ba8e33d638ec5096bc86

    SHA1

    63233f3dc98dd0941704d2de75bfeedbb48f5464

    SHA256

    91d5b9eb9d648b4a1b1fe8459b679d32c5b777cf3d2610f8bc73775d0614bd87

    SHA512

    34a7de46b0ca424e6e35b0eb5ca7b84d39781a6ad64c27e3d58d870dd93537a0d1f59009bddec42d172fb4e91d282c0babe2076ee8111bc232a16a32156ff427