Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 22:57

General

  • Target
    3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe
  • Size
    79KB
  • MD5
    3de62953984f94a7f72a2bababed3160
  • SHA1
    25f1da1e90666609ca8bf2fe8a6111da64b04a6e
  • SHA256
    3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02
  • SHA512
    7d4fe7eac0d1dd60d87d5e48c16b75a3014c546348a255a1ff736b29b6d9d352cf74e9920a0818a555059ab10b57507b0d70d4975f22d6dfa5e3b6758003ae6a
  • SSDEEP
    768:4vw9816vhKQLror4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0orloWMZ3izbR9Xwzz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe
    "C:\Users\Admin\AppData\Local\Temp\3a7333aa7c3eb7ddccd7e338e19597711e798b84bd8966241855b5a2a42c5d02N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe
      C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe
        C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe
          C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3332
          • C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe
            C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe
              C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4844
              • C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe
                C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1812
                • C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe
                  C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2104
                  • C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe
                    C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3672
                    • C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe
                      C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2236
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{27E3F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2300
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{640FD~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4560
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{15900~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4380
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0C6DA~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3164
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{179D1~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5000
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{11051~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{84755~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D892~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A7333~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0C6DA687-B3E3-4177-B9D4-63E8DE790E58}.exe
    Filesize: 79KB
    MD5: 7191e492cd1ef18739ff5bbdec5dbed3
    SHA1: 36e1d03dc301c4d4de671ffb9b0e066dd3035970
    SHA256: 4c99f7327e07c74d802da6e5778254069349ed1e3bc6889ab9577282a835bd64
    SHA512: d66d5ef47653683ac34db6bd8d442b96909162b4375165fc261055af60281839c548671c944af1ff31d7ddb8b5a855cdfd56aa625cb8cb46501b5ed174492f62

  • C:\Windows\{110512C6-A217-48ed-B7DA-4B94A50BF357}.exe
    Filesize: 79KB
    MD5: 53f120bd701c16ed39692a808ae57e4a
    SHA1: 8a4c3953133ffdcffc6da39fd41c8578f5996cb3
    SHA256: 3f1c6b015b57862d79d891ad055acbcbf1acd1aa1d8beb3589f8a0f651b29e98
    SHA512: 0a851dd81a052ef6d4a45babc29b13f7ec7be308404f55f89503bbdd08a80f55e1902b8f76beab0cf89761facf74635738b1ecf74be03ecfec105187159aafc1

  • C:\Windows\{15900012-9144-4bf5-B06B-1224CE75B3C5}.exe
    Filesize: 79KB
    MD5: 8bf2dc1f01dd09af8002efdc0f917227
    SHA1: 06be7b9a3747c830a4a3a6f24b971f218a7b16d9
    SHA256: efee5c33841c2a798ea5b291f10624c52214b4a877655fa8e74a6686bd6d90d6
    SHA512: 1d74d57fe039be34c35a82b2b469b70da2347ea9ab3d154bb9d316d78336187c93d07e029ea5ad0140d8ba62de646756b32d3af70b545dc73cd52afd5a204631

  • C:\Windows\{179D1D7B-C3D1-47cf-B15C-8B4D2C26407C}.exe
    Filesize: 79KB
    MD5: 41c3e0ee818ed1cc6566e2346f1ff862
    SHA1: a33762984d88a6da972b6c1fe1fd95d30ff3bb03
    SHA256: 799d55a89a577f9fe19bbd978848da7eb1b1fef4bbb5b73caec043e443582593
    SHA512: 2d8d12f1ef2e87a71adb5cda5baec9ed775d2ef1c075ed1dbe36ec38369bd85fccfacb9f1294326b98dc0ad3157645a391db34b15d7b7b54b1178fd564d3a6b9

  • C:\Windows\{27E3F2C1-1992-4f67-BFC9-654AABF47BD5}.exe
    Filesize: 79KB
    MD5: d608454c51e2b040242d08fcc2ad53e7
    SHA1: e0440b4766e2968987326ed919030834c094f4e1
    SHA256: f76001bc7fa13b5443a27f28f0cd3da477169b015d42471caf5260d0033650b7
    SHA512: c3b5327178c609d3de0c795652089c8ed7b7a45cf169c87ec16790147f42e6f04da4138fe7d71a2ba2b37ec87ca8d88ab150b1fc2d8079d753fdca6f1d293662

  • C:\Windows\{48DC7265-BFA0-4c1d-96E6-6D4FC010AF23}.exe
    Filesize: 79KB
    MD5: d07adae407fe22b932ca84df03b5ca35
    SHA1: 83014b25f87c4c6ef5d517df281ce6fb6aed12ee
    SHA256: 8b583982e240af6110d4738cf18b83c8b27682f466eb429073d130f73e9c119f
    SHA512: cf9232b3848c68b5ff68277dd4bcff671e2a70602eb8dba3ac997b2f47c77131a85716c88e0f01d81b156e1ccea36e25a2e0cb20403ccba855669febf9a1c382

  • C:\Windows\{640FD6DD-E5EF-45ff-8FE0-3CFF50235318}.exe
    Filesize: 79KB
    MD5: e2df25408083361b0e5ce3f8b6066da4
    SHA1: 2dcf283656b2669729dd331f92482d431f372975
    SHA256: 7983bc5e8254ebc00199f540448c79f0619681c15a0bad91361c521f74c50a23
    SHA512: e205380666fe474dd7dd3d593274c5ecab88a269a3f8e81e0887a0181425a0b97191fb265b8bcd982ef26abfc62e85b22ac5dd08716d4270ea6d49c992931633

  • C:\Windows\{84755F7E-93F2-49f8-A2CB-BFDFB0F2406C}.exe
    Filesize: 79KB
    MD5: a7e2e39b932beea4e40f24c6bbd25fff
    SHA1: d5b3f239c47d202f1487ee75bea313a7cd741b94
    SHA256: f9a380a180ff6fcd5fe9ff3e8f069a248d59045f3e77efca1dc204712bde4f34
    SHA512: ba667b83cc53ca60048c3fd8c4b3800fcbb91f98d726d2919fc75ded7aa3dc18e581d395dda3b1b7d27968c909fbb825dc7dcdeb981442f3b449cb31bc50b5c8

  • C:\Windows\{8D89223B-2661-413a-9BDE-C69E53005914}.exe
    Filesize: 79KB
    MD5: 255df5c3a495f74175c77bbb50a3f5e4
    SHA1: 0bfea9f202e679e6600a454e853a6ba7ad311ae9
    SHA256: 1f00cf60557521dec87ebe1c576209e7717537daff61bbae9a7ac61463e994c1
    SHA512: 97529f10f866c6a169033dedecab356d295fbfd6f05bf9219622d28e3bbf371fb976bc7da2583dc02dd87d6fe46edd37725044e5716ff35af5e9f7f8d12f2c78