Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 20:29

General

  • Target

    221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe

  • Size

    90KB

  • MD5

    30a6d321480dda3cb2bc4c5c1bc991f4

  • SHA1

    01ad7a2a16ed58745c86090b3e5e9c746beebe45

  • SHA256

    221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a

  • SHA512

    9062facdfc86defd1a34caadefb207159d36c0e228ef08ed736d26886feea87b610431fb3569ab4beaa139800113633acbf93dc68692d44a543bf440b06f0780

  • SSDEEP

    768:Qvw9816vhKQLro/4/wQRNrfrunMxVFA3b7glw:YEGh0o/l2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe
    "C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe
      C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe
        C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe
          C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe
            C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1088
            • C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe
              C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2224
              • C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe
                C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1152
                • C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe
                  C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2336
                  • C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe
                    C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1292
                    • C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe
                      C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:780
                      • C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe
                        C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2148
                        • C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe
                          C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1444
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{68F41~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:800
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{14C80~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2400
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC013~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:760
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{81C74~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1952
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{333DA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1592
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{4E727~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1472
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{FFE01~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2376
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{806FA~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{321BD~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD7DF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\221D6A~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe

    Filesize

    90KB

    MD5

    e0f0440074bac29487ae52eb52634b78

    SHA1

    b56a43dbdfb1901dc38ba9a8506ad60dbf4e43a2

    SHA256

    28b4964ade4464effa0e1a855b2497630ed3e6bb63d278451e9280aad4a5fe7d

    SHA512

    c14a41aedef224832e5fec7814d6e0c0a00238be62836ec1e21379e47e15dbdf99334f3e32e72d1316b1f0d6d2d409fa0a1ca2e305b947f8e047c3c60563c195

  • C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe

    Filesize

    90KB

    MD5

    4adb2c4cee2053230f3392c38d69597f

    SHA1

    2cfc699b05e2f127cc192093fdc0303ec058325c

    SHA256

    7cfea42038a6e93d5c5cfbc9bbeac508406055ec08fae51dc6923939e5f94c56

    SHA512

    7823e0d63d33f227ec3a1ad2d2a69ebce4aea59bd33a1e96be7aecb4695e2f0e41fbcdf2df2411c760aa97eb000f54f553ccc2869572d0d5e13959c1e38147db

  • C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe

    Filesize

    90KB

    MD5

    cc62a883d244153a1dd9cc6dc86837bc

    SHA1

    ecc28bc0779911f7e543675100639d1f0684ea9c

    SHA256

    d928164fee36322a7116193d9e65d66c9bb4fb3af265b04ba04acefd6fb7b8ba

    SHA512

    6826e6c0d1630b234afd764cffc4bd1455327fb11994de207594881b0866a0fad3fbcffd72edf9a531964c3629ba49251afef8d0c5510b84f67edc43f48c37ee

  • C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe

    Filesize

    90KB

    MD5

    02fe8e3e099e0236a313dc2f3d651244

    SHA1

    a6338936f2d302923c8f0e3a3328d2664099d078

    SHA256

    acec59430595dec6f1d44e055270835ac396107473598b68bec6477ad3e6eb52

    SHA512

    b61eb0451f2904fab2d177b28d15a82f5994da48057fbd01939e97eca63fc0638990fa64fbe5e47356989d976a3be97c99cfe05bd469a664bba4f17e1273c97e

  • C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe

    Filesize

    90KB

    MD5

    684d2213fe3435a7667ecf3d48889d79

    SHA1

    03194886726475bb2e683b4a0bbad43cb800e9c4

    SHA256

    78727e5627f51083d2e32c76a9a00155d9a4382aff51aa30d5fb1756336a28ea

    SHA512

    224af68bf9049be1ce2969b8ab7a556877fdf1a38575321b3d0a0624bef4516083b37b3a3e15da4b3e62e5e2d4f942c821beb6dca1bfcb5c47969aac39e9af6b

  • C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe

    Filesize

    90KB

    MD5

    90d9e2b0f302fb7a21d68b62682f4c99

    SHA1

    4372e08932a3067a1b4c4335e6ede8b3ec638b92

    SHA256

    ddb646aadc3b95adbefd882e839b37da5d67f93142ef69f4de579599bd221838

    SHA512

    66793eee94e25267ab8bc22b33ecf0fec1fe7b26a712242ab79131cf40edd6d8ee035d9cfc15fa0c14d0c81e8a05345963a3cb31f85523503b07622511cef520

  • C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe

    Filesize

    90KB

    MD5

    f56397d6d5b289c2d5a485244041c274

    SHA1

    d53b73ba9a9240a62d1f27a90ee77a62cb1f9678

    SHA256

    fd73b7b3b26b41703ff7af792f95b2fa9b240af806accad15b6771f9dd21cd48

    SHA512

    6d6d895bb6406d09d8da805aadfcdd01e689e5c076dc94ddc2b68a1bac362f88553d8c292f8a2ea68485f10d6b7cf89605973ef89407fe677ebdc491726ef117

  • C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe

    Filesize

    90KB

    MD5

    f5f5827cce390bb883f14eb10dc21d44

    SHA1

    5be68615a08e5f7cdff6bd5cc636ff94d2f919bc

    SHA256

    b8adc5641110f385c27d671377bde963e046109027305b7812c52567253c99f8

    SHA512

    6bc430005f1e57096a27cb9cd315370c9c162382a7820bb882a1fdf89e6bf4996aff8f093b4cd77dd1ea71a2c24c7402c6132905bbe932590533f38a8b5ef313

  • C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe

    Filesize

    90KB

    MD5

    ecca7a9d9c9a50c40392ce7bb1190a06

    SHA1

    54b356ca54e79b983ca7c678ec0b61acbc5a246c

    SHA256

    9f427b283b75b347f8ed75102160f06141f1eaad66c197f3ee319145b817bfff

    SHA512

    9fbff5663ab89059cc1c58c607ddedda78ef31922fe57590680038844566b4124bfc29e90dd5272ade6e33e45935658d84e4ccb8d87c9fdb8b1301aa685794fb

  • C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe

    Filesize

    90KB

    MD5

    49cba099509e5458c2893a5a00bbdca3

    SHA1

    7c3f973ddbb5ddd7c84a7a00d08f40092473d301

    SHA256

    ad86b16a2c156e544a9f2e1219198dffc7dbde2cd6dd3028f84fd37f77142cc4

    SHA512

    f76adceb8225d479b25fc1244fce249502e0766b247014b82e7b924093ad3849b413dfc48b8a753b073e0e4ac887a67e109d4b4fcf436ab770e79e5f2e705176

  • C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe

    Filesize

    90KB

    MD5

    6f7734a8f8f9bc0d758d6d5dcb4f5b65

    SHA1

    8fb934490984d40fc422f361f0d22ae14470c683

    SHA256

    0956cc9fb2df8f0b80471f9fcdabf15d10477727864bab9a88770f431bd4dfe0

    SHA512

    f66b83d465d5fef41a7478af2d87d13d35110c6f4fb6a424b0e95b1633f7095a11b7f04e9cd1887a3e7190b7ea66a203fcd34dd48e9a7059e6bf2072d60aa13a