Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 20:29

General

  • Target

    221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe

  • Size

    90KB

  • MD5

    30a6d321480dda3cb2bc4c5c1bc991f4

  • SHA1

    01ad7a2a16ed58745c86090b3e5e9c746beebe45

  • SHA256

    221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a

  • SHA512

    9062facdfc86defd1a34caadefb207159d36c0e228ef08ed736d26886feea87b610431fb3569ab4beaa139800113633acbf93dc68692d44a543bf440b06f0780

  • SSDEEP

    768:Qvw9816vhKQLro/4/wQRNrfrunMxVFA3b7glw:YEGh0o/l2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe
    "C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe
      C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe
        C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe
          C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe
            C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4356
            • C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe
              C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1608
              • C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe
                C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:540
                • C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe
                  C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1996
                  • C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe
                    C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:672
                    • C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe
                      C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1580
                      • C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe
                        C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3520
                        • C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe
                          C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2404
                          • C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe
                            C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3420
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0EE~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0380B~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2360
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C88~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2508
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3044~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1400
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9862E~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3484
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AC799~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4372
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7CBBC~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2620
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BE3EA~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4072
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E11DD~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DF3D6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEAA7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\221D6A~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4924

Network

MITRE ATT&CK Enterprise v15

Downloads
