Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    09/11/2024, 19:48

General

  • Target

    713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe

  • Size

    87KB

  • MD5

    b0bf294b4fd731b84360e1bbcf4d8be0

  • SHA1

    5e39a181470843c1714399e78af18103394629d2

  • SHA256

    713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557

  • SHA512

    07a99fece68a18e0f48dac4397638bf786352e40a02e154c6ed3ae6d35a01e57eb45980b55e7a44d0c7aa3f0641630e70302a218fb6a392a7a7509ae5e51d36e

  • SSDEEP

    384:5bLwOs8AHsc4sM6whKiroZ4/CFsrdk5I1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUO3:5vw9816uhKiroZ4/wQNNrfrunMxVFj

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
    "C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
      C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
        C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
          C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
            C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe
              C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:836
              • C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
                C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2920
                • C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe
                  C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1996
                  • C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
                    C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2164
                    • C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe
                      C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:752
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5D4~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3000
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D68~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1040
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AF03F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1204
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{72F24~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2936
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{49B72~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2828
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9F6~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{2631B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2864
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5785E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\713EE2~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1108

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe

          Filesize

          87KB

          MD5

          bfeccaeab99b0c98313c61a65de3102d

          SHA1

          e9de292a121851daaa326a2d2e08a7b6d6453597

          SHA256

          154a2455827c6fb7b8869a91dd8747225ec199959cb6681c3e7940753ce8e1f4

          SHA512

          ccd67720eea04bd576653441ec1844d168992352fcd737b2cb0ef2ac910ed59463aaa5203401542b23aeb0b29209b4297d01945ba2fe2a246cffc7f1546d912e

        • C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe

          Filesize

          87KB

          MD5

          220250738f54fc7932ccc75d78cd1457

          SHA1

          ce855c9def53928476d328205dff0680cedf355c

          SHA256

          141b679178b0b868e98e8218273f431d1155a2c157b7e3046ad7fe74a5e1534a

          SHA512

          df58a859fe6ee5075a7226f571b7d2b9462a9f731d6bed6fd28738be9c58843925122aec85d21cf6c97f4499a5deb6565b66f9a863d8e382f9882a04aa9ba969

        • C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe

          Filesize

          87KB

          MD5

          fce388c48a7702fe11cfe9663029bdc9

          SHA1

          a682a29da553f8fcabb1afb86a623f8808fe616d

          SHA256

          d3f66a1f74f93ff2cc0c020e35b7f4c2377a14128089ef8fdcf14d5febc24541

          SHA512

          f3fd11d957875addf46d6c7a8fc86e86433db524210419ebd5bf392b7641cc876bd8b4da72b5870aae82bb91b744fdb72c3af7f45743c1e81f9231310ba9f97d

        • C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe

          Filesize

          87KB

          MD5

          dad5e32fdff8b9261f2bd5ad03d965c6

          SHA1

          b19c85101b36a375970010771b5aca33238093bd

          SHA256

          d0fcc934ca0c663f4e515d9c2ccdaf6f579c1dee0ac9b781aa30f352b4ed1259

          SHA512

          4d0e56a679268514b7ab054b8094afdc299df08809eec12b4302af56d2ee1210a468125e3e59174a20617ede0f75278d7ee6c8fb430a5dce03fdb00129c71273

        • C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe

          Filesize

          87KB

          MD5

          16a3ca5899f03911ea95d1fbcd394fec

          SHA1

          26914c92bc18f1bed89a2bc7d00a216322c915bd

          SHA256

          11620bb104af87ec575b6077434ef01864764969d445fa62d7a01058aac0123b

          SHA512

          dc00351926d150ae7413830b45a6a9a8665382ee91829ab60fa51402baa1b71f9a59a97d709355d785b826abf19ab23725cfc699008991eac4b49c6bbf859e85

        • C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe

          Filesize

          87KB

          MD5

          c08ef3b387f4a82201bfaf2e462953b7

          SHA1

          3904b0bad0f9afdb6c05ee1a4b2356158e967921

          SHA256

          77b31e6b995e749876c0b7b72f2ee9d341d9fd156dbe5ec6ffc71e12ebe78a0d

          SHA512

          f19d827b820830e9a5c59055a40ac1a47dc3ce646440309c36bf57d0f8e3465f9c4c2f8304ba716776dac1a8b9f1353b93defee0dc2c8a9447c020cdcceadd5c

        • C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe

          Filesize

          87KB

          MD5

          95ae5a19f060cca1d0a2ee342239efb2

          SHA1

          0620a3dd404b53158fb9c5faddc39cf5dd94f753

          SHA256

          9a36599a2fc9aad33094eaa1302fd330b0ad4bd21e08b2d8cab87f56be7fba4f

          SHA512

          88f5974f4e0991dfbd52f03d9f66528981a0a3ffb38f745f808c0df86a9a5fe9525c4c05d98360a2ad5ab0baf7df31b484dbb6e5e02972ca4b99ee35ed7b0779

        • C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe

          Filesize

          87KB

          MD5

          fd7c5cf7c437347c0ec699e6973f493b

          SHA1

          cb49fe0b5f520bca7b568a7f15084f86d2f9c14b

          SHA256

          f93f78ca1afa2362b926ff178aa0a4cc8c11fc9c9df971238d3832f3dc25d07d

          SHA512

          4fc89379d18c0f2668d101bd8bb519e06a1ddb015f16c2c9f8d5613469ee031e5cde43146f2e2fb89c243dad8ba7e96eca5dec13205504864a833600da065e38

        • C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe

          Filesize

          87KB

          MD5

          2241293ed4fc69772ce9cd8e8b58d38e

          SHA1

          aee8a26af9f2d2e0693cfbb09ad07aad22e2a4fc

          SHA256

          8a1cf3a9151c7a0503b98c96c5e545586e9728fe7f391d90d00cbfe65719d397

          SHA512

          a27d51773d264ff2dced7439d09c01eca60b6d1e881eb7c2900fd0cd43e32bc0f57aee3fcd4d476db9031fd9d634f4dfdd88f1ff1232241e9e13ef0b5254ff0e

        • memory/836-61-0x00000000003A0000-0x00000000003B1000-memory.dmp

          Filesize

          68KB

        • memory/836-57-0x00000000003A0000-0x00000000003B1000-memory.dmp

          Filesize

          68KB

        • memory/836-52-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/836-62-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1848-10-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1848-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1848-8-0x00000000005B0000-0x00000000005C1000-memory.dmp

          Filesize

          68KB

        • memory/1848-4-0x00000000005B0000-0x00000000005C1000-memory.dmp

          Filesize

          68KB

        • memory/1848-1-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1996-78-0x00000000003E0000-0x00000000003F1000-memory.dmp

          Filesize

          68KB

        • memory/1996-82-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1996-73-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2164-91-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2164-90-0x00000000003A0000-0x00000000003B1000-memory.dmp

          Filesize

          68KB

        • memory/2400-19-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2400-13-0x0000000000420000-0x0000000000431000-memory.dmp

          Filesize

          68KB

        • memory/2600-24-0x00000000005B0000-0x00000000005C1000-memory.dmp

          Filesize

          68KB

        • memory/2600-29-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2600-28-0x00000000005B0000-0x00000000005C1000-memory.dmp

          Filesize

          68KB

        • memory/2600-20-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2756-34-0x00000000002D0000-0x00000000002E1000-memory.dmp

          Filesize

          68KB

        • memory/2756-39-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2756-38-0x00000000002D0000-0x00000000002E1000-memory.dmp

          Filesize

          68KB

        • memory/2920-70-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2920-74-0x00000000004B0000-0x00000000004C1000-memory.dmp

          Filesize

          68KB

        • memory/2920-71-0x00000000004B0000-0x00000000004C1000-memory.dmp

          Filesize

          68KB

        • memory/3068-53-0x00000000002B0000-0x00000000002C1000-memory.dmp

          Filesize

          68KB

        • memory/3068-48-0x00000000002B0000-0x00000000002C1000-memory.dmp

          Filesize

          68KB

        • memory/3068-49-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/3068-50-0x00000000002B0000-0x00000000002C1000-memory.dmp

          Filesize

          68KB

        • memory/3068-41-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB