Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09/11/2024, 19:48

General

  • Target
    713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
  • Size
    87KB
  • MD5
    b0bf294b4fd731b84360e1bbcf4d8be0
  • SHA1
    5e39a181470843c1714399e78af18103394629d2
  • SHA256
    713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557
  • SHA512
    07a99fece68a18e0f48dac4397638bf786352e40a02e154c6ed3ae6d35a01e57eb45980b55e7a44d0c7aa3f0641630e70302a218fb6a392a7a7509ae5e51d36e
  • SSDEEP
    384:5bLwOs8AHsc4sM6whKiroZ4/CFsrdk5I1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUO3:5vw9816uhKiroZ4/wQNNrfrunMxVFj

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
    "C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
      C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
        C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3076
        • C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
          C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4876
          • C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
            C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4740
            • C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
              C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4560
              • C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
                C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5104
                • C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
                  C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4036
                  • C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
                    C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4556
                    • C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
                      C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3528
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3D612~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2412
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6ED2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4764
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F2917~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4672
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{15B8B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2604
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{250A4~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3712
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{67AFF~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:644
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EF3D0~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4516
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A83E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\713EE2~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4928

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
          Filesize
          87KB
          MD5
          2a2c04ac39201c8d046778757215f454
          SHA1
          78432332070cecae05d0d5594c682d84a54c30aa
          SHA256
          c85b0eec5600d942b8bfe485822a056667f550167faf89b556fefd9d49f1c747
          SHA512
          d11e58d672621a70ed9677d960030cab8327630418c2fe5d201a7722e57a74154f0c8330c8852635fd765b75e986dece616a1d464081d006ba19e37c5a7e0e93

        • C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
          Filesize
          87KB
          MD5
          0acb9e3a90c35532f9de3f3a37208c52
          SHA1
          4c33e5d1c6dcc5845c816e42880d64ad3958d24d
          SHA256
          30ab586b3759f869b348169a646264e0210b53d227db7c4093ecd4ff54b8804c
          SHA512
          a107fa6c0e86b600b5bfef7cee95673f1268b60377da84c32a264d9081fa7ace0931092bd0a8dbcc2aeac597256a07b894a6b9ac8afc1922a0e5d8de5c260c98

        • C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
          Filesize
          87KB
          MD5
          73c016645f066042e21ce34b2f5731e3
          SHA1
          e87aec85b28063342654bc7e2286fb10598d7552
          SHA256
          2561708509b6fb1c7a4eceb1c2148957f45b3dc3c780e0c0bef6667c25e8e639
          SHA512
          79711bf16828973a5f9433560152c5d1e23268dea585593597c835ac919196fbe150cca65d56b34dcfd450a6751da81609c66939c00d908f40effd1b91d8894e

        • C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
          Filesize
          87KB
          MD5
          9e90b1e21e136380008bce9beba943bb
          SHA1
          39be035e807330b6732a01bb5a8d3c724cfaeb82
          SHA256
          535105885bfc3c1d3a3e8e5a7336802b0bfb31c24bd3ed9039d876ab48a898e2
          SHA512
          9efa9e71741fd5cfec03421a4201b620398e5a029854e9a381f272eab94e6474c93ced078f9880885e147118f3eea3ccfe157bf5a604f44cbf7f5bfd030c7729

        • C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
          Filesize
          87KB
          MD5
          3ea8eb488d2c03a1b2aafc479bdad308
          SHA1
          7e0ebe05040e56e96c6e8d51e8d482c2be80f9f9
          SHA256
          a88c03e74d09f696d990d48a0590637966fa8ccc7d4f01e93e3f7c70be547e10
          SHA512
          8f9f2a2a6c76b00ca1350e371822d03f019dbf4a45f324227ea1054124fa347316999aa0e58f030a17191167915a42fe3d1322bb752151e0a6751e03832c15e8

        • C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
          Filesize
          87KB
          MD5
          44e87882e71544fdd1a39f9f0908e11f
          SHA1
          c1fc0e9bc84766474dda3ff15c7e31099f26bf4d
          SHA256
          e4ef5471c81d2045a471fab212d3844cda164b8fea18b90c78bb3f3586c5110a
          SHA512
          8889b9d19fe46a9be3e6a249dbda95e16c0e73af8b55506133617a8f706e120b863196d646b77759c3547fc72c35c1db3d2a086398aa0704bf06a786c414b4ef

        • C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
          Filesize
          87KB
          MD5
          5c89603187dd11d676859cd80d268cfb
          SHA1
          0c78dc4dbfc72d4bc94776b6011136a5877b965e
          SHA256
          99921341c32464844a3a5e258c505f4524ab4cff210be16d1fccf78e096b9e44
          SHA512
          28b2a2fdaceddeeef0df6f7516c117812512e4ad55e259e39b9299799f177a1acd2721efcdaa9e83a37429720e5cb97178db151a9cec38ce3befb3dd7362ed03

        • C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
          Filesize
          87KB
          MD5
          4d2c5e8ba4c00bcf43e75dcfd95cc460
          SHA1
          48ea815a62b0d818cb72a6c142cdd1e2afcb285e
          SHA256
          93227d22e9720e5ab8fef4d5b6c877ccfdab318eef3aeabba6aff3c9a5dfc3d5
          SHA512
          323ef6e7a2c1e9d36f7350378872738159f929927ea2b4b121547bc79f909e361796ee376d2e6a6c93c2e1656111548f82d2448661ed722a97a1dbcfbc2605c4

        • C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
          Filesize
          87KB
          MD5
          b0625623b1a0b5a4ee1b2c9c6cea6941
          SHA1
          a9b975b5cc8e718c6b906578d2bef5a4c7ac3fd7
          SHA256
          1063f7c06aa1aae9ef612bc6a765a05c4d526e6abfd92e6a098e33328abdfc00
          SHA512
          4c1d223b657df493721a18a896cb94833d04853c85af291be52d14926135c1288832406115a7160f175833b657a4e52f82d4414df90b070b9f0cbf7416e3159d

        • memory/1092-1-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/1092-7-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/1092-0-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/2452-12-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/2452-5-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/3076-13-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/3076-14-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/3076-19-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4036-48-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4036-44-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4556-50-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4556-55-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4560-32-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4560-36-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4740-31-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4740-25-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4876-20-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/4876-24-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/5104-37-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB
        • memory/5104-42-0x0000000000400000-0x0000000000411000-memory.dmp
          Filesize
          68KB