Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 20:36

General

  • Target

    949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe

  • Size

    79KB

  • MD5

    ead7f6b3af34c9b6b78d70efa1715510

  • SHA1

    2de3d4c7780e12b22e4bdd7c16c86ce08f90b7ce

  • SHA256

    949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1

  • SHA512

    de2e8044995dc723dd5b3bb61939dec4ae4cf96cf22c60398b7bd469d63853edb4e9b39fdfc8405ad4c077f5446cb9983bf9675b7d0f4282a23c59725bec602b

  • SSDEEP

    768:4vw9816vhKQLroH4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oHloWMZ3izbR9Xwzz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key under the local machine's Active Setup key (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components); the StubPath command of a component is run at the next interactive logon of every user who has not yet executed it.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
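The Active Setup signature above is the one worth chasing first on a live host, since it survives the sample deleting itself. The following script is an added example, not output of the sandbox or code from the sample: it parses a `reg export` of the Installed Components key and flags StubPath entries that point at a GUID-named executable in the Windows root, at a user-writable directory, or that are otherwise still armed (IsInstalled absent or non-zero). The .reg text is constructed for the example; only the {1FACB863-...} path is taken from this report, and the first entry merely mimics a stock Windows component.

```python
"""Triage an exported Active Setup 'Installed Components' key for StubPath entries
that look like the GUID-named executables this sample drops. Added example with
constructed input; nothing here is the sandbox's own output."""
import re
from dataclasses import dataclass, field

ACTIVE_SETUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Constructed `reg export` text. Entry 1 mimics a stock Windows component, entry 2
# mirrors the kind of C:\Windows\{GUID}.exe stub this sample drops, entry 3 is a
# made-up stub living in a user-writable directory.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1FACB863-7938-4578-A207-40D577BBFA0B}]
"StubPath"="C:\\Windows\\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0C1A2B3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Roaming\\update.exe\" /silent"
"""

GUID_EXE_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"(?:^|\\)(?:Users|Temp|ProgramData|AppData)(?:\\|$)", re.I)


@dataclass
class Component:
    guid: str
    values: dict = field(default_factory=dict)


def _unescape(s):
    # .reg files escape backslash and double quote inside string values
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Parse [key] / "name"=value lines of a .reg export into Component records."""
    comps, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(ACTIVE_SETUP_KEY.lower() + "\\"):
                current = Component(guid=key.rsplit("\\", 1)[1])
                comps.append(current)
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            current.values[name] = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            current.values[name] = _unescape(value[1:-1])
    return comps


def stub_executable(stub_path):
    """Return the program part of a StubPath command line (quoted or first token)."""
    stub_path = stub_path.strip()
    if stub_path.startswith('"'):
        end = stub_path.find('"', 1)
        return stub_path[1:end] if end > 0 else stub_path[1:]
    return stub_path.split(" ", 1)[0]


def triage(components):
    """Apply the checks an analyst runs over Active Setup entries; return findings."""
    findings = []
    for c in components:
        stub = c.values.get("StubPath")
        if not stub:
            continue
        # IsInstalled=0 disables the stub; absent or non-zero means it still runs at
        # logon for every user whose HKCU copy of the key is missing.
        if c.values.get("IsInstalled", 1) == 0:
            continue
        exe = stub_executable(stub)
        reasons = []
        if GUID_EXE_RE.match(exe.rsplit("\\", 1)[-1]):
            reasons.append("guid-named-executable")
        if USER_WRITABLE_RE.search(exe):
            reasons.append("user-writable-path")
        # a bare C:\Windows\<file> (two backslashes, no subdirectory) is not where
        # legitimate components live
        if exe.lower().startswith("c:\\windows\\") and exe.count("\\") == 2:
            reasons.append("dropped-in-windows-root")
        if reasons:
            findings.append({"guid": c.guid, "stub": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit)
```

On a real host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the HKCU copy, to see which users have already run the stub).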

Processes

  • C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe
    "C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe
      C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe
        C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe
          C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe
            C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe
              C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1664
              • C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe
                C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1984
                • C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe
                  C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2312
                  • C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe
                    C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1704
                    • C:\Windows\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe
                      C:\Windows\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2996
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9EEA4~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3032
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2B9C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1656
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9C7~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1008
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{21AF8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1072
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{10CB7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2724
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{EBD0B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DA3A6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2076
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FACB~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2188
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\949C0C~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2492
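The tree above shows the pattern clearly: each stage writes a GUID-named copy to C:\Windows, launches it, and spawns `cmd.exe /c del <own 8.3 name> > nul` to remove itself, so the original file and every intermediate stage are gone by the time a responder looks. The following detection is an added example (not the sandbox's code): it runs over Sysmon-style process-creation events, flags GUID-named executables in the Windows root with their depth in the parent chain, and flags a `cmd /c del` whose target is the image of its own parent. The events are constructed from the PIDs, paths and command lines in this report plus three made-up benign rows (an explorer.exe launcher and a build tool deleting a log); the 8.3 match is a prefix heuristic (first six characters of the stem), not a full short-name generator.

```python
"""Flag the drop-execute-delete chain from the process tree above in Sysmon-style
process-creation events. Added example; the events are constructed from the PIDs,
image paths and command lines shown in the report plus made-up benign rows."""
import re

GUID_EXE_RE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_RE = re.compile(r'/c\s+del\s+"?([^">]+?)"?\s*(?:>\s*nul)?\s*$', re.I)

# Constructed events: pids 2568/1320/1192/2492/2188 and their paths come from the
# report; pids 1000, 999 and 998 are made-up benign processes.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2568, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"'},
    {"pid": 1320, "ppid": 2568, "image": r"C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe",
     "cmdline": r"C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe"},
    {"pid": 1192, "ppid": 1320, "image": r"C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe",
     "cmdline": r"C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe"},
    {"pid": 2492, "ppid": 2568, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\949C0C~1.EXE > nul"},
    {"pid": 2188, "ppid": 1320, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1FACB~1.EXE > nul"},
    {"pid": 999, "ppid": 1, "image": r"C:\Program Files\Build\build.exe", "cmdline": "build.exe"},
    {"pid": 998, "ppid": 999, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\build.log > nul"},
]


def is_guid_named_windows_exe(image):
    """True for C:\\Windows\\{GUID}.exe, the naming this sample uses for every stage."""
    return bool(GUID_EXE_RE.match(image))


def deletion_target(cmdline):
    """Return the path passed to `cmd /c del ...`, or None if this is not a delete."""
    m = DEL_RE.search(cmdline)
    return m.group(1).strip() if m else None


def short_name_prefix(path):
    """Heuristic 8.3 stem: first six characters of the long stem, uppercased."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem[:6].upper()


def targets_parent(target, parent_image):
    """True if `target` (long or 8.3 form, e.g. {9EEA4~1.EXE) names `parent_image`."""
    tname = target.rsplit("\\", 1)[-1]
    if "~" not in tname:
        return tname.lower() == parent_image.rsplit("\\", 1)[-1].lower()
    same_dir = target.rsplit("\\", 1)[0].lower() == parent_image.rsplit("\\", 1)[0].lower()
    return same_dir and tname.split("~", 1)[0].upper() == short_name_prefix(parent_image)


def chain_depth(pid, by_pid):
    """How many consecutive GUID-named ancestors (including pid itself) a process has."""
    depth, cur = 0, by_pid.get(pid)
    while cur and is_guid_named_windows_exe(cur["image"]):
        depth += 1
        cur = by_pid.get(cur["ppid"])
    return depth


def detect(events):
    """Return ("guid_exe", pid, depth) and ("self_delete", cmd_pid, parent_pid) findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if is_guid_named_windows_exe(e["image"]):
            findings.append(("guid_exe", e["pid"], chain_depth(e["pid"], by_pid)))
        target = deletion_target(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if target and parent and targets_parent(target, parent["image"]):
            findings.append(("self_delete", e["pid"], e["ppid"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The self-delete rule deliberately keys on the parent relationship rather than on `del` alone; a build tool clearing its own log (pid 998 above) produces no finding, while the sample's first stage deleting 949C0C~1.EXE from %TEMP% is caught even though that stage is not GUID-named.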

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe

    Filesize

    79KB

    MD5

    5f09ff398ad308209f808fc3088185f9

    SHA1

    18ae5c3144524e96131bb2b28fe228c1bbf9c861

    SHA256

    386319227847c8a4fb83e4c0984ba24c25e517bdba6eead6ee6b2b69ba765115

    SHA512

    8158651bdbc8b5464a893f8205c03ced20ab8fd19b363d5ba6e682e37732d2bf86d8fcd769e97c49b17fe503347bb28d2946ce9e2dbb2c1764967c1c820830ce

  • C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe

    Filesize

    79KB

    MD5

    7d167ca937c83399e9f24227df842575

    SHA1

    0cfc6f33ca8f66fa150a5ad6621d8fde12849401

    SHA256

    a73bae9187db8225ff9e7a18a4c59931337e25ef19d6a7693b3fd52c03a9ac74

    SHA512

    b3d2744e3a8541f3d96e2c8a958db2c5e546c20f460092340b81b08397cc196d35172ce2a3a2f52c2ff0e355c9829117703c6f8c81f42a20d4ac3c1874433a0d

  • C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe

    Filesize

    79KB

    MD5

    24e732ab254fc3634d1a695fc9cf11ab

    SHA1

    776bd040448147d6ae89119c8717edad109411ec

    SHA256

    e653f43139313e3f3ea7f4dcef4c63806de7240442daea83de8e1e2109ad6494

    SHA512

    ecc63b1dbb43c68781c421622660de9d3b1b7b4b04b5b0113623bf58ede5c772e5aaff57686005ed0ba6229c196a97b7a5126544f721e3e3ec22d4b096523931

  • C:\Windows\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe

    Filesize

    79KB

    MD5

    de46c2c11a2c92eaf9ed8ca84afdfc1c

    SHA1

    3d7d753e71ef62d639ef215743939770978097f1

    SHA256

    266b544f327c1e2714e996c214799d5350b07e3aa376f0ec12cab04c4c19d072

    SHA512

    611e27d3cc61de5c900476714535932e6f1a61f6920013e36d8498abc74e1749a4ff5c87723dc6676c2b4d491cfd80e17faa5ec138dc3ad30a82d1b09d8c70f7

  • C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe

    Filesize

    79KB

    MD5

    12e1a9723c415c7c111be638b4e6a3d6

    SHA1

    8863bcc4f9de0584d54d1e68455c1489df3562f8

    SHA256

    e8466d3d2f1ea260846f2bfe0a2f2f8958aa0d44e3972bd5765c01051ae711b1

    SHA512

    df27cab1a1527948e63c727a6aced7fed0716aa32621ec8e3907f8b29cdeaf7e65f88c3674867016164b312cc55f453942db5918b2571590825e221fa3200a02

  • C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe

    Filesize

    79KB

    MD5

    971947b5d89e3dd32e0c5ed60560108f

    SHA1

    91186c7d8e3faf69d8e978c9fb4a7c6bdda5f458

    SHA256

    4f6ec7ed3a0133d43699c59a226aba8c1e170437835d59bc7a5b38c80afa4714

    SHA512

    6cc2e558983a00045b3550ed6c81db5542198b5038881eeb395ca491497d07dd31a9265335463af540a57037f39d3eaab0af780893ef77a1a4a076a8c28fd4fb

  • C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe

    Filesize

    79KB

    MD5

    d59d5eb22c4f5b400da03f17fc80e527

    SHA1

    32f55855cf56ee69c26188994d06c083d2ee39fa

    SHA256

    699c3263487a106f9fe20cff83cec8db782639a59b787fc220c54d8724b39a52

    SHA512

    5b23136257d406c53e0af71f4fba08a9dd5a5a438f857f9e14e5b996a8a5c9a6ac2b8fa6d1d162484d818067f24daa3839b5b767bd7bd1f06b157fc0ee57495a

  • C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe

    Filesize

    79KB

    MD5

    b5fd07dc68f84219ccec7849720a3c45

    SHA1

    8df5ad377f66a674fa8718f2c130fc9506c8e886

    SHA256

    24fe6d92484658adb07c435f7934f7d7e1dfe44f135fd0fc2917920870413ba0

    SHA512

    19f93013ba56d6d14df23c660d54e1f378b09146addd7d44d0b2117a9a0c787dbcff1f43a24270f09069d909e4044bc51daf8c91a331b8cf6409c7271477eaed

  • C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe

    Filesize

    79KB

    MD5

    25ff870c03f10fa00cbcfd0cae85b34e

    SHA1

    f5d408dacc708b0bf93fc1e66fa96082c758dd8b

    SHA256

    32a25b86ed8983da1484787893ea3fcd95b2996de48fdbb92d9b68acc5c151cb

    SHA512

    3d5ff02f69b2cc58c3dc42066ae715619510773a4fa2ec10c47720600aebaebc739be171bbd25723a9418dde3639092bda95aec533ec4c3d4e07909e67eae2c5