Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 20:36

General

  • Target

    949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe

  • Size

    79KB

  • MD5

    ead7f6b3af34c9b6b78d70efa1715510

  • SHA1

    2de3d4c7780e12b22e4bdd7c16c86ce08f90b7ce

  • SHA256

    949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1

  • SHA512

    de2e8044995dc723dd5b3bb61939dec4ae4cf96cf22c60398b7bd469d63853edb4e9b39fdfc8405ad4c077f5446cb9983bf9675b7d0f4282a23c59725bec602b

  • SSDEEP

    768:4vw9816vhKQLroH4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oHloWMZ3izbR9Xwzz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (an Installed Components subkey under HKLM\SOFTWARE\Microsoft\Active Setup whose StubPath value is executed at the next user logon).

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe
    "C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe
      C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe
        C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe
          C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe
            C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1316
            • C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe
              C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3600
              • C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe
                C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4476
                • C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe
                  C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4824
                  • C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe
                    C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2352
                    • C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe
                      C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1204
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD84~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2224
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E100~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2628
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0FC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4772
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B2120~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4884
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0C7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:740
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{28FF1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EFD8A~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B94AF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\949C0C~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4848
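The process tree above is the detection-worthy pattern in this report: every stage is a GUID-named executable written straight into C:\Windows that launches the next stage, and each stage then spawns cmd.exe to delete its own parent by 8.3 short name (`{B94AF~1.EXE` for `{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe`). The Python below is an added example, not part of the sandbox report or the sample, that encodes that pattern as hunting logic over process-creation events. The events are reconstructed from the tree above and use Sysmon Event ID 1 style field names (Image, ParentProcessId, CommandLine); that log shape, and the simplified 8.3 matching heuristic, are assumptions.

```python
"""Hunt for the GUID-exe drop chain and parent self-deletion seen in this report.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; the dict keys mirror Sysmon Event ID 1 field names but
are an assumption about the log source, not a real export.
"""
import re

# A GUID-named executable sitting directly in the Windows directory.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# "cmd.exe /c del <path> > nul": a shell child used to erase an executable.
SELF_DELETE = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.IGNORECASE)

# Constructed from the report's process tree (PIDs and paths as listed there),
# plus one benign control event (PID 5000) that must not match.
EVENTS = [
    {"ProcessId": 2096, "ParentProcessId": 0,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"'},
    {"ProcessId": 4748, "ParentProcessId": 2096,
     "Image": r"C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe",
     "CommandLine": r"C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe"},
    {"ProcessId": 4848, "ParentProcessId": 2096,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\949C0C~1.EXE > nul"},
    {"ProcessId": 2084, "ParentProcessId": 4748,
     "Image": r"C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe",
     "CommandLine": r"C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe"},
    {"ProcessId": 3484, "ParentProcessId": 4748,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B94AF~1.EXE > nul"},
    {"ProcessId": 5000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c dir C:\Users\Admin"},
]


def short_name_matches(short_path: str, long_path: str) -> bool:
    """Check that an 8.3 alias such as {B94AF~1.EXE refers to long_path.

    Heuristic (assumption): the short stem is the first six characters of the
    long stem followed by ~N, with the same three-letter extension. That is how
    the aliases in this report were formed; it is not a full 8.3 generator.
    """
    short_file = short_path.rsplit("\\", 1)[-1].upper()
    long_file = long_path.rsplit("\\", 1)[-1].upper()
    m = re.match(r"^(.{1,6})~\d+\.(\w{1,3})$", short_file)
    if not m:
        return False
    stem_prefix, ext = m.groups()
    long_stem, _, long_ext = long_file.rpartition(".")
    return long_stem.replace(" ", "").startswith(stem_prefix) and long_ext == ext


def hunt(events):
    """Return (rule, pid, detail) tuples for events matching either rule."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE.match(e["Image"]):
            findings.append(("guid_exe_in_windows_dir", e["ProcessId"], e["Image"]))
        m = SELF_DELETE.search(e["CommandLine"])
        if m:
            parent = by_pid.get(e["ParentProcessId"])
            # Only flag when the deleted file is the parent's own image.
            if parent and short_name_matches(m.group(1), parent["Image"]):
                findings.append(("parent_self_delete_via_cmd", e["ProcessId"], parent["Image"]))
    return findings


def stage_depth(events):
    """Longest run of GUID-named executables chained parent to child."""
    by_pid = {e["ProcessId"]: e for e in events}
    best = 0
    for e in events:
        depth, cur = 0, e
        while cur is not None and GUID_EXE.match(cur["Image"]):
            depth += 1
            cur = by_pid.get(cur["ParentProcessId"])
        best = max(best, depth)
    return best


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
    print("chain depth:", stage_depth(EVENTS))
```

Run against the full tree from the report the chain depth is nine; the constructed sample covers the first two stages. Either rule on its own is noisy in some environments (installers also drop GUID-named stubs), but a GUID executable in C:\Windows whose child is a cmd.exe deleting the parent's own short name is specific enough to alert on directly.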

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe

    Filesize

    79KB

    MD5

    0bb411d3e5241dbca8f7b297eeca16a3

    SHA1

    a52c2b4d22c1558176d793d9e56e6a3f0c28898c

    SHA256

    be5050700820d093a0de33bbc75c5c541e7c80d5f4a03715666a306c060eb3e5

    SHA512

    e738aeac9dbf205d26cb0b4ab7713516ad8e2a09c13ee24700548dccf133c87e8dae6c7030985242c9d4cc0d91b3362871e16f8ab424d9bab8593fac58a1c115

  • C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe

    Filesize

    79KB

    MD5

    9477b09b62eb9d1b6a5353e82eafc7fd

    SHA1

    dca510b70731a3f6a1ade2bc2bb076fa15dfcbfb

    SHA256

    a4026704f4cf12b63a9970cc34cf335a35f33df9f49d278f7db3c8d12acddfa2

    SHA512

    908bf4accff99c3b67d641409be3e2b5bbbd1aad55678bc123ecbc5f9765d654bbaeee19edfbbce98ce8ccb54a917b451c9c117a339931d0e61cbf447b647450

  • C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe

    Filesize

    79KB

    MD5

    1e6cbc85f9bd2d1335142b913c58c465

    SHA1

    23f6b6e073cd196a7abd674ade196d256e1eb524

    SHA256

    90bdc1ecea2636d25391894026b23dc44727c9c9aa830ade7a846fc96ead5b31

    SHA512

    37972329c0966e1222096de3521f7a274decb3c4b62f25e5692e24dae2b65dc8537cb35490ca839666475a196f8f90202262a65cbef10f1ecca26043e4195ac6

  • C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe

    Filesize

    79KB

    MD5

    952dd487f01bda3df769ae7d5ffd4792

    SHA1

    ff2739aa23c6ddc5e38b15aab2f1d2fa3a42e373

    SHA256

    8841b4270f5abba709637d89ec9136316668ed371165919f4573ff03f269e537

    SHA512

    74cf66ef3501065f57bcb650de0e827e150de4832d241d0af19c0c4ec9fc6bebec7c6f8d3796c2bf9bf6de55b1045a039e872bc84d43f7cf28d86e00c71b0b71

  • C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe

    Filesize

    79KB

    MD5

    b714c4ce3a163b18b19b647c50fcb12e

    SHA1

    7dae29dd7e5a95864a0903772ce79920e6c79ed6

    SHA256

    b898399cd1a54f1fad4c5327fff4d0801204fa4c6f6135860e9b3a354b3d24e7

    SHA512

    3b01ebddb544b3dd1575fb88332993535f060b37a3bfc663b68cf712c405ae30202cd43e2a522935bb034119ab5488857bb87b323a0ebe9754bb0f5262370741

  • C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe

    Filesize

    79KB

    MD5

    fe10013d4198e03f219656f1ca05060e

    SHA1

    db7f0444388a5e9ab8802c4571208b3fcc884533

    SHA256

    5c12700260c798fb43a5837766dc5fca369ab89d367c64cdef66f51e69990e4a

    SHA512

    5ace0b5b5fbeaded844d7f62ccaf3211f7390451a6401e2c2ed1f623b7d8a585ad750b053112e0231f51f0fe1bb65ef45131f8dec360ad5c57c18ba20d7c9f1a

  • C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe

    Filesize

    79KB

    MD5

    2ca8579146685025bfed6d917ecc06ab

    SHA1

    cb914cdca1bdd91df3636ed9338a8016f311eb7d

    SHA256

    5d4de2945c9d3779161df622d0b62cac93ec3b125aa1cf7934d12c4482b1d9b2

    SHA512

    7901d7b20265887cd1a772090b473717da408187f92b72ff552780f2cc9d65bc0b35fcf5900db73e17811bb1c954cb2f422faf9d1c0c50e87dc8998cf0cde94d

  • C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe

    Filesize

    79KB

    MD5

    5293a1b3b4e88a955c2215b0e3d9268a

    SHA1

    37c4fc012ff8d84bd535aea2dcf6b0178d3534c3

    SHA256

    566326b4f311ac037b3696f6529aa48accaa0dbfd4e50bd6bd6389af05a99d85

    SHA512

    fffce508961aec0b125260ad7348c8e828695751c93537a2e0116c9ff7e9dcb8bb62d561776f8c8496e74c2441c105064cdd8c63960f8ff8d94e0dd65fdb4b6d

  • C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe

    Filesize

    79KB

    MD5

    2ea1999d16dba4c1acbc007ac726d1eb

    SHA1

    df4beb8af8974610dfce6ad69f1c4195332bda5f

    SHA256

    0a41b28d089bf9ae1036cb33cd48e815d584fbd457c9278b1c838639d73269fb

    SHA512

    9a6b8f6e0b43a3a3da6b4e0aee027e5c32e7eefe2d44c464fde33bbfa3dd925db50fee228bd7a43e9e2196a36cb5a4ed414c6e37ad19d29a1594fe1ff022320f
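Every dropped stage in the Downloads section is exactly 79KB, yet no two share an MD5, SHA1 or SHA256, so a blocklist built from the submitted sample's hash alone would miss all nine. The Python below is an added example, not part of the sandbox report, that parses this flattened Filesize/MD5/SHA1/SHA256/SHA512 layout into records, checks for that same-size-different-hash property, and builds the full hash set to push to endpoint tooling. REPORT_DOWNLOADS holds the first three entries copied from the section above; the layout assumption is that each entry follows that label-then-value order.

```python
"""Extract dropped-file hashes from this report's Downloads section.

Added example, not part of the sandbox report. REPORT_DOWNLOADS is the first
three Downloads entries copied from the report; the parser assumes the
flattened "Filesize / MD5 / SHA1 / SHA256 / SHA512" label-then-value layout.
"""
import re

# SHA256 of the submitted sample, from the General section of the report.
PARENT_SHA256 = "949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1"

REPORT_DOWNLOADS = r"""
  • C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe
    Filesize
    79KB
    MD5
    0bb411d3e5241dbca8f7b297eeca16a3
    SHA1
    a52c2b4d22c1558176d793d9e56e6a3f0c28898c
    SHA256
    be5050700820d093a0de33bbc75c5c541e7c80d5f4a03715666a306c060eb3e5
    SHA512
    e738aeac9dbf205d26cb0b4ab7713516ad8e2a09c13ee24700548dccf133c87e8dae6c7030985242c9d4cc0d91b3362871e16f8ab424d9bab8593fac58a1c115

  • C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe
    Filesize
    79KB
    MD5
    9477b09b62eb9d1b6a5353e82eafc7fd
    SHA1
    dca510b70731a3f6a1ade2bc2bb076fa15dfcbfb
    SHA256
    a4026704f4cf12b63a9970cc34cf335a35f33df9f49d278f7db3c8d12acddfa2
    SHA512
    908bf4accff99c3b67d641409be3e2b5bbbd1aad55678bc123ecbc5f9765d654bbaeee19edfbbce98ce8ccb54a917b451c9c117a339931d0e61cbf447b647450

  • C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe
    Filesize
    79KB
    MD5
    1e6cbc85f9bd2d1335142b913c58c465
    SHA1
    23f6b6e073cd196a7abd674ade196d256e1eb524
    SHA256
    90bdc1ecea2636d25391894026b23dc44727c9c9aa830ade7a846fc96ead5b31
    SHA512
    37972329c0966e1222096de3521f7a274decb3c4b62f25e5692e24dae2b65dc8537cb35490ca839666475a196f8f90202262a65cbef10f1ecca26043e4195ac6
"""

# One entry: path, size, then the four digests; fixed hex lengths reject truncated copies.
ENTRY = re.compile(
    r"•\s+(?P<path>\S+)\s+Filesize\s+(?P<size_kb>\d+)KB\s+"
    r"MD5\s+(?P<md5>[0-9a-f]{32})\s+SHA1\s+(?P<sha1>[0-9a-f]{40})\s+"
    r"SHA256\s+(?P<sha256>[0-9a-f]{64})\s+SHA512\s+(?P<sha512>[0-9a-f]{128})"
)


def parse_downloads(text):
    """Turn the flattened Downloads text into a list of dicts, one per drop."""
    records = []
    for m in ENTRY.finditer(text):
        rec = m.groupdict()
        rec["size_kb"] = int(rec["size_kb"])
        records.append(rec)
    return records


def same_size_distinct_hashes(records):
    """True when all drops share one size but no two share a SHA256: the
    fingerprint of a sample that alters every copy it writes."""
    sizes = {r["size_kb"] for r in records}
    digests = [r["sha256"] for r in records]
    return len(records) > 1 and len(sizes) == 1 and len(set(digests)) == len(digests)


def blocklist(records, parent_sha256):
    """SHA256 set for EDR/AV: the submitted sample plus every stage it drops."""
    return {parent_sha256} | {r["sha256"] for r in records}


if __name__ == "__main__":
    recs = parse_downloads(REPORT_DOWNLOADS)
    print(len(recs), "drops parsed; per-copy mutation:", same_size_distinct_hashes(recs))
    for digest in sorted(blocklist(recs, PARENT_SHA256)):
        print(digest)
```

Paste the remaining six entries into REPORT_DOWNLOADS to get the full set for this sample. Because each stage carries a fresh hash, exact-hash blocking only stops copies already seen; the drop location and the cmd.exe self-deletion in the process tree are the durable signal.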