Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    10-11-2024 01:36

General

  • Target

    58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe

  • Size

    90KB

  • MD5

    677d2d36546f238093399bcdc080f6b0

  • SHA1

    6bba809f3c34f262c020c416ba903f79fbaa9cab

  • SHA256

    58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166

  • SHA512

    43a1effb75951553afdccd90cebb1fe561bf63544fe3df6e10fe15fe32dd8f7b7c2817165c7b26b4c7acf1e44c442d0558f4ed571d6b9c5083e684295b712fd1

  • SSDEEP

    768:Qvw9816vhKQLroZ4/wQRNrfrunMxVFA3b7glws:YEGh0oZl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe
    "C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe
      C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe
        C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe
          C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe
            C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe
              C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3044
              • C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe
                C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2776
                • C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe
                  C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1056
                  • C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe
                    C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1760
                    • C:\Windows\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe
                      C:\Windows\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2536
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D73B2~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2268
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3C4D9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2436
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{479CA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:316
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{97D3B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2944
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{68DB6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3052
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3AB36~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1A6A0~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68FF4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\58CE96~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1A6A086F-D2C6-4b6f-B23B-3C47246B1EDC}.exe

    Filesize

    90KB

    MD5

    ea4421b7e557331c7f47a3867d6dbf41

    SHA1

    8a688ae41da45feb723d45524317b5c393087cc6

    SHA256

    c13aa22489955be77cde0504a2a4e1a805f3ee0bdd3bc97e4bdb65376abaedab

    SHA512

    b385238db3972db5eee9cfd7666d2c0c1aaae1aa063fb5351c7d65a1eca3ed0d5b2b23a1c159ed1dde7c5d32cf19f5d34fc2d7a2b221f8c525253ff5f8c5d64f

  • C:\Windows\{3AB369FE-4C0A-49dc-A3E3-2FF00D4B34C5}.exe

    Filesize

    90KB

    MD5

    5104df314ee2bf5ae0db87f05f88fbf5

    SHA1

    626d04a9bded7a2d4131a779db4c4dd359e51f42

    SHA256

    bda3d9e25d377b5ae0feb960e75b56f4acb6fd326ac396d69fec38d58c7db7d9

    SHA512

    cb3cc35b7bcb18c42afa542db6b6f32047292d4a65060bc6163a56d2468d046ccaf86eb60d5547652788f4fa5c7a4ccf9d82d6fb633406d32e24c2ca475d2473

  • C:\Windows\{3C4D9B70-8AE8-4f0e-AEFF-B1F1E4CB9943}.exe

    Filesize

    90KB

    MD5

    bdb11a447f5d7cfa9913a965c55a7865

    SHA1

    ba7b94f1f2449836fc5a7f453e3136a445fd9c9b

    SHA256

    5b5bbe326462f2ba479bb14122d0121a65e61a6d049d7ba5c639dff49dd81f6b

    SHA512

    64670af350db5bdde01a847b0c9c6f62b7a743059dee6bbcc8ad3c77091ab59c4369393e11d312121c103e195741b6c1bbc6a50776967926d8468a2af1a41b64

  • C:\Windows\{479CA86F-8B12-43d1-A7B4-BFB53A48BC00}.exe

    Filesize

    90KB

    MD5

    bc2d3d87759c4984b2cb318dcfb3e804

    SHA1

    767878d7f4db3d70a7fee97c55f162cc2b2e8dd7

    SHA256

    2ab152e6c387e62ab6b0615cacde6d0b61262d20686929444f79f21906f3e958

    SHA512

    bd671920c79c17996ddf458ac70198d1da0de1332e566d61cacdef540eb38cb2a92dd97555037f441d6fb4633ead535820afc17029a4de835b6fd599b00708a1

  • C:\Windows\{68DB6BF4-9837-4d56-9B9A-A5860860D0BB}.exe

    Filesize

    90KB

    MD5

    542d1944e0abb99b21e9bf63ccef6d00

    SHA1

    5260cb3933cbd7b99c13b6c9172e0f805ddc0fb7

    SHA256

    be590311eb59cdeebd76f2fee4cfef2a2b12aa92e2384d09108080f041550aa0

    SHA512

    ddcac149a0c85ace3c2ec49fcdbeae7d434cc7c912229d2708567254251bb0371f1c88e5ae3a7fe716d7fcb11bc32957806e72d09ed7779c6448902af371eea6

  • C:\Windows\{68FF437E-50B5-4897-8273-98522A27F886}.exe

    Filesize

    90KB

    MD5

    a5ca289426c13305c734cac848d9aab9

    SHA1

    5f4d12941dcf19e0883628303fc1145f7bb5e65f

    SHA256

    576ec2f7af5e340fa59ce38e9edb3db7b23ebb17da95e0c3e6710aef050e195a

    SHA512

    996663a449fdae6a5488810e873f8286e549fece0278562643010062fe86bdf8fde326366dba6ccdac801ca4474285a05c69d5e053579f31268770fafac7cd2a

  • C:\Windows\{97D3BF4B-E464-481c-A4B2-00FB86E49A5F}.exe

    Filesize

    90KB

    MD5

    952b4bcb1dd18bca9c8cf8729e3491cf

    SHA1

    2984949dc5e90ca2c79a9f99f91e87b7728a4228

    SHA256

    1e480bd32b167fc079034e155128d3e20e2f96c1a53a52086084c1be25e05c82

    SHA512

    fa79b216914bbc5d8a627acf42d79357610238b328bfca12e7c0de3b8b2378f02a17876f0bb3ea8165d21bb6a441c2c55e81a0afc4fe48e5b204ded585599077

  • C:\Windows\{D70C1F17-9054-467a-ACAC-1BC143080616}.exe

    Filesize

    90KB

    MD5

    bf929c379b7b0d49a3a7e20542b156f7

    SHA1

    a3480de0e5fe9441ca86ff1706c490db5a4d9a57

    SHA256

    2c62b0d951ab33c2797c8d2831d5e0399699ba450e1308a888b340711782176c

    SHA512

    b10b4d74a0629867db4302fe23fa6dcbd83732ed7c8f0eda785e79236737104d062d6561efc19250176b4d548c56c5696a5ddc5c516b19ef9bb9036dcfb2db35

  • C:\Windows\{D73B2C0B-F66E-47c3-82B4-2E653DF222B9}.exe

    Filesize

    90KB

    MD5

    ffa828e81f54908ea108e189b1550f9f

    SHA1

    293362ba8f8c09985eccbab883c3cb7cb39173c0

    SHA256

    1afc0affcf0022352645f66a4bb44f423a4402dfdc198e5d1dce35714e64b0d6

    SHA512

    79e4fc52ec5fe24f0cf62d6d736c49d708041f61c1025d435c177918d70b4a6f6c659f74c78a922d97b5064bf54c7f9eb4e502f74cba44b50d9aa3b3b91847a2