Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-11-2024 01:36

General

  • Target

    58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe

  • Size

    90KB

  • MD5

    677d2d36546f238093399bcdc080f6b0

  • SHA1

    6bba809f3c34f262c020c416ba903f79fbaa9cab

  • SHA256

    58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166

  • SHA512

    43a1effb75951553afdccd90cebb1fe561bf63544fe3df6e10fe15fe32dd8f7b7c2817165c7b26b4c7acf1e44c442d0558f4ed571d6b9c5083e684295b712fd1

  • SSDEEP

    768:Qvw9816vhKQLroZ4/wQRNrfrunMxVFA3b7glws:YEGh0oZl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
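The report flags Active Setup persistence (18 IoCs) but does not list the registry values involved. Active Setup works by comparing each component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components against the per-user copy under HKCU at logon: if the HKCU key is missing, or the HKLM Version is newer, Windows runs the component's StubPath in the user's context and then writes the HKCU copy. The script below is an added triage example (not the sandbox vendor's code and not something the sample is shown to do) that applies that rule to a .reg export. The export it parses is constructed for illustration: its GUIDs and paths are invented, and the GUID-named StubPath merely mirrors the file-naming pattern seen in this report's process tree. The Wow6432Node path is included because a 32-bit writer's HKLM\SOFTWARE writes land there through registry redirection, and the trusted-directory list is an assumption you should tune to your estate.

```python
"""Triage Active Setup 'Installed Components' entries from a .reg export.

Added example for this report, not the sandbox vendor's code. REG_EXPORT is a
constructed export: the GUIDs and paths in it are invented for illustration
and are not claimed to be what this sample writes.
"""
import ntpath
import re

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="10,0,19041,1"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\{11111111-2222-3333-4444-555555555555}.exe"
"Version"="9,9,9,9"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Roaming\\svc.exe\" /silent"
"Version"="2,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"Version"="10,0,19041,1"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Version"="1,0,0,0"
'''

HKLM_ROOTS = (
    r"hkey_local_machine\software\microsoft\active setup\installed components",
    # 32-bit writers are redirected here on x64; Active Setup processes both views
    r"hkey_local_machine\software\wow6432node\microsoft\active setup\installed components",
)
HKCU_ROOT = r"hkey_current_user\software\microsoft\active setup\installed components"
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# Assumption: where legitimate StubPath executables normally live. Tune per estate.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")


def parse_reg(text):
    """Minimal .reg parser: {key_path(lower-cased): {value_name: str | int}}."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                cur[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg escapes: \" for a quote, \\ for a backslash
                cur[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def version_tuple(v):
    """Active Setup compares Version as comma-separated integers."""
    try:
        return tuple(int(p) for p in str(v).split(","))
    except ValueError:
        return (0,)


def stub_executable(stub):
    """Executable part of a StubPath: first quoted token, else first whitespace token."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:].split('"', 1)[0]
    return stub.split(None, 1)[0]


def stubpath_reasons(stub):
    """Heuristic reasons a StubPath deserves a look; empty list means nothing odd."""
    exe = stub_executable(stub)
    low = exe.lower()
    reasons = []
    if not any(low.startswith(d + "\\") for d in TRUSTED_DIRS):
        reasons.append("executable outside System32/SysWOW64/Program Files")
    if ntpath.dirname(low) == r"c:\windows":
        reasons.append("executable dropped directly in the Windows root")
    if GUID_NAME.match(ntpath.basename(exe)):
        reasons.append("GUID-named executable")
    if "\\appdata\\" in low or "\\temp\\" in low:
        reasons.append("executable under a user profile/temp path")
    return reasons


def triage(reg_text):
    """For every HKLM component: will its StubPath run at the next logon (no HKCU
    copy, or HKLM Version newer, and IsInstalled not 0), and why it looks off."""
    keys = parse_reg(reg_text)
    findings = []
    for root in HKLM_ROOTS:
        for path, values in keys.items():
            if ntpath.dirname(path) != root:
                continue
            comp = ntpath.basename(path)
            user = keys.get(HKCU_ROOT + "\\" + comp, {})
            stub = values.get("StubPath")
            enabled = values.get("IsInstalled", 1) != 0   # absent IsInstalled counts as enabled
            will_run = bool(stub) and enabled and (
                "Version" not in user
                or version_tuple(values.get("Version")) > version_tuple(user["Version"]))
            findings.append({"component": comp, "stubpath": stub, "will_run": will_run,
                             "reasons": stubpath_reasons(stub) if stub else []})
    return findings


if __name__ == "__main__":
    for f in triage(REG_EXPORT):
        print(f["component"], "runs at logon" if f["will_run"] else "already applied",
              "; ".join(f["reasons"]) or "nothing odd")
```

Run it against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" as.reg /y`, plus the Wow6432Node and HKCU keys) rather than the constructed text. The "will run" test matters more than the path heuristics: an entry whose HKLM Version is bumped above every user's HKCU copy re-executes its StubPath for each account at next logon, which is exactly what makes this location attractive for persistence.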

Processes

  • C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe
    "C:\Users\Admin\AppData\Local\Temp\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe
      C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe
        C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe
          C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3236
          • C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe
            C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2428
            • C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe
              C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3564
              • C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe
                C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3956
                • C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe
                  C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2380
                  • C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe
                    C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:216
                    • C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe
                      C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3248
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AF47E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4676
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F113B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1812
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E63A2~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3380
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{074A6~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4640
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{51E32~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4884
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5050B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6666B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4752
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41D6B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1136
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\58CE96~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2660
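Two things in this tree are worth reading off before the hashes. First, every stage spawns its successor and then a cmd.exe child that deletes the stage's own image by its 8.3 short name (`{AF47E~1.EXE` is the short form of `{AF47E449-...}.exe`), so after the run only the last copy, `{DA4B0266-...}.exe` (PID 3248), is left on disk; with nine distinct hashes for nine 90KB copies (see Downloads), a hash blocklist catches none of the earlier stages. Second, the cmd.exe image path is SysWOW64 even though the command line names system32: the sample is a 32-bit process running under WOW64, which matches the arch:x86 resource tag. The script below is an added example (not the sandbox vendor's code) that reconstructs the relay from process events transcribed from this tree and flags which stages deleted themselves. The six-character short-name prefix check is a heuristic assumption: NTFS builds short names from the first six legal characters plus `~N`, which holds for these paths but not for every file name.

```python
"""Reconstruct a drop-execute-self-delete relay from sandbox process events.

Added example for this report, not the sandbox vendor's code. EVENTS is
transcribed from the process tree on the page (PIDs, image paths and command
lines as listed there) into (pid, ppid, image, cmdline) tuples.
"""
import ntpath
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WIN = r"C:\Windows"
CMD = r"C:\Windows\SysWOW64\cmd.exe"   # real image: 32-bit cmd via WOW64 redirection


def _exe(pid, ppid, path):
    return (pid, ppid, path, path)


def _del(pid, ppid, target):
    # cmd.exe removes the parent's own image, addressed by its 8.3 short name
    return (pid, ppid, CMD, r"C:\Windows\system32\cmd.exe /c del " + target + " > nul")


EVENTS = [
    _exe(4712, None, TEMP + r"\58ce961c3d4c101bd266a03ce12f8a8aa8c5c340429fefa75f5d21a087c6e166N.exe"),
    _exe(1552, 4712, WIN + r"\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe"),
    _exe(5044, 1552, WIN + r"\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe"),
    _exe(3236, 5044, WIN + r"\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe"),
    _exe(2428, 3236, WIN + r"\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe"),
    _exe(3564, 2428, WIN + r"\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe"),
    _exe(3956, 3564, WIN + r"\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe"),
    _exe(2380, 3956, WIN + r"\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe"),
    _exe(216, 2380, WIN + r"\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe"),
    _exe(3248, 216, WIN + r"\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe"),
    _del(2660, 4712, TEMP + r"\58CE96~1.EXE"),
    _del(1136, 1552, WIN + r"\{41D6B~1.EXE"),
    _del(4752, 5044, WIN + r"\{6666B~1.EXE"),
    _del(2612, 3236, WIN + r"\{5050B~1.EXE"),
    _del(4884, 2428, WIN + r"\{51E32~1.EXE"),
    _del(4640, 3564, WIN + r"\{074A6~1.EXE"),
    _del(3380, 3956, WIN + r"\{E63A2~1.EXE"),
    _del(1812, 2380, WIN + r"\{F113B~1.EXE"),
    _del(4676, 216, WIN + r"\{AF47E~1.EXE"),
]

GUID_EXE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"\bcmd\.exe\s+/c\s+del\s+(\S+)", re.I)


def short_name_prefix(path):
    """First six characters of the basename, upper-cased: the part of an 8.3 short
    name before the ~N tail (heuristic; assumes no illegal characters were dropped)."""
    return ntpath.basename(path)[:6].upper()


def deletes_parent_image(parent_image, cmdline):
    """True if cmdline is 'cmd /c del <dir>\\<prefix>~N.EXE' aimed at parent_image."""
    m = DEL_CMD.search(cmdline)
    if not m:
        return False
    target = m.group(1)
    same_dir = ntpath.dirname(target).lower() == ntpath.dirname(parent_image).lower()
    pattern = re.escape(short_name_prefix(parent_image)) + r"~\d+\.EXE"
    return same_dir and re.fullmatch(pattern, ntpath.basename(target).upper()) is not None


def analyse(events):
    """Follow the relay from the root process; return (chain of stage PIDs,
    PIDs that deleted their own image via a cmd.exe child, PIDs left on disk)."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)

    def is_stage(pid):
        return GUID_EXE.match(ntpath.basename(by_pid[pid][2])) is not None

    self_deleters = {
        pid for pid, _, image, _ in events
        if any(deletes_parent_image(image, by_pid[c][3]) for c in children[pid])
    }
    root = next(pid for pid, ppid, _, _ in events if ppid is None)
    chain, cur = [root], root
    while True:
        nxt = [c for c in children[cur] if is_stage(c)]
        if not nxt:
            break
        cur = nxt[0]
        chain.append(cur)
    survivors = [pid for pid in chain if pid not in self_deleters]
    return chain, sorted(self_deleters), survivors


if __name__ == "__main__":
    chain, deleters, survivors = analyse(EVENTS)
    print("relay chain:", " -> ".join(map(str, chain)))
    print("stages that deleted their own image:", deleters)
    print("stages left on disk:", survivors)
```

The same pairing (a process whose cmd.exe child deletes the process's own image while a sibling child is a freshly written executable) is a usable hunting rule over EDR process-creation telemetry, independent of the GUID naming: match on the parent's image path rather than on any hash, and treat the one stage without a self-delete child as the artifact to collect from the host.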

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{074A61F9-1C82-4fa5-BFE8-429CF5B198D1}.exe

    Filesize

    90KB

    MD5

    ecfc77bc615cd1bd8ebaee8583528850

    SHA1

    04b6154c5d2d145ab67ed99bad27dd225cc1c6dc

    SHA256

    3b4f11c9fe5347d6527c60f12dac0b2544ab8aa5516f520995241590a56a7dab

    SHA512

    9d0fc299aa9d3d91b3a7c435baeec8f8ccbff0e8561ff213fc23427100c9aa456d7dac1635486cdd29142e8d03105fe90bf372bb45bbb2fb0f060e2431143871

  • C:\Windows\{41D6BB83-D50F-4f78-ADCD-DE26D0ED2200}.exe

    Filesize

    90KB

    MD5

    fc5e8f194a08556c177afe0fed17fbba

    SHA1

    ca97a86db28080ae8759ad8811132a16e86139cb

    SHA256

    37482b488ba21593916f0bb28878f459759c9e065f1dda76ee538ad3d13eeaeb

    SHA512

    265c872407b9b4ff81fb4f52a404a90530b837c8129713c1c8b7482d155ccf8076af85d75c511c3f8b5da0c87ef22432c2dae354ff47644d46caa65b8ee82a49

  • C:\Windows\{5050B60F-B3EA-4987-98F9-09F9B0E88C41}.exe

    Filesize

    90KB

    MD5

    4dc460c9a112ae7e119f9af7186b9de0

    SHA1

    116acb48fae9a28275ffd5c2efd51165143a9b84

    SHA256

    43bc571da240e1385772ea21c818db34f595504a31945d6e85ca4767ffad2f5a

    SHA512

    9372676ff226fbbb05c9530aa05a0cc32d15bba0f756cb7e6f06869aa16ad97c15120e96f0c7b1f371bb73c52d4c6286d69324b2cad6a36ae8518ad1e2ba61a7

  • C:\Windows\{51E321B0-2B7F-422d-937E-C8DA6F1D70DD}.exe

    Filesize

    90KB

    MD5

    d5d374618cff017cf12c136449cb7744

    SHA1

    aa4e2c23e31bae0c4ca0edc42dbcf975e31ad4f9

    SHA256

    f60fbac0556395d48a5b90b1dd9604870734581ae84892619e1b592dba3c8ee9

    SHA512

    cc2f996fff07a490919adc6ffb73798d82588456792b82c90c324fc18ae0dd5cbc193bb5b308f51380a0c61a155e45042ec557f621be46c961d2f253a1cf7b43

  • C:\Windows\{6666B8D5-181F-408a-BEBF-E46106FF03B0}.exe

    Filesize

    90KB

    MD5

    ddb22822a644282957f4599f3084a1e4

    SHA1

    6995b430fc8d527e96d7b148f35b8697dc3bebb3

    SHA256

    f3ce49b87fb969a4448509000939c1c0eda6c6fd670bb81707498c926f934ced

    SHA512

    156610aa6beb10bfc06493dca53da04f42d61d1a46a9ac4c54949020a32af7f99f54d021ba8d5bf5ac6738ae501fe4ea26482c70f67fbc1aecdb515764a84e28

  • C:\Windows\{AF47E449-A2A2-45d6-BB5C-2047ACF0B2FC}.exe

    Filesize

    90KB

    MD5

    9bb151aba84f5b8899920303a855d87f

    SHA1

    cf3953626a26b815e8e77d6e341c377601f70ddd

    SHA256

    ff74f7ff167c432a78adb60178a550bf094cae4d372da616355eb71ed2f3ef53

    SHA512

    90d028ba648d7def7fc2974de70769e81190819779cd2ea0685db306ca4922516528455bc58829bddbe63684d8939c3add384a1063c4d8297dec64c66c9ceb26

  • C:\Windows\{DA4B0266-296F-4d2f-8C95-0BC21F9CF6A8}.exe

    Filesize

    90KB

    MD5

    73ee2f06850da62fe1fa5ea6ad84ee71

    SHA1

    a50e328300ebc8f0bdbde4c56ccb000e43c38982

    SHA256

    285c30450b30f84334d0491471f56046c943eee0c51e89bbd0dfe91de1def2ec

    SHA512

    a42125df61ee4008859a11a205073319f8c4e24607b335d4041f62db7deea26681c9e7dae3723a74630360c4e46b84872814476c8198263c86f24718012d183f

  • C:\Windows\{E63A2BF4-5E9B-4b19-8BEF-6F0B76B9D7AC}.exe

    Filesize

    90KB

    MD5

    b624266b99719dee26b97efb007ee9e7

    SHA1

    d5a9bd08d2586b10790a48589f717aaedf9cc5ca

    SHA256

    32ade0f82819e14bac1ddd367c49fb3925878e9f5fb22170c8573f0f1d82c397

    SHA512

    0d1666eb43822e8a876c55b1314fbbb0b9123b8190c353e1f07fabecce2cb7d44673282dc7d0fd32ea4b9801dc20090d9f99da60272f5a774501a7f13d6bad52

  • C:\Windows\{F113B9E7-55B0-4560-8197-ED52F0088DE1}.exe

    Filesize

    90KB

    MD5

    377b382d4a5905f016ef3045ff7acf3b

    SHA1

    b94b793b7b5a5935878fc910024689beff1a8097

    SHA256

    8d9b1d388a6cf8ad45285f971b5958c8375867b84589eaf6a56c8928d5150f17

    SHA512

    9bab301ee0c892df5a73f078c3cc9f8c39943e93d58d49f9843614b06bf015c9282da132888d67f2850eece439a7c4ccf634cd98de242b4e93e60a78c9120fba