Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 12:46

General

  • Target
    c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe
  • Size
    90KB
  • MD5
    21673f1e9b5deec9dc6bfe84927e53a0
  • SHA1
    76361257921ba001dc4d6a4c6a93fdf5b8e70ef1
  • SHA256
    c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919
  • SHA512
    6971229362378fad2cfbea02d42f4c442de686d3c103f20d70f32bcbc4b6ddeb13c937277633b2550467bfe2b1e002be5fc0f6b25f0c54505770d63e8c81da4e
  • SSDEEP
    768:Qvw9816vhKQLro04/wQRNrfrunMxVFA3b7glw:YEGh0o0l2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe
    "C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe
      C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe
        C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe
          C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe
            C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe
              C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe
                C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2332
                • C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe
                  C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2900
                  • C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe
                    C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1376
                    • C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe
                      C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2544
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DBDF9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1516
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{700B6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1028
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{23A1D~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2692
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E3799~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1632
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{149E1~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2924
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BF781~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E081B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2728
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0AA~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C11BDD~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe
    Filesize
    90KB
    MD5
    f34a2b3cac20beb378c84e219ccbe62f
    SHA1
    e6beebbb8820db153c8b858054220e804d6485aa
    SHA256
    5768092a01eeaeb9e415afc6bbb1a64895298ee0bfa14ca0d777f6f0f38b91f3
    SHA512
    2cee75964509e720bd5c32581ed9481075086be702e5ff5b6ed8f5d6e3399cb8e51b80659594e4d85bae583577ba24e3e7bad2d7b694ed46a071c5f4e56070fa

  • C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe
    Filesize
    90KB
    MD5
    ea7f26a16a89bed39f55133417fe25c8
    SHA1
    4e3dcc2bdc5a15029caf2f4710911a6d62c3a142
    SHA256
    8ffe4850eb35c6d68e91f5ecc3f9848157e31f5f9b073717c1640db502ade522
    SHA512
    b041b04b79889107c4d83c6d895e7f48423d0742c8ef4e2061af006005d628e85fe7d3f6a6383b0d23002523515601a1f69f7bf1bc8a95cacef4a63420f5648e

  • C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe
    Filesize
    90KB
    MD5
    9439ee010d269158817094e843241f88
    SHA1
    90cf7e4c53bd54a33b7071b56eefbd18acf4b1b8
    SHA256
    d84377a7aad749daa58382fdc4139ecd1487545e6bbf9f3c8874330c1c7caf98
    SHA512
    2f17253f8bc491c98bbf4889eee28eb05e0cfe5065bca069b3ce07d65c266e010e27106e5ee0ca76b1f22acb76c1eb9836de4ee3515c7ef1159554b2b09871de

  • C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe
    Filesize
    90KB
    MD5
    9273d6b8925dd53864277a9cb87a3afb
    SHA1
    cfa703d903d996447d5fe99e19a3a228847f98ff
    SHA256
    ed9a77585e2dff90f37d9294389d251dd930e5f78227ee40800832c88f0c266a
    SHA512
    930643b46acfde7c5b33f409b05a7719a2a2fa85b65780b503c9c011a250b265f278c16cef0939ea3c9dbc48be1c8bb31e5658a8468d953fef75743f821e65c6

  • C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe
    Filesize
    90KB
    MD5
    eb312c3f9a6679438261de4bee7dc5c5
    SHA1
    69f3a4ae62444fb8fb7297069a980479b44c795a
    SHA256
    f3d074be2414c307741890cfa6310b2a8ac0b5402af5f26d0132c5529422dbe5
    SHA512
    17acaa6613084c056615497fea67f32f055e3d1a298e5ddb3b2966a5603ad40f6023e66a99a34ae35a52fa0f46456936274885016014c7e401aa97fd8adfc8c3

  • C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe
    Filesize
    90KB
    MD5
    8dcef8c69edd68c19e459ab0e324d2b7
    SHA1
    423007b8c2cd1258495aa425b4db7e2619857d91
    SHA256
    9e84ee157a742fe6ca0f21e8286800cdd87e4d586407a96d086cef2b0283493c
    SHA512
    42105c4d6672917921c0ec087300f53f95bbe11f29ed2768b14316569ba7203fc90eb503b828b7d9edb5e4ea0eaa187b98f0f4d85cddead9b5b19bc4a43e2b95

  • C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe
    Filesize
    90KB
    MD5
    fb4c3fb272af4399167b0542b15aea00
    SHA1
    cf606fd06530299e3037b15b6ef15496276f7790
    SHA256
    b591959f1b64818c76ac819b1dda0817e7b773cc6885fe34f090e9ddff56d0a7
    SHA512
    fc667fc5fe8664cff812b969c5bbc4649601ae8afab789946d8d3cb4120fdac18422da04e8f72a7707238e3b52ec4b7999c4d3071795109666bb8b3b9f0f507b

  • C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe
    Filesize
    90KB
    MD5
    9594c9e4c71192bc927ed414c3c44ba1
    SHA1
    d3b4b5742d9e01e9b9631b33c6a5c37b8fdf2573
    SHA256
    6d47d9ace0ba678be82b71667ecc98de2d1965cce672cf72dc34ec980c20c1e9
    SHA512
    0c39f1a86d44dd4c8e373231e74a80c4fb383f929959df26c603798bedeea0eae9bc29ae647218b4fd7e200709bba562011d0c3b7a74d789cc3e9886a14c7996

  • C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe
    Filesize
    90KB
    MD5
    bb2b7d0f2c8cde70d2465d84bfa3ae2c
    SHA1
    35bf71bbf4cf4c91d34c9e758806391a89238761
    SHA256
    1cfbbaac1e8e84e17f4449c0a2341fc44ecf3005e63d7b4fcd77b9cf2ba4a642
    SHA512
    e6fa44193f05281281581edffe344f07e26176098b2230ca4c9c520c91bb193b8bb6dbf6280b19edca8326d67cc07c49932af61fda4c42e2902486cf6a5d04d2