Analysis

  • max time kernel
    118s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 12:46

General

  • Target

    c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe

  • Size

    90KB

  • MD5

    21673f1e9b5deec9dc6bfe84927e53a0

  • SHA1

    76361257921ba001dc4d6a4c6a93fdf5b8e70ef1

  • SHA256

    c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919

  • SHA512

    6971229362378fad2cfbea02d42f4c442de686d3c103f20d70f32bcbc4b6ddeb13c937277633b2550467bfe2b1e002be5fc0f6b25f0c54505770d63e8c81da4e

  • SSDEEP

    768:Qvw9816vhKQLro04/wQRNrfrunMxVFA3b7glw:YEGh0o0l2unMxVS3Hg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe
    "C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe
      C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe
        C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe
          C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3144
          • C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe
            C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3208
            • C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe
              C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2736
              • C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe
                C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2984
                • C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe
                  C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1264
                  • C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe
                    C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3532
                    • C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe
                      C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1440
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F93~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2764
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD80~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2388
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A57~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3392
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{865B8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1204
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{33DD3~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:100
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1D277~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{48D87~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{324B0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C11BDD~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3824

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe

          Filesize

          90KB

          MD5

          a29c367a41b4fabf3f84a25c70794ebe

          SHA1

          565de9fc273ed659d06b7f6d17599277307aac3d

          SHA256

          5c600c555bf8f455825bc85990c920a71e8a1a8ca6606ee71e8c7792e685586d

          SHA512

          d7e1669c4d38ceae7b36058a74c3404c98d6f0c95b30e32cb84b7382f2b9ef8b0861600d3bec3d5c96fd00b510a7d7071645f8149e6047df6b36208ceb1b5da6

        • C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe

          Filesize

          90KB

          MD5

          67a38068697c4b73b41487d5b5cfc039

          SHA1

          4220a4c17c6513904ef295626d4b2f12231092ba

          SHA256

          e2da00b5b6a2202aabd925c2e8a17dc54d5c5a5ce94c9699cdfd1a15aca32e4f

          SHA512

          0dd20d9c90e6439cdb2f289d083eea443372ccabdca05c679427256664654cdfab3f0845a27478fadfd440b73ad40c13e45226500684a917d5df6db05edf5d0e

        • C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe

          Filesize

          90KB

          MD5

          d3f258e76b471b2bc916430d8bca7767

          SHA1

          5875066301e50eda91c909603adaa0af3feb8f63

          SHA256

          2486aac16eeae2d8873aafd70759b9444129da6a95130081a7cca0cfce5daf6c

          SHA512

          8acbddf9ca368088a76adf2712559f38e0da3f5dfdb4c280d225868c21cc39aafd9841cbce3639870ef04142f84a1c4cd887dddc60a37a3359c64eb3ef205028

        • C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe

          Filesize

          90KB

          MD5

          667b8e3f9f6c038e298a5bfefbd8af53

          SHA1

          7d5c1c017150413b1eb0ec2a4fd7be8844cdf136

          SHA256

          0ba68916f9fff81b0e9ca14f22b46dc1d8984e2d75dd8b82d652cefc36db1393

          SHA512

          6c34147c0a2a6be22a71252e47e278187e80b831bdc4fb53a0382442f3482e91becc6be52ce0cedd1d766c08beb6315b596329dff24cf8b46cdd80bb27d37899

        • C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe

          Filesize

          90KB

          MD5

          d25b1dc1c20ef599974c3b1b00ba0943

          SHA1

          226cdc015c718145d7283a73825e8a7263c44d33

          SHA256

          5a0cad8af25528a5f57e641023f65ba51321cf9e42489427f7adbb18a8b0dce5

          SHA512

          8318cc37fdb5f88efc988814f93ce80157f69f5b50ef7023fdcffcd197dc9e5721be1421e73defc2ae934d532e0e4e4fd6cf39e44bc3e2f15958602dbb78dcec

        • C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe

          Filesize

          90KB

          MD5

          91605a3aaff0117aed162c45b46f4e67

          SHA1

          238804d6077cceb2cb87723184b81777007d1b7f

          SHA256

          d790f038b420b7940796074a02b00daa4dc42286b174abb4a8c437fee1df9a49

          SHA512

          14e295ca7bdeac41c5890d9b983ae6e88daabbb9994e789ac63f21c4eb002dbfcd7239f3fdbf32b626171951c3326beaa023f98678798ff4d80bfca286b4025c

        • C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe

          Filesize

          90KB

          MD5

          e7be5fcab508e901792b7702cc17ca34

          SHA1

          a12514f150427fa95b3cb4bafed56b38da8aca9f

          SHA256

          9a81f08e9375e9c6719287496ed7f6c488afe1963bcbc9c80f1a875359b729c0

          SHA512

          4416b9f25e64f9b53b14ef549a2e0cd55f954de07748b4aa71b20c487b9576493132b85ff3fa4cf8af5a51a8f4110f87f8fcb7649cef96523a86954df96f0e2d

        • C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe

          Filesize

          90KB

          MD5

          6f2be1ec9bb323df600f6be3aee4ef51

          SHA1

          1532885eab1f9cb9c11010c9fe06ffe0114ffcdb

          SHA256

          b8144fab3bfa136321096270617846fab0a3ed68bf1dd38252ef068545efd8bc

          SHA512

          e3f80a1ef013d69f8ec2d1a36f90f3cc918ca720d7c4b1653309f7709bf4cb077cda8f17dec90b9558c30f51402321d057c729a8734f0596bdb4b58aa20d7e27

        • C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe

          Filesize

          90KB

          MD5

          03c49e9812d7cf15b2ba6dbff80e399f

          SHA1

          54ad0781a9f8cf04ff7dd51ea7f047bfa9add8de

          SHA256

          c18d4847ea488aa96f91f36935a12eb67b403b8bace19d04a4bc33b342be26f9

          SHA512

          0be40a4e6ef5f6049928cbd6d42b07a121d222408ef3facdfdd61e54baa6020ec3d3a0fc5cbb0bc2a522bea48d007380e82f93662fdfbf52e3b5d931f0e27ab6