Analysis

  • max time kernel: 119s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 12/11/2024, 11:54

General

  • Target: aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe
  • Size: 79KB
  • MD5: d47cd63e85931c9c07f9f7a9526c5ef9
  • SHA1: 7b828535c235871a9cde0ddb8bac6be88b0a9baa
  • SHA256: 4f4d9cf53a05df7f2a0eb520737b83586ea875090d2eceb7fbdfe969b871fc9d
  • SHA512: 596dfbd1352b3a5fe0821d7e6024c3b28c18233bdd1a0af257f731463f9b27a7a9c56cb13e6913ce2352bd4ad9dc79d271d7707eb9b97a6ba5a914f896223825
  • SSDEEP: 768:4vw9816vhKQLroe4/wQpWMZ3XOQ69zbjlAAX5e9zg:wEGh0oeloWMZ3izbR9Xwzg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe
    "C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe
      C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe
        C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe
          C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe
            C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe
              C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe
                C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:348
                • C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe
                  C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2328
                  • C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe
                    C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1420
                    • C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe
                      C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2952
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F20DD~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2220
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{25F6C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1248
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{50B4F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1624
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D05A1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2792
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D57B6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1536
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1A23C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C6E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2600
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF5A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAE0B1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2380

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe
    Filesize: 79KB
    MD5: c70fde1c1574978736f7498bf4fea0d1
    SHA1: 58dbf70743c74bed7b6e3c82b60a8c06f5163507
    SHA256: ca49741fccd80f07106bbc992e5f6ece17ff6fbecee6c85567c2a746c39810aa
    SHA512: f7e03d3addd59b32ff9b98b7521febb9e6c2b29f81a3738d1f44851c2c1b37f86e83afacee7437b266156fe51b0504328e59d68d31c5cf13c47f92850e2a3e6b

  • C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe
    Filesize: 79KB
    MD5: fa93b4846d68528eabc40ad11f58cee8
    SHA1: 7e4e686e210ab2849212a6e7827311546c4ce895
    SHA256: 6311161dba08bdae6c4e9231d437dce5a3432e94a95538f8e06493a7405ebf22
    SHA512: 934c68b1a62538b9c850b136da11f2125d89d288caae5f2e5ea6c8df3f5ff1d374c87562369174b5dc5bec070a94d317e71b15e65f3fe77071c77b251b44177a

  • C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe
    Filesize: 79KB
    MD5: fde9e7a0a210fbe613555f8b1448b716
    SHA1: c288d302b33da89b7ce1e238171f760d0de335fa
    SHA256: afdf8a41bc6bebf0102c884c698c3c3b26a3cf04f658d340a64d1068a78e5a1f
    SHA512: e91bbff83f09ea2b75a3f9d4e11be50cd75a9582efbaa8da81e232e466101e09c66891a2056f95b89bd02fb61aab3e813ccff4b2c0153796c91d9a607784ee5f

  • C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe
    Filesize: 79KB
    MD5: 6f7d4d91ba67164cf496ecf3368ae678
    SHA1: aca6b11174cae0091ac61104c854f25c107a2a56
    SHA256: f1670ba78275459d7019c960d32f57250b729328c18255c55c357814769074d4
    SHA512: e72b5517ae8f8feca8a461a5f67a817b0020b540bb4d86993c603f3fe9d96e963062bc63aabc648ca497aa2cc16043404dae45c936b8760e4ad06917ab3d94a5

  • C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe
    Filesize: 79KB
    MD5: db4a64a7c61f7e9063dd8fbc2da44f7e
    SHA1: 94cb313c00a8b1f79acf30581b29c7fdcb309a21
    SHA256: 9b5306440ae97a56b9c9d0d59270a3c87576729a8fe111df9632e2b24a2d5e37
    SHA512: be477969350816be00790c6bc62ff9fd091827535f31ee04434fbc9809664e03d377d379a1e72e78d41da0e5b14b309bc36d302c438c593c3efb8c83ee878c10

  • C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe
    Filesize: 79KB
    MD5: 703fc283c0621abd0871e4982a008d74
    SHA1: 37b1f85192978210f861b3adc025b34c4bde67c8
    SHA256: 205b8753fc35516b4e938f26004c7da2646abe5c0a0453ed82a3c00ff4616371
    SHA512: 2c533002c1efb43f86b93eab2d7a65931a58acadad208cd6c4abcb45fbdfec450c8bd3bf218790f7211e1ee485a554f8df9173ac65ff859346a1232808622339

  • C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe
    Filesize: 79KB
    MD5: 3db51fa482f8aad0d0a7a2c494ab9587
    SHA1: cfb1772f5afb9d9e1f900f0d8c7961c5da659a6c
    SHA256: 65365886a6c8e125d6cc4a8d80ed0743082cb3e5422ec9898c322b684e5ff765
    SHA512: f07f397979b25bd35c232fd765a0d8bd8136f1a0ee25a34eb643b9e3bebace71d520f86dd7af198b0b75f74a064a87f92417282e10b035815af6b826ebe63a2a

  • C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe
    Filesize: 79KB
    MD5: 726d85c74b266b18630dd35343aa7a32
    SHA1: 22bbcad612ad51c26a36114d8429320c03bd906d
    SHA256: e159f1d4dd980bb303d21156ead2b048bacb187e1cc4b38401a297c1303c3a3e
    SHA512: 30311ee7a16d56a1b03e1894c6a91253d80ac749def5e867e0d3c8404825a5f2922d0a420c406917a432a7b0b26355f5cc5cab08df15c111065a76d64106d716

  • C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe
    Filesize: 79KB
    MD5: e31768f51fd04c824a945366687049fe
    SHA1: a8005e1484ac949f12956d0fd75133163c9f69bf
    SHA256: a70918d39c65595947ea7aea10e11dae73f5b28cbbbba5972cd0a45d3e994d5d
    SHA512: a4811657e888a89399d4a57fe7176c1161f98785bd1565b3438f551a9742a947b6044da1f0c51ab00947bf7443788d679d0ac76c60bcd4db3982d32085169ba3