Analysis

  • max time kernel
    118s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 11:54

General

  • Target

    aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe

  • Size

    79KB

  • MD5

    d47cd63e85931c9c07f9f7a9526c5ef9

  • SHA1

    7b828535c235871a9cde0ddb8bac6be88b0a9baa

  • SHA256

    4f4d9cf53a05df7f2a0eb520737b83586ea875090d2eceb7fbdfe969b871fc9d

  • SHA512

    596dfbd1352b3a5fe0821d7e6024c3b28c18233bdd1a0af257f731463f9b27a7a9c56cb13e6913ce2352bd4ad9dc79d271d7707eb9b97a6ba5a914f896223825

  • SSDEEP

    768:4vw9816vhKQLroe4/wQpWMZ3XOQ69zbjlAAX5e9zg:wEGh0oeloWMZ3izbR9Xwzg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (T1547.014; 2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID>; the StubPath value of such a key is executed once per user at their next logon).

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (T1614.001; 1 TTP, 19 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)
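The Active Setup signature above only records that a key was written. To confirm it on a suspect host, or on a registry export taken from one, enumerate HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and HKCU\Software\Microsoft\Active Setup\Installed Components and inspect every StubPath. The following is an added example, not part of this report or the sandbox's own tooling: it parses a constructed .reg export and flags stubs that are GUID-named executables sitting directly in C:\Windows (the drop location this sample uses) or that live outside System32, SysWOW64 and Program Files. The regsvr32 entry is a stock Windows component; the GUID-named stub and the AppData entry are hypothetical, since the report does not state which StubPath value the sample writes.

```python
import re

# Constructed sample of a `reg export` of the Active Setup keys. The regsvr32 entry is a
# normal Windows component; the GUID-named stub and the AppData updater entry are hypothetical
# (the report does not say which StubPath value the sample writes).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}]
"StubPath"="C:\\Windows\\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000001}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe\" /q"
"""

ACTIVE_SETUP_MARKER = "\\microsoft\\active setup\\installed components\\"
ALLOWED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# GUID-named executable sitting directly in C:\Windows, the drop pattern seen in this report
GUID_IN_WINDOWS_ROOT = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def _unescape_reg(value):
    # .reg string values escape backslash and double quote
    return value.replace('\\"', '"').replace("\\\\", "\\")


def _stub_executable(stub):
    """Return the executable path from a StubPath command line (quoted, or the first token)."""
    stub = stub.strip()
    if stub.startswith('"'):
        end = stub.find('"', 1)
        return stub[1:end] if end > 0 else stub[1:]
    return stub.split(" ", 1)[0]


def parse_reg_export(text):
    """Parse a .reg export into a list of (key_path, {value_name: string_value})."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = (key.group(1), {})
            entries.append(current)
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val and current is not None:
            current[1][val.group(1)] = _unescape_reg(val.group(2))
    return entries


def audit_active_setup(reg_text):
    """Return (component_guid, stub_path, reason) for each suspicious Active Setup stub."""
    findings = []
    for key, values in parse_reg_export(reg_text):
        if ACTIVE_SETUP_MARKER not in key.lower():
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        exe = _stub_executable(stub).lower()
        component = key.rsplit("\\", 1)[-1]
        if GUID_IN_WINDOWS_ROOT.match(exe):
            findings.append((component, stub, "GUID-named executable in the Windows root"))
        elif not exe.startswith(ALLOWED_DIRS):
            findings.append((component, stub, "stub outside System32/SysWOW64/Program Files"))
    return findings


if __name__ == "__main__":
    for component, stub, reason in audit_active_setup(SAMPLE_REG_EXPORT):
        print(f"{component}: {reason}\n    StubPath = {stub}")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" as.reg` (and the HKCU key); `reg export` writes UTF-16LE with a BOM, so read the file with `encoding="utf-16"` before passing it in. The allow-list is deliberately narrow: a legitimate stub that lives elsewhere will be reported and needs a manual look, which is the right default during triage.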

Processes

  • C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe
    "C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe
      C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe
        C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe
          C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3264
          • C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe
            C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe
              C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4964
              • C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe
                C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4540
                • C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe
                  C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4708
                  • C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe
                    C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1740
                    • C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe
                      C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4352
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E5791~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4388
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{55DA0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1280
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CE017~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2556
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{94DE3~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1988
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5F259~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1992
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{372A0~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D2933~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8BD7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAE0B1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2076
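The tree above has a fixed shape: each stage writes a GUID-named copy of itself to C:\Windows, runs it, and then spawns cmd.exe to delete its own image by 8.3 short name (`{E5791~1.EXE` for `{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe`), so by the end only the last stage remains on disk. Two details worth reading off the tree: the cmd.exe image path is C:\Windows\SysWOW64\cmd.exe while its command line names system32, which is WOW64 file-system redirection for a 32-bit process (consistent with the arch:x86 tag), and the `> nul` keeps the deletion silent. The following is an added example, not part of this report or the sandbox, that runs this detection logic over constructed process-creation events modelled on the first levels of the tree; the explorer.exe parent (PID 1000) and the benign cleanup command (PID 5555) are hypothetical, since the report does not show the sample's own parent.

```python
import re

# Constructed process-creation events modelled on the first levels of the report's process tree.
# PID 1000 (explorer.exe as the sample's parent) and PID 5555 (a benign cleanup) are hypothetical;
# the report does not show the sample's parent process.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe"
DROP1 = r"C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe"
DROP2 = r"C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe"
DROP3 = r"C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe"

EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2572, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2484, "ppid": 2572, "image": DROP1, "cmdline": DROP1},
    {"pid": 2076, "ppid": 2572, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAE0B1~1.EXE > nul"},
    {"pid": 1236, "ppid": 2484, "image": DROP2, "cmdline": DROP2},
    {"pid": 1224, "ppid": 2484, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D8BD7~1.EXE > nul"},
    {"pid": 3264, "ppid": 1236, "image": DROP3, "cmdline": DROP3},
    {"pid": 2664, "ppid": 1236, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D2933~1.EXE > nul"},
    {"pid": 5555, "ppid": 1000, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Temp\build.log > nul"},
]

DEL_TARGET = re.compile(r"\bdel\s+(\S+)", re.I)
# GUID-named executable sitting directly in the Windows root, the drop pattern in this report
GUID_IN_WINDOWS_ROOT = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def short_name_matches(short, long):
    """Heuristic 8.3 match: 'AAE0B1~1.EXE' against the long file name compares the stem before
    '~' and the extension. Real short-name generation also strips spaces and dots and can use a
    hashed stem for colliding names, so treat a miss as 'unknown', not 'benign'."""
    s, l = short.upper(), long.upper()
    if "~" not in s:
        return s == l
    stem, _, rest = s.partition("~")
    ext = rest.rsplit(".", 1)[-1] if "." in rest else ""
    return l.startswith(stem) and (not ext or l.endswith("." + ext))


def self_deletion_events(events):
    """cmd.exe children whose 'del' target is their own parent's image: (cmd_pid, parent_pid, target)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_TARGET.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and short_name_matches(basename(m.group(1)), basename(parent["image"])):
            hits.append((e["pid"], parent["pid"], m.group(1)))
    return hits


def guid_drop_chain(events):
    """Longest parent->child chain in which every child is a GUID-named exe in the Windows root."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    def walk(e):
        best = [e["pid"]]
        for c in children.get(e["pid"], []):
            if GUID_IN_WINDOWS_ROOT.match(c["image"]):
                cand = [e["pid"]] + walk(c)
                if len(cand) > len(best):
                    best = cand
        return best

    return max((walk(e) for e in events), key=len)


if __name__ == "__main__":
    for cmd_pid, parent_pid, target in self_deletion_events(EVENTS):
        print(f"PID {cmd_pid} deletes parent PID {parent_pid}: {target}")
    print("drop chain:", " -> ".join(map(str, guid_drop_chain(EVENTS))))
```

Fed from Sysmon Event ID 1 or Windows Security 4688 (with command-line logging enabled), the same two functions work unchanged: the fields needed are the process and parent process IDs, the image path and the command line. Because the dropped files are deleted as the chain advances, the hashes in the Downloads section below are what you would match against, and the parent-deletes-itself relationship is the more durable signal than any single file name.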

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe

          Filesize

          79KB

          MD5

          d5e7cb505ba7fcbc752d5f2e6cc78f22

          SHA1

          c38d4781f96cde21ab894f7ecd1b310e413e9758

          SHA256

          aa34d3441ddc7349f77fc74aa844274c53f33c6b015af38771c1dadc0d6ee353

          SHA512

          d1c0feafb960ad07728f4f9bc4de39e4f36e9207d8d75fb752b5bd3d42ed5f0b98b6b764d6fdcc012885ac640d918547d057f41a17c7e993d703447c513c989b

        • C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe

          Filesize

          79KB

          MD5

          76dee18ee8c1ab72aba5b1b7a004af39

          SHA1

          09e283681cfd0aa723388392de1fcd797807d546

          SHA256

          a9db0beae15dbce4658a32f84f1cffd37df41ed827ae33f5b79d770dfc59ea5e

          SHA512

          298e71a68d8202bfc96e75f53f84090bc0171509d106bc3e72f1156d2876c522a31a84a3e86b0ca1ad9f4f0af588334676d402133749c0d19acb9a99a9929e8c

        • C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe

          Filesize

          79KB

          MD5

          ee1d5cea364ffbc83826b74d3d06bb6e

          SHA1

          184b86ccb255c53fca750801305c5e78080c0a79

          SHA256

          79f83d3ff7f0f5b586c33d3343984b7e9fc46f83aca9617f42aa729f80f37c93

          SHA512

          f35b0adedddf8c48d81bece19910bc0df2aaf31312b7c2f007eea95f30672bdddda48c20cbcd67f9ffeb070f854863171898c5915af3e73487e232c24183f8ab

        • C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe

          Filesize

          79KB

          MD5

          9490138ad2a553ef80d158fbd52666f8

          SHA1

          a03bc435a0d5eedccbff2c58e34be517d49a7983

          SHA256

          ada6c711ebcbc8355675c7924ea2b820ffa381a5a69d92cb7cf49718d9efc61f

          SHA512

          8b453277c1f05ffc2ac51a5030d44d7549d9ceb68a8adf1db2a5e8ca1e8eb4ee534b0e05d36ea1dba97e7e9794ef1b234d392bfcc259b340bbf86e34ffe4f7bd

        • C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe

          Filesize

          79KB

          MD5

          a48f6646f28f7fe90a287b31d99f0dd1

          SHA1

          3aaec62ffda845926f2b6e778bb22237d690cdaf

          SHA256

          a1c80b4f9fb2bfbb605779b4315b74379a5006489a71fc561744f1ffa4dde6f6

          SHA512

          4f8d3efe9d581e11dd1e964fc9caa839a60e1c0ddd99243d1fc25e97ad7629e67a71bb603d14642e369ee00edc148f2bb89f2e45592d516bd1c4393d5765f43b

        • C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe

          Filesize

          79KB

          MD5

          3d7511af92463a8cb355d8e0a0864fb9

          SHA1

          4ccaabb0e68a83393e06d1cbebc91a53b55c016d

          SHA256

          3656ff46d413138e1052557670359b3b2dff46b26bf6e85878290a877d84455b

          SHA512

          32d0e1c640c9ca7f92558eda8a1bd9053f325c69fd7b57ee8932e86e230ae83bc261f357da29ab649cbbefc6b1ac3dc3d4230fb2b01f58375676596f868af4a9

        • C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe

          Filesize

          79KB

          MD5

          f37be09772eb46097ca0c20db4d74b14

          SHA1

          35dcf80e926af1c4b530840e6ca56ca53db0e8d7

          SHA256

          988546a59c051561eba171f92c93d0b9d1bc3250abe93e0b277743a1b0058687

          SHA512

          4acc6a03e38d959876844d002e51becaa4973f1937b3c1ba4e90ad6c33bc5f51fda2c04398484b21544e6b7c4af302c6eb3575bfda5a181606cb5ccf20e5a096

        • C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe

          Filesize

          79KB

          MD5

          2012f338e453a762823bcc1d12d9fc0c

          SHA1

          a3ecf3ee47857698e0b6637b03ee7a10e7b63680

          SHA256

          c4d5eea4f1622e71d542f837b5361de820abc2d7569dc884ef0129bf0e7170e8

          SHA512

          fee19596aee9360e60dc48175365b488cd1bcc5bf2e593b377ad3a9fce9dcf7dd7551efe6d3e00195978ba6deef61d84bd75bf9af2aa261acc27784041cb9fc7

        • C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe

          Filesize

          79KB

          MD5

          a053a79a20a5fd39641139f2ee1e6510

          SHA1

          70f8c2581bd821dbe8d7efa4f1e1b00a7dc801c9

          SHA256

          51ef7431faa1b2fb060b4d490649fa7704682c13711147c01e27d860a47b710a

          SHA512

          d2e6d9b3eaf8728cbf468dc3c0a7990dc9be11358646e02e07dc3ef5cb40f6d92a0e1ccdba1f21b78e1b0e0f9ac7483254434caed7eb73c530e7270c8ff7ab08