Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 12:02

General

  • Target

    449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe

  • Size

    90KB

  • MD5

    c7c1619de6fffe00344fd1cf305bf90f

  • SHA1

    71dba18f0795099f0ce43f77f38e1c22aff18b8b

  • SHA256

    1132de8a4f69e915a2a8a55ff1468a0676c89581b5513847febb35fc4c6ee730

  • SHA512

    27de386433284d465977c6a0e449a900a96d08ed532a2978c652b2ddf841e55f99c75ed46d99d2c99b3e5170fe331072d15f7d5a6da2f0641febace1edaaafba

  • SSDEEP

    768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7gl4:YEGh0oHl2unMxVS3HgG

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe
    "C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe
      C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe
        C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe
          C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe
            C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2792
            • C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe
              C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2468
              • C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe
                C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1740
                • C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe
                  C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1240
                  • C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe
                    C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1456
                    • C:\Windows\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe
                      C:\Windows\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2432
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5FDA8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2652
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{24671~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1612
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{49989~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2028
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9FBDB~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2100
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B40E0~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2600
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7C517~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{402FA~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F40B7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\449984~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2640

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{24671832-D1E0-4206-83E5-4C41DCECA58B}.exe

          Filesize

          90KB

          MD5

          c7e3be925eaea78d499d6f0c78a0bfa7

          SHA1

          b1c98dbd6eadf956ebf23b8a7aa9f4a9bc58cade

          SHA256

          fc43ed26187a0c4aafc4187846da4dc06de7a7e3eb3221bd17aa60731b398d58

          SHA512

          0d6ec1e83f8f7fd9feee40deab8e3750d7cc96d62cbed6bde59223280b92f00424648a8e56612d52b45ef9ae7159904fd816c76eedc253c527d54d095f735937

        • C:\Windows\{402FA2F3-38D5-467a-B038-56CED5E17AA1}.exe

          Filesize

          90KB

          MD5

          3db363094444b957ae2390ba77714294

          SHA1

          c32845c37edace4cd5c23909848079ea68338f4d

          SHA256

          687303dad969280b55e5b15e612fa858f3a21cb996e07b1fdedb27d967010d0e

          SHA512

          e1728536edf31b41fad9212f7b39a818d7cac1b21e83f68f68d2b10a8a7bca32a689251b8e98e164b1bb7a71516b3bf8ae2dc3c1d934c52ccb31b40db1d931f8

        • C:\Windows\{49989BCB-BCFB-46ce-B02D-333FE534EB2F}.exe

          Filesize

          90KB

          MD5

          237987f5477df6817a726c558d4d9808

          SHA1

          6a934def7d5cd1222b0c7038f7c751177b12a67c

          SHA256

          2c2a15bdddedc71658f33c8b1dd11473e9b037050c03a079e9d0fbb90815df0d

          SHA512

          e63be8cb5da68e76b3a883a498bb8714246c0b5493950c2d302f385ef10d6709c12908563ee2424b27ad9d5d6c900a67acd46e030a941cf22ae84168af3f7525

        • C:\Windows\{5FDA8D5E-4749-4be3-901E-0004F863014B}.exe

          Filesize

          90KB

          MD5

          8f28bb3f6bc96da8e9f2089522ded173

          SHA1

          c27cb85ac4c3bb6f31ae64ed2202596920fa9a49

          SHA256

          5261c7e066a6d2f68633568eaaea14bc89dfa7ba5bebee213f354a414374cda4

          SHA512

          e374841b0e4a6cb345598f331fdaef07091dfd9caeaf4f8aa412385e5f2ea2a9e12ce3b8d6a027050f10184b4aa1ed7c21eb286b72ccbdd03a2846686ae7b620

        • C:\Windows\{7C517047-EB52-445a-9C89-89E52197860B}.exe

          Filesize

          90KB

          MD5

          2f8f22c0a36302d9019f9d38bd783f3a

          SHA1

          b207e0a4ae4bad92209d1aae26e3dc785828ecf7

          SHA256

          5da96a342a1eca174981e5cd2aa900b62a242d5fda6fde6b964a2917ee5865e6

          SHA512

          af167ccf911c08e6d650703cf0f9b2ffc33319630205ef5825edb2c3d485b459f331b297a9c04aae615ac651c707e69ad32d20626e490069fd8dae9a59280c83

        • C:\Windows\{9FBDBA36-C45C-4519-8B9F-0C2C9DC437E6}.exe

          Filesize

          90KB

          MD5

          22b53b7f2d215f4200c7aa3aff71ad94

          SHA1

          7a7e9c437145513830f7a60ca9ca111bd54ee67d

          SHA256

          8154260b68544873a1d2d4c99f7e39a1b85355cf4a3ad239caa6d2ebc11f8720

          SHA512

          db1fe928f82dde536b200f83679c32c579d9dd7b034e34311733c2328ceabbb6b159b36b7b512c49f99620a96ee4827dced674b25432d0bcb8bd5a0dea01c71a

        • C:\Windows\{B40E004E-F3DE-4183-8583-6FCF4AE1CA58}.exe

          Filesize

          90KB

          MD5

          84544ca5dd6c1fa334f39723f15de3aa

          SHA1

          5fba63b4006f5812d159ca2f3e5ea88ce1a4ae2d

          SHA256

          e4b08b13d6dfb0b544563cc7cf274562643874acbc9314af4eb8b2d669633cd6

          SHA512

          0cd7954126ee3bbdbc0fbfb3a31c3b2ba2ed8acd9ab9b66b83602cc6bafbfa9bff74440da209a7cc3213902c1fcfb0d0107602c9a07747dff2a76c5f60726eed

        • C:\Windows\{CC47532B-3180-46f2-ADA8-BDD03C5A31FA}.exe

          Filesize

          90KB

          MD5

          8374d91e3f5f4b892e017cb28b9e5a4a

          SHA1

          dde483dfedd8e336b7b2c4be5552c856499ea853

          SHA256

          76c1dff7035090819f07f4da886bfaa49963c0a128be876586f11b5139c01c97

          SHA512

          4abec7988e32dd7e5e0a097b09f41dbcf8d7caf343304300921006912dfa4c69ce33ad70136a8ffd5662cd03f977dd1583c4f1ec6352fe8ea10cfb7fdc45d70e

        • C:\Windows\{F40B7CBD-8DD1-4d9a-A441-0A9082614373}.exe

          Filesize

          90KB

          MD5

          4515dc7e1bdd4460afb039b2b4eeee8b

          SHA1

          95f8f27f4c5b2955e47b57daa949a403f00a86a6

          SHA256

          27b3417e19593a6ba0b53ed54b2cda9e961714093f8a609d08c8cbec4ad8c171

          SHA512

          7eea16061b5cd5a49d9f58af23efaa87951295b863e5848d46c1bf712650f13ca6442a4db8dc0a79e31c3af9abcd0625648e82b21d067d154fee545ca48973e7