Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 12:02

General

  • Target

    449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe

  • Size

    90KB

  • MD5

    c7c1619de6fffe00344fd1cf305bf90f

  • SHA1

    71dba18f0795099f0ce43f77f38e1c22aff18b8b

  • SHA256

    1132de8a4f69e915a2a8a55ff1468a0676c89581b5513847febb35fc4c6ee730

  • SHA512

    27de386433284d465977c6a0e449a900a96d08ed532a2978c652b2ddf841e55f99c75ed46d99d2c99b3e5170fe331072d15f7d5a6da2f0641febace1edaaafba

  • SSDEEP

    768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7gl4:YEGh0oHl2unMxVS3HgG

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe
    "C:\Users\Admin\AppData\Local\Temp\449984a440b3d8805843069d61000506c62e9e9c8c73eacb27f1fa55de29a9ddN.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe
      C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe
        C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe
          C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:980
          • C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe
            C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3396
            • C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe
              C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4552
              • C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe
                C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1564
                • C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe
                  C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4336
                  • C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe
                    C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3356
                    • C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe
                      C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:932
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C70AF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1756
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{12943~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4952
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{37DB3~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4344
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{72AFF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1664
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{59424~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4788
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{071AA~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{13828~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4236
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55B86~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\449984~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:924

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{071AA0F7-92F8-408f-A434-4C8379165464}.exe

          Filesize

          90KB

          MD5

          3b9a0ddf6e52116798361f3f17a2b84f

          SHA1

          f76de4c90352564a85ff735fa79a014d8acb9464

          SHA256

          070ecbfff2908c5108094b271fa70dd4e4c9ceebde1bda948d4b2155b1e4a11e

          SHA512

          a283438bad5e4282f429f3f6e22df42d453b1a6c1b5f6c7ae558a19d59ebdb418be7e358a8726e00ad920314c3492ddd3773d725a1dff8c1fd496860b57b9057

        • C:\Windows\{1294328C-014D-4fb8-B963-FDD6FD6F2745}.exe

          Filesize

          90KB

          MD5

          4258c4247e788d30168f8161f462d05c

          SHA1

          a51ffa0ae0387ac560b7e60572714ac9b7c59f88

          SHA256

          7214640cbf4e7b88f310d55adbb43e1f6d5be46ebb587f42cc2c21487e4c2f9a

          SHA512

          d932e0328c23d532fbcddca592c0003263cc4420106ebf8dd19f793e9c82ff51c80490c5d7d3f8c696a36091632f9da3ecb437951c8daf6117a6323ea8e7ad3d

        • C:\Windows\{13828EEA-C735-48e7-AD41-CCCC23DB16DA}.exe

          Filesize

          90KB

          MD5

          6c4d2a1961bb95f51ac3a15195144cf5

          SHA1

          9e75bdb35a18edc304254c380ca333038c45c20d

          SHA256

          52a4542fc2c45a1deb69bbc482c386492aa5eb4e15ab2bfee56d6eadb1a7b5b9

          SHA512

          25bc44380cec29e2f272291e80068587318785f369060138eb85969b802e4dd9f6e1c213899c888cb629be757d1b8cdd53862451b9e23cb813bf0060104a46de

        • C:\Windows\{37DB36FA-815B-4160-A971-68236282999A}.exe

          Filesize

          90KB

          MD5

          f0fab57bd0623d70d996097ca5e83a7b

          SHA1

          de2234f724f24c4338b38d26b2cf0ac15f52e9e4

          SHA256

          7166d1b08d4d86eb38c7d5a0fd3f54e3ea7da95aeef8462232215b976d218424

          SHA512

          27ec875299e42ba5ed268b9cdc087298e3d75a895826929d074837e0e691010faa6773b90403a817c09de57a275ac9fbcf1585fa848a6dbe8166236c595c69d3

        • C:\Windows\{55B86B44-663D-4439-A03E-D62DC9D15BD4}.exe

          Filesize

          90KB

          MD5

          b990dfc0ededfd963017dc82aa0948ef

          SHA1

          a16c3befbbe496711823fadac519712a05d03282

          SHA256

          ebb1d56b7fc9637f869b21ff918bcf76b6d29922bccd5263667f714e9424888e

          SHA512

          d48679636658d2d179a79550f05475b430f4c9332d4f28dc8bf75904f255982f8807d72fdda85989e262d87b08a40b787eef283fbd050ccd139a29c82595c903

        • C:\Windows\{594244E7-C045-46a4-8C3A-15CB14D025BF}.exe

          Filesize

          90KB

          MD5

          32045503fcd29c0685839929fb576314

          SHA1

          d04acf96bda21e329aebb96b3c7fba88e3a00a17

          SHA256

          a9ed8320010a58eb05217cd4e858a88b8054cb9c66749347f3fd878dd413f2e1

          SHA512

          37e47690200cb4a5c9a43741939f60d332fd06990fbb80ad50acfed14769d4d026e8fd16fc62459ff9547cfa7749526bb2e9e5ae365e2c5e3cd1f0b8838db835

        • C:\Windows\{72AFF128-1022-4ca6-B050-648EAECDDC2E}.exe

          Filesize

          90KB

          MD5

          4d4f18010b6da167220524bf5d717722

          SHA1

          8f2d36274671b2571212b7c08a94e830c8a9fde3

          SHA256

          d26b7254a2bf06f64fdf0f27b298af63b7a0e45c15cbe892bf620dfda84ab6a9

          SHA512

          cbf39ab5f87858a96220cef293b5fb6007c3e68a9615c6a97b795794f1088c38e354bd34438290959c0aa8014d79cb7b9941b6152c8eec93bdc264a16a8c9d1d

        • C:\Windows\{82E763B6-276D-4730-A2C4-757D466869FE}.exe

          Filesize

          90KB

          MD5

          1e4bb860f56bf494169e5ff77ed779b8

          SHA1

          9c0f9b62dd6b3e3a5e90fc9e136574dc947c0845

          SHA256

          ab9b4c3e70d2597188241d57ea0adbbcd8f556353a93a59e97c22311c9848a6a

          SHA512

          f6c703316a033dfa649b77638ea8e0b7e45a2e1a59a8ad189b3ef48ebb628f2aaeb0dc11581ef0f94c6e1bb43ae124a8d976bd964b9453c5fab8ebdecd250fd9

        • C:\Windows\{C70AF2B9-2705-4de3-9E50-02A1D2DCF3D3}.exe

          Filesize

          90KB

          MD5

          7b3a97f3026625a071771020163f9d0a

          SHA1

          ed459be7baa97201beba5630364608adbc80f9a5

          SHA256

          931e5bab0fe7b4490dc0a2f4fd2694e44cb0c3ecd6c7e98585ca0c296a58ed46

          SHA512

          3c325c8f89a11540ca414c1bac990f99f5fe9d4b4b10032d3cc6a5025243dbc6f4e58dc4c96680d52f1d3903efbb93522296d78b5272acb1c223a5d48c6b6adf