Analysis

  • max time kernel
    118s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/11/2024, 11:03

General

  • Target: 317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
  • Size: 79KB
  • MD5: 9c83ecead24ac45cc0bc23f31be146b7
  • SHA1: 7459ba28d5f1d36f8e7cee27a3c884e2d7a8857a
  • SHA256: 317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a
  • SHA512: f14454dafb37d97a2ae39817c413d7944e84bddc39436b779e3d701d465cf09df01addc25490514e9aa3410b046bd38b12dee337b6e2c1df5a5b06cf11c602da
  • SSDEEP: 768:4vw9816vhKQLro64/wQpWMZ3XOQ69zbjlAAX5e9zp:wEGh0o6loWMZ3izbR9Xwzp

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (9 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
    "C:\Users\Admin\AppData\Local\Temp\317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\{3BDD6E4F-80CE-4f04-BF76-0DB53E954D32}.exe
      C:\Windows\{3BDD6E4F-80CE-4f04-BF76-0DB53E954D32}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\{758B2C49-72E8-4d89-A599-8DE8E8D54B1F}.exe
        C:\Windows\{758B2C49-72E8-4d89-A599-8DE8E8D54B1F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\{4416260F-6840-4e7e-A49F-F6B93C2A35CC}.exe
          C:\Windows\{4416260F-6840-4e7e-A49F-F6B93C2A35CC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:396
          • C:\Windows\{A35DFFD5-3F89-41b3-B8C0-5247D21574E5}.exe
            C:\Windows\{A35DFFD5-3F89-41b3-B8C0-5247D21574E5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1124
            • C:\Windows\{8EE34517-7424-4b28-9705-219CBA76696B}.exe
              C:\Windows\{8EE34517-7424-4b28-9705-219CBA76696B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1652
              • C:\Windows\{EDEB67BE-68D7-480c-8235-AA5A914DF907}.exe
                C:\Windows\{EDEB67BE-68D7-480c-8235-AA5A914DF907}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5016
                • C:\Windows\{B84AA242-626B-4756-B325-B175E3EC934E}.exe
                  C:\Windows\{B84AA242-626B-4756-B325-B175E3EC934E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:336
                  • C:\Windows\{8932B0A9-D482-401c-8265-6CEF1AB7F3C9}.exe
                    C:\Windows\{8932B0A9-D482-401c-8265-6CEF1AB7F3C9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1504
                    • C:\Windows\{B48339F7-4ED6-4933-80CA-C5D00A5A9790}.exe
                      C:\Windows\{B48339F7-4ED6-4933-80CA-C5D00A5A9790}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4352
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8932B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4388
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B84AA~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2500
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EDEB6~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4708
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8EE34~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4540
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A35DF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4500
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{44162~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{758B2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BDD6~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1236
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\317FDD~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{3BDD6E4F-80CE-4f04-BF76-0DB53E954D32}.exe
    Filesize: 79KB
    MD5: e442c5b7c1c15c11456adf8792888d01
    SHA1: c456fac26531df59c73a660bedf178a276ba009d
    SHA256: 18e911d41c44185c997f52ddb373b682bae066dd9e3b5e8403b7acfb9928ec71
    SHA512: 89809d6f4ee47a361acdf597524397540b50de9579596cfd70c20fcd12d8fa6522ab6b97541abb436f5b0101895c3ea422fa4ad9e7235058ce9ef1ba003c632d

  • C:\Windows\{4416260F-6840-4e7e-A49F-F6B93C2A35CC}.exe
    Filesize: 79KB
    MD5: 4170dd102f8014fe9361c43b39a770d8
    SHA1: 8103bde11230a16823202f546723b97686de3aee
    SHA256: 067ddaec94d88782d33e06289b3904e967b6dd7caa456379268c74ee243c9599
    SHA512: fa4790657efe018909b19280c49866c600a2e230d3711ce761fef1ebb96fd63d8870e5bf7d5abf18b336ee80b7d80b30a750826f7ea632a181e49a7c35800aa6

  • C:\Windows\{758B2C49-72E8-4d89-A599-8DE8E8D54B1F}.exe
    Filesize: 79KB
    MD5: 7db528112d0ee6bf9b9d3c3ab6d309ee
    SHA1: cff84d2caab7e901ac9154fea8067da29a533d55
    SHA256: 31eb7c91bfba732211d800e4ba2dc08b988db8c86da77e61ab07fa6017adc81c
    SHA512: dd3148fb494d11232bdded1d487d6083b798581c2d85fa4060d077a9d81736b5b5f329dc7e10cde9b1b7c848917179f5ee17a418d792e9ca249f62549b61c175

  • C:\Windows\{8932B0A9-D482-401c-8265-6CEF1AB7F3C9}.exe
    Filesize: 79KB
    MD5: 0f8d053d133a31e29d1d31aaec9e4813
    SHA1: 161b1ff6566f3ce5471cb85a2c0fe2759b35b6ea
    SHA256: a3f99774db237395099879f30d95bb90587f374f7b41d06fa109229023adc777
    SHA512: e9f96bbf79925b043761004942e871ab623e4ba5b625d72a2913e00363d2b14108ac9e0dcc521dd7b530753a66db1e272693e6b93e3157783c7bf19d98a024a4

  • C:\Windows\{8EE34517-7424-4b28-9705-219CBA76696B}.exe
    Filesize: 79KB
    MD5: 1f250cae8a25fc2fc28f7d6ed1df3169
    SHA1: 8d5932cefc405fc3ca43a697d3c7c210b9f54a79
    SHA256: 1d105dd471d7fbdb3320581c238aa8f616799d499642d843ae9082cc940227ff
    SHA512: bb4d936cff0137498ac8d93a3c51fd62a3087ba1a513df62590ce56c49189c543b04044ffed4d2a7207b590242b9454a9dfb51a31883c835f1e8069b2716957c

  • C:\Windows\{A35DFFD5-3F89-41b3-B8C0-5247D21574E5}.exe
    Filesize: 79KB
    MD5: 9f70f91a962be23a4a12e4314611181b
    SHA1: bb9e392cb43b1404cb2a6c80bec03106bc39d2ee
    SHA256: cdf57db5adf3aa9aca70e2e9bc007ad49d264d3e09018304d090a2b34222abc7
    SHA512: 45fcd8c38501cd563487d266647608ff4359e25709e141033835774900279b731cc449b10335959eaa26cfe219c2d634aa020b05ed8ab8657ec70b7d894fb197

  • C:\Windows\{B48339F7-4ED6-4933-80CA-C5D00A5A9790}.exe
    Filesize: 79KB
    MD5: 98cafc1bb4322c9908f665551f337119
    SHA1: 61bcf34026d15425c1d06cef94e311762852c01a
    SHA256: 797ced7b8f5b852fa2877e272b231ca2e8b7f3bef894c00a47112ef34b075270
    SHA512: bbadcc0cd7cd3e41d53ce2df393fbba644f239979f80f94807900c018e39e0c4fee5881fd7a6273b93e386d901e583ba9899959aff697e1176aeaa5bc4084989

  • C:\Windows\{B84AA242-626B-4756-B325-B175E3EC934E}.exe
    Filesize: 79KB
    MD5: 18855c5987564ffc3018b25ce48f5706
    SHA1: 92e1241d298986a7f5c678c518fe4ac1064d3371
    SHA256: ed4955eacc2ddf732d3dfea4a93c85a47cd7510558bb7dbac190b9ed7588807a
    SHA512: be7a5dd6b6384a9f89288d7217b4a70061355099afeb2f1fbd4841598774fa39739f045bb3ad278829930417014b104af5e8f2d0a311993f84457d88025f3c95

  • C:\Windows\{EDEB67BE-68D7-480c-8235-AA5A914DF907}.exe
    Filesize: 79KB
    MD5: 43a70e65c181c8655efcc7178134ab0a
    SHA1: b9a6df8b03b0e3670bd7619b41f8ad1a6c2a1de2
    SHA256: 834600b6cb43e7de7799312f999185b71cef6a2c853a636f7886bdf249b4e246
    SHA512: 6dcd46ffd4db1482d69000efbc6219d7312c354da1c6ed951f3efd82a23085f116c20bfd081762c3798127240832a6f658e11ca2dffdb75fef082e84bc983c78