Overview

overview

8

Static

static

3

bb626b35d5...04.exe

windows7-x64

8

bb626b35d5...04.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb626b35d5feb2b2d547b62c95c38d9acb757e57eb5da3d2f7b190b77e3ca104.exe

  • Size

    87KB

  • MD5

    10d57fbd518d6fc3da7ceec4229ce4bb

  • SHA1

    15ccb82e0f02a4b15057d10c70a0d6288ee5cef7

  • SHA256

    bb626b35d5feb2b2d547b62c95c38d9acb757e57eb5da3d2f7b190b77e3ca104

  • SHA512

    85b1a69e4fc7aaa2cc7ad30904b9e1e70c53f0b3d722e3828a2e7004b13c2d4416679e0169d39a571ad3666879733af67d7ad4b61f13db79c916bf3edaf4fa69

  • SSDEEP

    384:5bLwOs8AHsc4sM6whKirog4/CFsrdk5I1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOF:5vw9816uhKirog4/wQNNrfrunMxVFR

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb626b35d5feb2b2d547b62c95c38d9acb757e57eb5da3d2f7b190b77e3ca104.exe
    "C:\Users\Admin\AppData\Local\Temp\bb626b35d5feb2b2d547b62c95c38d9acb757e57eb5da3d2f7b190b77e3ca104.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\{8C2FC82A-0A67-417d-8D7F-B6AC48C49BDC}.exe
      C:\Windows\{8C2FC82A-0A67-417d-8D7F-B6AC48C49BDC}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\{74CE04B7-3EE8-485f-AE8F-65644A4D12D0}.exe
        C:\Windows\{74CE04B7-3EE8-485f-AE8F-65644A4D12D0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\{9DA14AC7-DA3A-4130-A93A-F03064AEA2EE}.exe
          C:\Windows\{9DA14AC7-DA3A-4130-A93A-F03064AEA2EE}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4564
          • C:\Windows\{4F81D0DB-64A6-479b-B752-4526A6A11170}.exe
            C:\Windows\{4F81D0DB-64A6-479b-B752-4526A6A11170}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2500
            • C:\Windows\{EEE30C8C-A858-4b6e-9254-22BC539219F3}.exe
              C:\Windows\{EEE30C8C-A858-4b6e-9254-22BC539219F3}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4844
              • C:\Windows\{0DA9845C-FE40-4a7c-95DC-E15697043CBC}.exe
                C:\Windows\{0DA9845C-FE40-4a7c-95DC-E15697043CBC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3200
                • C:\Windows\{F3BF1DA6-6794-488c-AD46-6374B685BB27}.exe
                  C:\Windows\{F3BF1DA6-6794-488c-AD46-6374B685BB27}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3564
                  • C:\Windows\{0A6A8965-210D-4c25-98E5-D1DD3F930FCD}.exe
                    C:\Windows\{0A6A8965-210D-4c25-98E5-D1DD3F930FCD}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4400
                    • C:\Windows\{9235C77B-C389-4c32-B26B-8308FE0DE6AA}.exe
                      C:\Windows\{9235C77B-C389-4c32-B26B-8308FE0DE6AA}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2736
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A6A8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4584
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3BF1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2424
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA98~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3436
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE30~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3496
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4F81D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2820
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9DA14~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{74CE0~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C2FC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4212
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BB626B~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{0A6A8965-210D-4c25-98E5-D1DD3F930FCD}.exe
    Filesize

    87KB

    MD5

    a4f3a4b08038f1564b8c061f2b774226

    SHA1

    7426fe7d2eede8aec6a5cf94eeaf1f74754004f0

    SHA256

    ab4d7e7174be179adca03e8d81e9c278c9517481e34dd2acc53532a6e31f7019

    SHA512

    5e34a1dc965e50c34518e755e3065841326745e7e972087973b311b5f12a2d9eea91873888a20f8d8a24a82bff4f6d0eab67a31be78b0c8c0cbc75b0367f3402

    Download Submit

  • C:\Windows\{0DA9845C-FE40-4a7c-95DC-E15697043CBC}.exe
    Filesize

    87KB

    MD5

    e98750b997cba5b5fcce6ef009648617

    SHA1

    ad3bf9333e66054d5ac16216de9e9d1ef193e074

    SHA256

    cdf355d2723040689e74ed3996ae6d8ef258f87ef8999a069c248f1d5f411637

    SHA512

    9ff197b64a705688d612ab996bd3afd8fdf73e303064b4d12d863d88975863b0f715ada7d024890d025e345d6f3256fc628cd7b9a6955303c9e41163c36f61c2

    Download Submit

  • C:\Windows\{4F81D0DB-64A6-479b-B752-4526A6A11170}.exe
    Filesize

    87KB

    MD5

    c68c9010f4170aec417274bbab4511b5

    SHA1

    ee204f55862f51e5a6ef11e3b979e7678b30c263

    SHA256

    9f0d5d16f72ba43cbe47127d673b53ca4ba173d29c0346bc589e74f14a6e0685

    SHA512

    f054f584ac8bed26f691975bb7350016995d72bc1b0e87e107a464ba59362e13a5a1239afdc8a869d947c67fb6cf79b86f4a3d70134d3c3c16d8a91e80ce6ec1

    Download Submit

  • C:\Windows\{74CE04B7-3EE8-485f-AE8F-65644A4D12D0}.exe
    Filesize

    87KB

    MD5

    d681484178ac0fef89d3dbfacbcc5a38

    SHA1

    4f5d1843fa7a271321bc05287691728ccef18bc9

    SHA256

    74bc09c684c6888536954c5881f4e5c1bca3a7acdd33f01be7579640c72b708c

    SHA512

    75df2c137ce1ec512b20d0be166e975f5f90f259a59571c1658e9b64b3dfa8c7fa9686bc4009bd7e377ca875a91f920e251190a41a70e023d45e2e90d4c5be02

    Download Submit

  • C:\Windows\{8C2FC82A-0A67-417d-8D7F-B6AC48C49BDC}.exe
    Filesize

    87KB

    MD5

    1119e6a88cac98684738d855debcf3f4

    SHA1

    2775e149e0bdbe318f35e7dd670c52bf92b41599

    SHA256

    26c9af65a21adb2fa45bdb1fc5c489b013bd73246d824b9fd4b1d9c9cf9bdffc

    SHA512

    d842ddc82f8006031b08c2e5bc9a6ffbf14481c8046a32fab6f628ff7ed5c90cd264f6fee2eb407521bacad9e4458e185b57519aea615b6acbdda8efbd077df9

    Download Submit

  • C:\Windows\{9235C77B-C389-4c32-B26B-8308FE0DE6AA}.exe
    Filesize

    87KB

    MD5

    4aba4db5d294c8a81fac363a8e5379a4

    SHA1

    bc242d4e0387515e486fd8cddbd5fc53f7443b53

    SHA256

    67905353ac1f992262475e398f52373ea278cbc45ba8880b26e5607329acb133

    SHA512

    52b14b98830d12aaa46f3b0413bd9cfbeb039ad80ebb384c1555e504d268248bd405d3262c1ef593b2d750caf582e99a06c33a6744754042ed079a1e4aef49f7

    Download Submit

  • C:\Windows\{9DA14AC7-DA3A-4130-A93A-F03064AEA2EE}.exe
    Filesize

    87KB

    MD5

    c0e1db80956ba676bef6d23c7e220b16

    SHA1

    d4d36af57da7641a4533464cde14d0289f3490d7

    SHA256

    8eb75229c7741f7d371270071653231d045206de5222bda0ba222b6ab14f6496

    SHA512

    a2e056bfcd7065e5bf1c5805540f6ad464803e83ad7041c6856f752861062970b133b6d91fa40336a0646b184606afcf96c794149f367387122ec9c3a6ef3a41

    Download Submit

  • C:\Windows\{EEE30C8C-A858-4b6e-9254-22BC539219F3}.exe
    Filesize

    87KB

    MD5

    a803735b33f08380870b2f999f7340dd

    SHA1

    b63aabe5b83fc5030f81ae7a3976a406bf1b4a89

    SHA256

    a14cca76f699967acac0f57e1c5692e4d36b6e2f96a2f170f5bfa99aa9cb53b4

    SHA512

    a8449316a16507a5f9f6fabb02ea6d7a15fed8575bf93403444a8db1ebea0e00745ceb624dc290eabe8e6a2b2a929a228da0ab88c3a982e5ec921c3f5e8b45d8

    Download Submit

  • C:\Windows\{F3BF1DA6-6794-488c-AD46-6374B685BB27}.exe
    Filesize

    87KB

    MD5

    02edc076ab6b8e53b870175b83db94d8

    SHA1

    701bc730842e5003252e3ddeb3323766854cfaf9

    SHA256

    94b7745bba34e3132af1ee6cb0bd7fdfc9f085858aaade5027321ad556bac12b

    SHA512

    ecf684dc7533bbd2c63995a98779b53d78ed0eb4c8cc53af2569597fb380ef95be090e8d682ddb498584ad5556532c6b4285ff5f564b56588b7392a55f65166c

    Download Submit

  • memory/384-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/384-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/384-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2188-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2188-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2500-29-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2500-24-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2736-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3200-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3200-37-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3564-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3564-46-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4296-16-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4296-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4400-48-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4400-52-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4564-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4564-22-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4844-35-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4844-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download