Overview

overview

8

Static

static

3

60c2ddfb5e...8d.exe

windows7-x64

8

60c2ddfb5e...8d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/11/2024, 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe

  • Size

    91KB

  • MD5

    7269ab455c7b9a4a1057231f3d52de29

  • SHA1

    99d3e9df99c784b1586b47d7cf9a25f3e29406ce

  • SHA256

    60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d

  • SHA512

    3304807af44bd1583e16fb4169620edd068ef0f054a90a902b2c6f37fddc53ba17dfbe56c46f153a2be8530127980bcc9f669998fdc89bc5387a0c70a2762282

  • SSDEEP

    768:5vw9816uhKiroU4/wQNNrfrunMxVFA3b7H:lEGkmoUlCunMxVS3HH

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe
    "C:\Users\Admin\AppData\Local\Temp\60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\{902AF67A-8FBB-4c62-86F3-A8D7E7C0B0FB}.exe
      C:\Windows\{902AF67A-8FBB-4c62-86F3-A8D7E7C0B0FB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\{A85FAB86-968D-41cf-AAEF-8775861F4C33}.exe
        C:\Windows\{A85FAB86-968D-41cf-AAEF-8775861F4C33}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\{8ECE86F9-CD7E-48a4-8FF9-E3A659B0A20C}.exe
          C:\Windows\{8ECE86F9-CD7E-48a4-8FF9-E3A659B0A20C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\{D37487F5-B7CD-41e0-B8B4-5B454033C0F8}.exe
            C:\Windows\{D37487F5-B7CD-41e0-B8B4-5B454033C0F8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:308
            • C:\Windows\{5C68FDAB-BC1B-420f-9462-4499EC514B7A}.exe
              C:\Windows\{5C68FDAB-BC1B-420f-9462-4499EC514B7A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:272
              • C:\Windows\{F6D1F918-02EC-4272-AA4E-7B6C3481605B}.exe
                C:\Windows\{F6D1F918-02EC-4272-AA4E-7B6C3481605B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2924
                • C:\Windows\{8B5CDD7F-D793-48d0-8A56-5F8CD8BB8679}.exe
                  C:\Windows\{8B5CDD7F-D793-48d0-8A56-5F8CD8BB8679}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2148
                  • C:\Windows\{D6ED15BF-AD52-495a-9C25-9FECCE06A38D}.exe
                    C:\Windows\{D6ED15BF-AD52-495a-9C25-9FECCE06A38D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:532
                    • C:\Windows\{7FFCA2A6-1AA7-40da-B70E-6AB2500613EB}.exe
                      C:\Windows\{7FFCA2A6-1AA7-40da-B70E-6AB2500613EB}.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1548
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D6ED1~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:680
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8B5CD~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1564
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F6D1F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1876
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5C68F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D3748~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2920
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8ECE8~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A85FA~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{902AF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2620
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\60C2DD~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{5C68FDAB-BC1B-420f-9462-4499EC514B7A}.exe
    Filesize

    91KB

    MD5

    ceb3f081e33652d039a0bd69116f5e63

    SHA1

    456cdcf2da74cd8720bdac386aa5a4375aad0b7f

    SHA256

    4a624216e4ce1acf48577324e66e45b7d330543132e3e0f4178d03b3a0323045

    SHA512

    12efa2b76fe4ba4d6347f7d5a9cf1c835d4efcd9840b8280324e5afadf4e4c2ac1f9b97c2476a9991405d7a2921c5ecc56722de3374cb0e4d5ad154ec10bdc04

    Download Submit

  • C:\Windows\{7FFCA2A6-1AA7-40da-B70E-6AB2500613EB}.exe
    Filesize

    91KB

    MD5

    564dad0d317cac748069600b7e0a6e44

    SHA1

    0b379522a2d8ddfacc43a6a549d2fde3f96c9338

    SHA256

    6acff8d451cb28a81fbfb7402d34685352bc90c596ec5cba7e7a7ba270e63c06

    SHA512

    ba854c0b10fcfdaeb6abe578628ffe42e27dfff70d62ceeb91ccfbc70f6781a652f43343b8ff8e087801fabb213f850816d8f4e3a6e824f9140e05ee8db90dec

    Download Submit

  • C:\Windows\{8B5CDD7F-D793-48d0-8A56-5F8CD8BB8679}.exe
    Filesize

    91KB

    MD5

    6b4d6c7beb2e0a954b549f18f5325166

    SHA1

    bfdf043fa54b897f1c29be3a8b705dd29f56c572

    SHA256

    6411e773bb7184f57bf33d80abd1c07ed68919de737a04832bad0250512b4642

    SHA512

    be99705f351f2a7ee549b25e5350d321fb18e319e622ea0f1f001072a1cfb8c946b945bff683676411595fbe3d3f86f032c6b84c9427ae8db11d09eb021a71f6

    Download Submit

  • C:\Windows\{8ECE86F9-CD7E-48a4-8FF9-E3A659B0A20C}.exe
    Filesize

    91KB

    MD5

    b859b5bef2952cdfe54c65a0f45b888c

    SHA1

    d8f45c47a88972bc60c366b471005c7fb6eeb7ee

    SHA256

    9bc970bc9b10c38f39ca03de3df6e951eb4c646065c3f3dbf1bdb16b2c8c91f2

    SHA512

    9e8d033d4eaf9094c55757ff7765d500e725712d849d0e466ae83e53ba07df93f4737370519bba46a48e26f94ef860dd65c2ac4f0f50e4f8004a1d08039e28fa

    Download Submit

  • C:\Windows\{902AF67A-8FBB-4c62-86F3-A8D7E7C0B0FB}.exe
    Filesize

    91KB

    MD5

    771ea350f0d210aa73c8ce5ea47add73

    SHA1

    16c9900d4c4212f3e93b2a9736a1678885f23ba8

    SHA256

    1a0903c331361fecb8e4173d1d9684ad57f0bde15fa956e010b6a20035bce9a1

    SHA512

    334be40f97a4c3a0163e69ece2e3df24f2de6f464ecace4b6ebe0e3edc19617c7a1f4790659ac317f2d724ff11c7d7975fa71cfdfe7ea4aff878b3b40b802cb8

    Download Submit

  • C:\Windows\{A85FAB86-968D-41cf-AAEF-8775861F4C33}.exe
    Filesize

    91KB

    MD5

    54ce53da4fbe956626395b8de36f834f

    SHA1

    400ebab58026b5fc44281fd2b1a325cdb549d511

    SHA256

    46ae8de1f2ca3650cc3e29edc8727cb251f8064545a74131476a8420fdada0a8

    SHA512

    c7a32e60f0a1e7c3636825cef8bdc78406c218c091b57efa4d6fec1ea8318bff0f379c0908c376216767baa8ead434bc9c050cb4a738194ec8d1016b5e7cac76

    Download Submit

  • C:\Windows\{D37487F5-B7CD-41e0-B8B4-5B454033C0F8}.exe
    Filesize

    91KB

    MD5

    a96229e6718de2044eff8f12c189dee2

    SHA1

    c961c816aa6310b5f434a6f389c0a4d972ccd019

    SHA256

    9f920dec332518a9ba63a1eea97806d6bd1f036f1bb8993de361e9e0af3c6771

    SHA512

    e16df68433e1846f323851e20e3639be635a342d4981ae2d6801079f69a7023f05cc313b35b11d54ae7c34c28e45e8f69c098f935041ad1849e6058a78839d46

    Download Submit

  • C:\Windows\{D6ED15BF-AD52-495a-9C25-9FECCE06A38D}.exe
    Filesize

    91KB

    MD5

    3e9b07b1ae02d66eb1f66c93b9387d19

    SHA1

    9d24488c43eac033376106c9f66f7fdf704f807a

    SHA256

    4b903db8ab6e8b7969d5d9ff408d0d6c8341b4e02336b97d3585dda8b45edf85

    SHA512

    6e921de4cedd19cc9e56b3d2977e8c2b564e04961ae692464b3e0f027e7a130b4326f5694e0aa38625f32af11e1b59b5f34d6eb3aa4455b540390066ec5a4306

    Download Submit

  • C:\Windows\{F6D1F918-02EC-4272-AA4E-7B6C3481605B}.exe
    Filesize

    91KB

    MD5

    d2d09aa55f7b2942b3c447e138cf7204

    SHA1

    666aa91db298866d2c3f30223bff239913be4e95

    SHA256

    2f2dbc9e6f3090abca4f9b6dfb8d456a941ca39992edff89aed862333aaba4c1

    SHA512

    05dbb3dca8b2aeba847be0bb5ba394e1bdc8a97b4e26cbac17d9666e8a8bc0aa9e79ce1818661a82ddb780e9f5a314175199387c0079ab9ce88b020fa7e4bb02

    Download Submit

  • memory/272-62-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/272-57-0x0000000000440000-0x0000000000451000-memory.dmp

    Filesize

    68KB

    Download

  • memory/272-53-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/308-50-0x0000000000390000-0x00000000003A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/308-51-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/308-49-0x0000000000390000-0x00000000003A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/532-92-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/532-91-0x0000000000500000-0x0000000000511000-memory.dmp

    Filesize

    68KB

    Download

  • memory/532-87-0x0000000000500000-0x0000000000511000-memory.dmp

    Filesize

    68KB

    Download

  • memory/532-82-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1548-94-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1964-10-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1964-9-0x00000000003A0000-0x00000000003B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1964-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1964-4-0x00000000003A0000-0x00000000003B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1964-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2056-19-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2056-13-0x00000000003B0000-0x00000000003C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2148-74-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2148-83-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2824-29-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2824-20-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2824-28-0x00000000003C0000-0x00000000003D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2824-27-0x00000000003C0000-0x00000000003D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2872-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2872-41-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2872-40-0x00000000002B0000-0x00000000002C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2872-36-0x00000000002B0000-0x00000000002C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2872-32-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2924-70-0x00000000003E0000-0x00000000003F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2924-73-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2924-63-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2924-71-0x00000000003E0000-0x00000000003F1000-memory.dmp

    Filesize

    68KB

    Download