Overview

overview

8

Static

static

3

e9f53677e9...96.exe

windows7-x64

8

e9f53677e9...96.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9f53677e9ccc5dbf25957b64a6655f96454eb6c72f20d680e4e07857d48a496.exe

  • Size

    91KB

  • MD5

    7c6930485cc997a45c0386f06506d6b8

  • SHA1

    6a48ff03e3b5ab46e52f7bc81eb5535f9f66fd9f

  • SHA256

    e9f53677e9ccc5dbf25957b64a6655f96454eb6c72f20d680e4e07857d48a496

  • SHA512

    f8245cc3c8ce0239c193cc4b0174820b00ed22f5af2d4af74e778f9a351387beb3f9cd72f7af666e6657231bffae07ce0702eb5d52e83d53ad6098885d1cf49e

  • SSDEEP

    768:5vw9816uhKiroL4/wQNNrfrunMxVFA3b7t:lEGkmoLlCunMxVS3Ht

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9f53677e9ccc5dbf25957b64a6655f96454eb6c72f20d680e4e07857d48a496.exe
    "C:\Users\Admin\AppData\Local\Temp\e9f53677e9ccc5dbf25957b64a6655f96454eb6c72f20d680e4e07857d48a496.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Windows\{6F76C666-870B-4c0f-B09F-0AC1BAF6CA48}.exe
      C:\Windows\{6F76C666-870B-4c0f-B09F-0AC1BAF6CA48}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\{0450FF96-70C5-4eee-8B8A-54057C0217C3}.exe
        C:\Windows\{0450FF96-70C5-4eee-8B8A-54057C0217C3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Windows\{28B7879C-A450-4b44-B4CD-95AF49BD6B3A}.exe
          C:\Windows\{28B7879C-A450-4b44-B4CD-95AF49BD6B3A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\{2956D4C0-29E0-42e8-87A8-3E22E2FD82FA}.exe
            C:\Windows\{2956D4C0-29E0-42e8-87A8-3E22E2FD82FA}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1436
            • C:\Windows\{670F9D85-6D15-453e-B7FD-93BFB96FC7B9}.exe
              C:\Windows\{670F9D85-6D15-453e-B7FD-93BFB96FC7B9}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4828
              • C:\Windows\{63006FB1-24E3-4393-BE64-588F3C1760D7}.exe
                C:\Windows\{63006FB1-24E3-4393-BE64-588F3C1760D7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4036
                • C:\Windows\{A8C3A8FF-A4A5-4320-B400-4A08E962DC9C}.exe
                  C:\Windows\{A8C3A8FF-A4A5-4320-B400-4A08E962DC9C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3920
                  • C:\Windows\{338EB736-6085-4e5d-9136-B04540F8EE19}.exe
                    C:\Windows\{338EB736-6085-4e5d-9136-B04540F8EE19}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4432
                    • C:\Windows\{8FB3EE6F-0CC1-46e7-BF51-2BD29ECEB2C9}.exe
                      C:\Windows\{8FB3EE6F-0CC1-46e7-BF51-2BD29ECEB2C9}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4156
                      • C:\Windows\{8B17D2DF-43FB-4ae3-80AC-FFDE428FAC5E}.exe
                        C:\Windows\{8B17D2DF-43FB-4ae3-80AC-FFDE428FAC5E}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4820
                        • C:\Windows\{26829659-3731-4800-A550-71408EEA6688}.exe
                          C:\Windows\{26829659-3731-4800-A550-71408EEA6688}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3564
                          • C:\Windows\{C070FF10-85B8-4767-A416-33FA0A8D42BC}.exe
                            C:\Windows\{C070FF10-85B8-4767-A416-33FA0A8D42BC}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2232
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{26829~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3288
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8B17D~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3228
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FB3E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3528
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{338EB~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2944
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A8C3A~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4524
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{63006~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4400
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{670F9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2856
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2956D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2960
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{28B78~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:540
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0450F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F76C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E9F536~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{0450FF96-70C5-4eee-8B8A-54057C0217C3}.exe
    Filesize

    91KB

    MD5

    e7b6f17e980f78ecf7d1127a959ef536

    SHA1

    9d2570ee069bd40804c7b30dc563e3afb2873f70

    SHA256

    bac96fc116aa6a416be979f92a75c0da8a7e627a16967284dc94df66b5974feb

    SHA512

    311b806927c0caaaa0a17f169617bbd3ea0dbd950dfd05648a726ceccda6ad3ffde97c6643e1be92964a0a5c78eba35cfda374a419e1286a068138aa5a0de9b7

    Download Submit

  • C:\Windows\{26829659-3731-4800-A550-71408EEA6688}.exe
    Filesize

    91KB

    MD5

    608c1281a8dba367042cb2517531bf5f

    SHA1

    0c7a66963d4e02cd455cfe8ff73bee42ca05f49d

    SHA256

    7f6a1fac1f596b3269d37688e3ca5b9ea2b8863fc3cd7eddde41e38eb519e08c

    SHA512

    e40d2076793302ad47f56497ad1f6f3b0bd8c1f6d27901f50a092bb6bcee7eb0a46eb99a2b488243319e2b00b3bce3f40870d0dfefce1266c4ffc1582cf85148

    Download Submit

  • C:\Windows\{28B7879C-A450-4b44-B4CD-95AF49BD6B3A}.exe
    Filesize

    91KB

    MD5

    677a826f509d5af5d2828ea89182e733

    SHA1

    b1dbde39cc04713bda9198e5c90366bcb3ce34c8

    SHA256

    8b85e1451ebe8253ea2e6e35d7f28c6e2096c55e0cbb23ec0744fd2080fb438b

    SHA512

    9a50b320f0ef7001b4d9e9c7d1a1d1cab74efb5883abdb67231cf9c4722eea6203342da850aca066215070a326ceed83b6ae447b990f3fecd03f86b777338f8a

    Download Submit

  • C:\Windows\{2956D4C0-29E0-42e8-87A8-3E22E2FD82FA}.exe
    Filesize

    91KB

    MD5

    78d1941469cb9f65e061491be72b62f5

    SHA1

    9b34cc0a1b0443107f9468e4aa1edda1a4e43d00

    SHA256

    0e55744df28570b50d16858bee44f443749ee8efe386cf28a0fbb3ad56100041

    SHA512

    9264b754132930d7d04c0fec770897bc41b54fde0096d1324350dbde983007fbffc87b3f49e73fc025089804241e777466f9099cc321f03fb7df848ebe0faa11

    Download Submit

  • C:\Windows\{338EB736-6085-4e5d-9136-B04540F8EE19}.exe
    Filesize

    91KB

    MD5

    db506cc93b533099d6c7bac0397df84d

    SHA1

    6f53ec330a9d868580f3a1e10de41fa250a46237

    SHA256

    dbefedf6d49e5f56d30824e181f964b4ccb9f560d2a3fcabcdc2f29bc753c947

    SHA512

    6eaf89cab4b722033859e69f6acddc2c73a9eda7bac73749fab216c1a438dd8f1de6186d8d87907a7abc61d6f2e3d93d42d438000cb4e828a379e76ae6e711f6

    Download Submit

  • C:\Windows\{63006FB1-24E3-4393-BE64-588F3C1760D7}.exe
    Filesize

    91KB

    MD5

    1f6ceaa6c25e8cc018bc2d6a4c638caf

    SHA1

    537ab040eb6169fc1b11e23a825d523375655ecd

    SHA256

    057a48a35a0ec9f1938159a79bfbc433281cb5a450eba6c76eedf5ee7533d9ab

    SHA512

    4fbdf95507a18f5c2144699b5d9fb674c66cfcd1de846523cc640b8b5096cc430a1b6b3b6fc780cd93823bebb6e1c2cd2d361157fe548d46a9e9783a2e1c8cda

    Download Submit

  • C:\Windows\{670F9D85-6D15-453e-B7FD-93BFB96FC7B9}.exe
    Filesize

    91KB

    MD5

    25eb70ea074d5a5d62345ed8d47c8833

    SHA1

    5c1f327a6089bcaa0e9f5d763be069982f1c9c08

    SHA256

    ff23687d5ddc41fee968f99b78cb156e73efd617831efb17c97efb41f3e53073

    SHA512

    5acb51d09f9aebabd73492fa7d5ef2b2bd914bc97ee87935a8df2a12a870614ca9cd896c95594611cc25a106593a228ed34f91183b53c38d4bd5c28829938eaf

    Download Submit

  • C:\Windows\{6F76C666-870B-4c0f-B09F-0AC1BAF6CA48}.exe
    Filesize

    91KB

    MD5

    6d003dfed43a89616fc2ab8f3b7bc6ce

    SHA1

    1d2cafb0f607d34d89258ed9c4e38d7f00bdbcd4

    SHA256

    8db88aab5c69b1026b38abe5528ffdb0a2292075275f4bc3dd3bb87fd510682a

    SHA512

    9c2b52489f86097ceb1171f7c63c52d97e95155ea6442283e752b47d07962e0f44fd16865a65864e8239a0bba3bd76db0d7fdc99f29562cdf9cd3c8c507834cc

    Download Submit

  • C:\Windows\{8B17D2DF-43FB-4ae3-80AC-FFDE428FAC5E}.exe
    Filesize

    91KB

    MD5

    5f7cdd9561fd96cc3da6a97e2b55935d

    SHA1

    4b18b28a338bc2398947315bed5593760db35fb5

    SHA256

    1d85b603b53b26036c0a36f0755e66568f357b40fee3e9c36eef382993f5e1c1

    SHA512

    0802491202e4e1ebe233f8d79c18ef5330e189ddee2d4f09eeb8b566ced3d42c658e35e7081ec180cbaad3cf70384fba94373bfddde1c021fe238ee799cb269f

    Download Submit

  • C:\Windows\{8FB3EE6F-0CC1-46e7-BF51-2BD29ECEB2C9}.exe
    Filesize

    91KB

    MD5

    6af73862a18e7658ef509905ed5b1cf9

    SHA1

    f9014fdeb70f490870fce22c9d156afcc7dec266

    SHA256

    807bee29bf1e814da54d9082b7e2ab0f5a548c874bade9e6cfe20e3f09e49660

    SHA512

    b3467cba6993206328ff2b41a37de842c68b9479d4c9b742aad8a83fc26626fb4570216c7403b4f3d44a71efff81465cd265616ca08d360d2daf121e3eca901b

    Download Submit

  • C:\Windows\{A8C3A8FF-A4A5-4320-B400-4A08E962DC9C}.exe
    Filesize

    91KB

    MD5

    a66a78503bbd99ce7da2c89bf5e37b81

    SHA1

    e76fc18a621d58f46df9b767a3f0606a28f144c7

    SHA256

    b1b2223e2b86ccdcf2d883c897303b9cb3b029cfd07d4422be577d8136ac698f

    SHA512

    c0fc9e7a2e741c63a75f8f00b03d7ecb943671dc687659e91252c484e3adc7169ec3d48fea2a3f4d74674f34d21da6a61a4db4366dab4af6323b55c9b4881be5

    Download Submit

  • C:\Windows\{C070FF10-85B8-4767-A416-33FA0A8D42BC}.exe
    Filesize

    91KB

    MD5

    ca767ba54dbca0e152d8c01540ff39e3

    SHA1

    b17dff56e2cf9de6938d6d1bf2d7719d4e09a63d

    SHA256

    07cbb50c8eadc6375936eb076845e23efefcd409efbb6222581bcd84d8aca178

    SHA512

    abed43c23216d5c3b43a5146b40e523a4e7a154969f2c5d946024c2e5bc02a5c314cb80f36488fafbee6af6b19fc2f73ff512230f8e8c8e477e3564ec96ee3cc

    Download Submit

  • memory/1164-14-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1164-18-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1428-20-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1428-25-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1436-30-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2232-73-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3564-72-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3564-66-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3920-43-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3920-48-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3944-8-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3944-13-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3944-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4036-37-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4036-42-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4156-55-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4156-59-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4204-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4204-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4204-1-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4432-49-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4432-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4820-65-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4820-61-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4828-35-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4828-31-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download