Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 07:39

General

  • Target

    c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe

  • Size

    90KB

  • MD5

    ce4b012ab72e23e9b69455b5bc1e4e3b

  • SHA1

    63b007c9da69ebdf3adc27d7a2508b43a13c7b7c

  • SHA256

    c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9

  • SHA512

    1d687133de6d565a824242af61bf1350630bea65dd99ad9307d88f011fe11af59027ddc51985420ceb4cbef38c2d7ca32a4e85e85a824c491a59b636fd6aab31

  • SSDEEP

    768:Qvw9816vhKQLroV4/wQRNrfrunMxVFA3b7glws:YEGh0oVl2unMxVS3Hgz

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe
    "C:\Users\Admin\AppData\Local\Temp\c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\{3274EF5A-EC25-4410-9B02-9D63E46841A3}.exe
      C:\Windows\{3274EF5A-EC25-4410-9B02-9D63E46841A3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\{6E846DA6-DF99-47ba-B827-9E4811491D9C}.exe
        C:\Windows\{6E846DA6-DF99-47ba-B827-9E4811491D9C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\{3C3DFCA4-D7B3-4445-998A-B3B3854F7DEA}.exe
          C:\Windows\{3C3DFCA4-D7B3-4445-998A-B3B3854F7DEA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2320
          • C:\Windows\{D0EA6FCD-721C-45dd-9C64-1D84383D8889}.exe
            C:\Windows\{D0EA6FCD-721C-45dd-9C64-1D84383D8889}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1820
            • C:\Windows\{7AE8B9AD-F882-4f21-8FBF-231FE41F9425}.exe
              C:\Windows\{7AE8B9AD-F882-4f21-8FBF-231FE41F9425}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4684
              • C:\Windows\{7A3C338C-C88C-4f2b-B3D0-906BEAEED3E7}.exe
                C:\Windows\{7A3C338C-C88C-4f2b-B3D0-906BEAEED3E7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3520
                • C:\Windows\{DE971B83-383F-49d6-9C30-6A93084BC641}.exe
                  C:\Windows\{DE971B83-383F-49d6-9C30-6A93084BC641}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4952
                  • C:\Windows\{21746589-5562-4a47-9C33-FB060E3C20AA}.exe
                    C:\Windows\{21746589-5562-4a47-9C33-FB060E3C20AA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5108
                    • C:\Windows\{DC11C554-A555-468b-BA4E-49CC4FC3A415}.exe
                      C:\Windows\{DC11C554-A555-468b-BA4E-49CC4FC3A415}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3296
                      • C:\Windows\{53DCBBFC-4B62-4b7c-ACF1-D47FEEB130B2}.exe
                        C:\Windows\{53DCBBFC-4B62-4b7c-ACF1-D47FEEB130B2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:756
                        • C:\Windows\{84A1D7D4-0388-4b78-9375-E2BCC15A8F61}.exe
                          C:\Windows\{84A1D7D4-0388-4b78-9375-E2BCC15A8F61}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4964
                          • C:\Windows\{5CBCC3B1-A1C8-4c41-B22C-468AC8137290}.exe
                            C:\Windows\{5CBCC3B1-A1C8-4c41-B22C-468AC8137290}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4792
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{84A1D~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1520
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{53DCB~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:412
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC11C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2208
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{21746~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4828
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{DE971~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2212
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7A3C3~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3708
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE8B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3524
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D0EA6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2692
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3C3DF~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2952
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6E846~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:548
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3274E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C2C4A3~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{21746589-5562-4a47-9C33-FB060E3C20AA}.exe

    Filesize

    90KB

    MD5

    963959b6e02265787e5fc97e3052bc51

    SHA1

    9dadd161ff2cdcbc5589988c6a1097fa8abebd36

    SHA256

    028c99d27210cc723fd97cbce3fa298b979eab3ff75a90633d961070d765aee4

    SHA512

    ff2e6c2b4d74fc50475fb76e0307975558a16a05c0c0a80aa5970d9176b283d5dcc3663a0e11a477540ad261d419fb15cefa31c3585b2f8e3b924a69b2c3129d

  • C:\Windows\{3274EF5A-EC25-4410-9B02-9D63E46841A3}.exe

    Filesize

    90KB

    MD5

    ca7baba7958db6a3b821e213a7ada391

    SHA1

    20412dd5ed68c6ebe6b6a2bb71c62983456c98ec

    SHA256

    c41dcfd9d618fdba16fda03bcc7daeb442928b66953e910c4139b20ccd69f030

    SHA512

    e0a25c506c2b99de8531d117bf6262aa69f55ec05110997c1b004396169906cab1b0a9c8c6fad79409aebdad7d11948f267354fb8a2192ba724f566071918d62

  • C:\Windows\{3C3DFCA4-D7B3-4445-998A-B3B3854F7DEA}.exe

    Filesize

    90KB

    MD5

    da49bb782b3c48cdbddf4e28f82610b5

    SHA1

    e328b89d63bfc9fe236c163f2fff9b9d99bf286d

    SHA256

    3794cc9a041dc603dd856068f6e7ac89a17fb9dcd7278cc916d13d7988748479

    SHA512

    93d2e3bf23985f0faa243396196b95390a606b405e07725162469b13ea426eeb2952ccfa122ead8d9e1f1c4f9f9edd70ff7c07faac0e8a918851b0a6fbb97f62

  • C:\Windows\{53DCBBFC-4B62-4b7c-ACF1-D47FEEB130B2}.exe

    Filesize

    90KB

    MD5

    a3257a552ada08301a98f9c5865f90f8

    SHA1

    6721f4761fe8d019aaf00ce7379202a6175b5386

    SHA256

    7ccd36f52ed5a89c6aec5bd040c93ad21f12bba9fc87bacadff0a7b382e506a3

    SHA512

    6ec5b7c26b5ce9acf9913c635fe929a2935f0cb4da6a2ce19ffe5eab0a6d617965318a4ce3cda8e6bc963a04caf76d178a602f5b1b8925eb034223089d1435cc

  • C:\Windows\{5CBCC3B1-A1C8-4c41-B22C-468AC8137290}.exe

    Filesize

    90KB

    MD5

    88150f026304b47b810bfcb9b8e80ad7

    SHA1

    654842b0edc071ff91df7bb46e6470fc4f8a98a8

    SHA256

    113cdb3d5b47ed1088a79106ba16cdb1580fe8461b4ffc3e365cdacf689a0756

    SHA512

    760dc9d322f1b868eae560dbb6cfade4fd45a42a8c954df67eb7f72ffbf94a2a365e9c30f84fbe3b2e50bc1fe3fdc8e4a6cd2061f20a0a83c66c81beef949df8

  • C:\Windows\{6E846DA6-DF99-47ba-B827-9E4811491D9C}.exe

    Filesize

    90KB

    MD5

    37e0b12cf7edb8c06bd4b9c7e5de54b8

    SHA1

    9e338083bf207b9feb11089a76dbc1b89a649af1

    SHA256

    edab06b52d9f43de260a76cad651f9d42846ed8de2e3737703dbdbab62368c21

    SHA512

    37a359ad2c931d6f2135ce15b6063289a776d87469f0df4b702a1fa4963edd2009ba306393102bd8dbe2ad9b761c8932649fe051e007051d176c41cc1f3933e0

  • C:\Windows\{7A3C338C-C88C-4f2b-B3D0-906BEAEED3E7}.exe

    Filesize

    90KB

    MD5

    c0136d963ce1407836501e58f0f06793

    SHA1

    eefd0ebd219e7f76cccc6af90d0da03e025b4ee5

    SHA256

    ec761016c53c4845120d082ca20d6e62c83ee01f05ef3905987c7db4f257dd19

    SHA512

    73a60432367265699b5a23ac6febe9121151fdd25311be288cbd8e90542250d7feb380908c31c5d8f4b22f4d5ca83e8ef97ebe2d17e2f0047a9a11114a86e912

  • C:\Windows\{7AE8B9AD-F882-4f21-8FBF-231FE41F9425}.exe

    Filesize

    90KB

    MD5

    e2bef60d4e02a9858408e4b0b68f1fd2

    SHA1

    2aea603c426c1bc7bbab7a899d7377b5525e6e3e

    SHA256

    15bd69c1e56692e61313a51547ad96b5319f378b9ddbe239be690fb12d60e255

    SHA512

    cef937db3399c65ff0d48688084a56214c4b4dacd742dbdaa20068d35e10d02bf699ef4bd486e840391b85fabb063ccdd5621cac69f48c9874d879e1c6ed8e47

  • C:\Windows\{84A1D7D4-0388-4b78-9375-E2BCC15A8F61}.exe

    Filesize

    90KB

    MD5

    c35cfb6af09fa65464bd5b7b8598be6a

    SHA1

    73578ab4e3cd13c8ec5fccb5830e799aa57e5e0a

    SHA256

    6f4c5790a48a071b84a2dc78715c1d124b2a79e629e433d40226f37d19063e8b

    SHA512

    89d3f74416ef9ae268451ce72231aa40740e331bf8bde373c0a0966c29c96aa8b1cc4ef3aa13e37793c358fe4e5f5d4e5eb51e01de96dbf8fa9ce6b51697035b

  • C:\Windows\{D0EA6FCD-721C-45dd-9C64-1D84383D8889}.exe

    Filesize

    90KB

    MD5

    60717905544ea91edaab14da3c3a0384

    SHA1

    bb4482e5b8cd746106cb3ad81fb8ff30e5801cb9

    SHA256

    26c9ac18eaa29b08f0080188dbf7c0157e9360213e39a9c417ea939228aae9d9

    SHA512

    cfc859185ce137de3b79d96603f7ea8bdf1465059498fdbc5ea70ec65e146e22acbdb913990978f448d58ef0e2e23677360a40db884c950accfd720c4aba520c

  • C:\Windows\{DC11C554-A555-468b-BA4E-49CC4FC3A415}.exe

    Filesize

    90KB

    MD5

    04657a7fda6c980d1b67487217d08ed6

    SHA1

    f58770c009c8961ee18f41dbb3d6621a286d44f7

    SHA256

    17af73b67dae8f85d0c646175093d657bf59ab5e79a54f311193d38914465b9a

    SHA512

    5a5e68125ec71d399ec586586181801d85e97e30f1bd06d1126337b11f5a29212ba6f625aacaf2f7eb0bd4882b7c36ce9c9db615e5680080f7fc2428c827b417

  • C:\Windows\{DE971B83-383F-49d6-9C30-6A93084BC641}.exe

    Filesize

    90KB

    MD5

    09e73f1dd021124fec3ab49f4fa532cb

    SHA1

    3efa617b12b7d2f12107c5fc31e85aeb562f130c

    SHA256

    39003191bd4642efba9f69318e4b9dfb289c703f152a04ca71f35a8bf2a778bc

    SHA512

    4d29a48756910075a206ec1e53dbb918ad080fbf5328741f9fcbaa9037cfbb13183d330af1d30990cad4199e63be25beadc7e832608d6553e260ea245e1670c2