Overview

overview

8

Static

static

3

d8c5e4dd5d...dc.exe

windows7-x64

8

d8c5e4dd5d...dc.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe

  • Size

    64KB

  • MD5

    73a0bad04b0af52e433ef384de21ddd7

  • SHA1

    3e96465da02d594a0851ad47f04013eb4956f49f

  • SHA256

    d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc

  • SHA512

    5b37b9251a537fb1876217117a2fe995db7beaa9bee4c648758885cbcc830a5fc0e7aee96d794ed35aa6c9cf80f7b2d189aa0db651a878333e6f0dae9d7ee07e

  • SSDEEP

    192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwXY04/CFxyNhoy5t1:ObLwOs8AHsc4QMfwhKQLrop4/CFsrd1

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe
    "C:\Users\Admin\AppData\Local\Temp\d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\{64D6E383-ACDB-4aab-BBF1-2C3256DC40B2}.exe
      C:\Windows\{64D6E383-ACDB-4aab-BBF1-2C3256DC40B2}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\{88A7B90F-A27B-4fb6-B7D3-49BCC914E0C5}.exe
        C:\Windows\{88A7B90F-A27B-4fb6-B7D3-49BCC914E0C5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\{C79C6579-3E7B-4684-B14C-28EB99BAF008}.exe
          C:\Windows\{C79C6579-3E7B-4684-B14C-28EB99BAF008}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Windows\{5C543BD6-096F-4763-9875-B9E57998084D}.exe
            C:\Windows\{5C543BD6-096F-4763-9875-B9E57998084D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2824
            • C:\Windows\{6C6AC1D3-273E-4dcd-8E05-3909A5C22727}.exe
              C:\Windows\{6C6AC1D3-273E-4dcd-8E05-3909A5C22727}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2120
              • C:\Windows\{2D2D1E96-5BFD-490d-BDC4-10A54FC49C3D}.exe
                C:\Windows\{2D2D1E96-5BFD-490d-BDC4-10A54FC49C3D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1916
                • C:\Windows\{740D5CE7-5574-48a9-8413-8DC3DC872A0C}.exe
                  C:\Windows\{740D5CE7-5574-48a9-8413-8DC3DC872A0C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:288
                  • C:\Windows\{F568169D-47A2-40ef-9011-5171101D5731}.exe
                    C:\Windows\{F568169D-47A2-40ef-9011-5171101D5731}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2196
                    • C:\Windows\{E8764C74-1B36-428f-9C4D-BC729C945918}.exe
                      C:\Windows\{E8764C74-1B36-428f-9C4D-BC729C945918}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2228
                      • C:\Windows\{AC340DE0-B4E5-494b-A360-371BF8958C1D}.exe
                        C:\Windows\{AC340DE0-B4E5-494b-A360-371BF8958C1D}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1260
                        • C:\Windows\{66724789-DE3C-4b72-B8BE-C48BD1FE3F8A}.exe
                          C:\Windows\{66724789-DE3C-4b72-B8BE-C48BD1FE3F8A}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1152
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AC340~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1312
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8764~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2244
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5681~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1628
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{740D5~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2708
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2D2D1~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1396
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{6C6AC~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2548
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5C543~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2280
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C79C6~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{88A7B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64D6E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D8C5E4~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{2D2D1E96-5BFD-490d-BDC4-10A54FC49C3D}.exe
    Filesize

    64KB

    MD5

    2d160d5c5442c07d388494c450da7a1e

    SHA1

    8e8844b1fd40a171cda70e85aafe122d7c09e180

    SHA256

    cbde35225e75c89aba43b6df9963f54e9adbfce4362a6bf23ea21e4309f072c0

    SHA512

    5f2d162d69bcc3433fd84b1a89c1ef2438acfcb607d4d283d82ddfac2b42a660ee7a39395447011372d87afdd86a9df0ae4ae90262c329169564106652cb4d24

    Download Submit

  • C:\Windows\{5C543BD6-096F-4763-9875-B9E57998084D}.exe
    Filesize

    64KB

    MD5

    597a30dd0f903f0990c33fd62a6fe4b1

    SHA1

    37f430c082bff204adb9d6ee2f14d154b6387bb2

    SHA256

    53ee8a542cbe405f03bc26965587c2e21e70ef4c9a259f7423f8f469d7ce94e3

    SHA512

    180481a933b294ca75112ef5deab25e2c866df09139fc2145937545938827a5d3789bc1a7927f8a8a6934b3546f58d9205fb2725dbe62a7349aa189a3bcc00a0

    Download Submit

  • C:\Windows\{64D6E383-ACDB-4aab-BBF1-2C3256DC40B2}.exe
    Filesize

    64KB

    MD5

    a51c5d09c6b40a68708745aa52f04054

    SHA1

    94762c846bc58f8ba5b0a1caeee9a7c41367d761

    SHA256

    73e386a2fa466f65b2a7ef56710e8709dc1402d6e594a2d5b21e6eea4b524d55

    SHA512

    a7417926acba0cf679895fb0b258eb9ba3ffb4525b0796aa70d1fcde93f300a31bffe96a512b091e1fcbf4c803799f8a87e454c735b5b2cb215313aef2dfe81c

    Download Submit

  • C:\Windows\{66724789-DE3C-4b72-B8BE-C48BD1FE3F8A}.exe
    Filesize

    64KB

    MD5

    8f406fccd5279a6f88bc9b0ab3c02b7b

    SHA1

    334d2c9d5c018a8bf54c5f917cfc2ae1995570f2

    SHA256

    6a2f1c248c6bbbe8c828af22fe725c172657e80b81e0fab923170eb8ba7644f7

    SHA512

    f1f238cf57c1bcce8c89968a9bcdcb0c620b05d63fb09cb9acc9e7ef40c1df605598aa9e19a51ea5140d64b2ea28a43fc6866d2f005c26f76c129c12a60daba4

    Download Submit

  • C:\Windows\{6C6AC1D3-273E-4dcd-8E05-3909A5C22727}.exe
    Filesize

    64KB

    MD5

    00a822c7be866f6920b28f5ec5e64e64

    SHA1

    0da8c066102012b0fccbcb6b9ff48d6ee3f5deb4

    SHA256

    7bfc23db48bd0cf08e1f9989d2baea0db3955ffda1fb31c7e6ba5d186472c854

    SHA512

    1f64fa338aa0dd20e85d350008df5e0802ecdadf7d7505e063981ff96f9d20de51f00b0814f10e92a87fb9031427f1255ae32888267b6098bfa7ef3fc789b99b

    Download Submit

  • C:\Windows\{740D5CE7-5574-48a9-8413-8DC3DC872A0C}.exe
    Filesize

    64KB

    MD5

    e5de45365c568bcd7c7b8bd1530df97e

    SHA1

    49f94a63b006ac768bca81d01e39887e36524432

    SHA256

    1002cc09af07f5d46238941a57bf74641aae4d5aaa2daef897ad0e9861f1a2eb

    SHA512

    99daf881f57d26ec986a370fd6626635d469c202aefa6218a34a6cc0215d689d676493f2816a3a2bb28a3c86eb9fe32ada7e7f11e473e60a7d5850a4008b872e

    Download Submit

  • C:\Windows\{88A7B90F-A27B-4fb6-B7D3-49BCC914E0C5}.exe
    Filesize

    64KB

    MD5

    d2da004041d477b4db8a3bcaebf1e161

    SHA1

    3bcf4b220ce520ee8d2d66b442b90ca0880306b0

    SHA256

    feb46c50317e8f6547f337e900a512845776ead36020046d342ca5b848222842

    SHA512

    512ae3fb9167ece820517d6355d83df59e73abcdaf0b5a576230d6ddfd0d7e58d9d072b2c5126af7e9fe07231f420cd9852bec485ac6ead92d1c1234339771e5

    Download Submit

  • C:\Windows\{AC340DE0-B4E5-494b-A360-371BF8958C1D}.exe
    Filesize

    64KB

    MD5

    a6012b1aba23cc9c17007ee828cb0b62

    SHA1

    20578e916dce9f67fbeb65f1ba714514bb765ade

    SHA256

    dd77fe8ac9afe8ffdb5185050b7ce2d888c711ead471aaf36e764dd1c60e7486

    SHA512

    c5a2a22f3a678cea334e769f2d528f4afa175dfd0660daebff892ce15ce91854296e9fc32dc23d29d009401b00dc8f4a97d788965338c0436ca4e9ff281f802d

    Download Submit

  • C:\Windows\{C79C6579-3E7B-4684-B14C-28EB99BAF008}.exe
    Filesize

    64KB

    MD5

    fe5b18207c78704b47f5f688379d53d0

    SHA1

    4f65dbffca58698e3dbe5e74d102e5f8c08e0c76

    SHA256

    2d2a5866956d236f0127c07d243e308abc4c49114fa4faa43288c07872f5f74a

    SHA512

    3e8993b988f438124c9e16769d28574552c490337f5c3349bf731675d807d3e3c245aaeffc1a2ea38a3b4f17925f9a2e1763ada6d6f2a4ae16b149bbdb047e58

    Download Submit

  • C:\Windows\{E8764C74-1B36-428f-9C4D-BC729C945918}.exe
    Filesize

    64KB

    MD5

    b4b3afea33dd8f7e2bf86a2806d861eb

    SHA1

    bfb5dbbf745561ba78409e645ea7b730a0357894

    SHA256

    cd9fa2a88643a5c0586bd1ad9723b953e817f905c9271ca0c2f1ceb4c156ed75

    SHA512

    e5e451756600a4f6ebe9bfefc82974adcf5178c58566b7e338907d04b7632c7bf7accaf5df404fbbc9585ef87ba406124e4ca08539ba5f14b51793b5948236b4

    Download Submit

  • C:\Windows\{F568169D-47A2-40ef-9011-5171101D5731}.exe
    Filesize

    64KB

    MD5

    381ff1f0cad0847b066024b019aa8ba1

    SHA1

    7cfa1a73fbe73f35faea176bc5511d9f6b0264a1

    SHA256

    d3e8e75752d78bd11e54527d666e20ab4a2dcec2585cfe72d35229c8d6a42436

    SHA512

    4857f20d0f7745599d91e30f8dd1e4d2f08e1ac33cbf4621cff7ff141460ffcc42b37e9582aebcc7bff3eca0c899a7255116306dc76b749cc0d4f9ed7a5640d2

    Download Submit

  • memory/288-69-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/288-72-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/288-78-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1260-106-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1260-101-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-59-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-58-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-68-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-62-0x0000000000300000-0x0000000000310000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2096-9-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2096-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2096-3-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2096-1-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2120-57-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2196-87-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2196-82-0x0000000000280000-0x0000000000290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-97-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-88-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2228-92-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2576-14-0x00000000003B0000-0x00000000003C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2576-20-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2576-17-0x00000000003B0000-0x00000000003C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-23-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-29-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2756-19-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2824-49-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2824-44-0x0000000000300000-0x0000000000310000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2824-40-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2900-39-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2900-33-0x0000000000370000-0x0000000000380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2900-30-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download