Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2024, 10:52

General

  • Target

    ea0a7bf19b8aecbcff2ad2e5e2836873021a73e5b70787a43e71a274448a4be3.exe

  • Size

    90KB

  • MD5

    03742fc4a1e6f482d5f0c64f0682bc1d

  • SHA1

    0c21798ccdce29bebef683a64be196186caeb14c

  • SHA256

    ea0a7bf19b8aecbcff2ad2e5e2836873021a73e5b70787a43e71a274448a4be3

  • SHA512

    8b7039d917707c40fd3e3f4f073886788df1af7a40434012b5e9dfeaabdf2ddb70df1557c2c5f563d96c49f8f45b3dbcd6c570e8436f2e8641ef8fa279562b66

  • SSDEEP

    768:Qvw9816vhKQLroS4/wQRNrfrunMxVFA3b7glwD:YEGh0oSl2unMxVS3Hg8

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
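
The Active Setup signature above refers to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, whose per-component StubPath value is run once for each user at logon (ATT&CK T1547.014). The report does not show which component key this sample writes, so the following is an added hunting example rather than anything taken from the sample or the sandbox. It audits an offline, constructed snapshot of that subtree; only the GUID-named stub path is borrowed from the report's process tree, the other entries and all component GUIDs are invented. On a live host the snapshot would be filled from the registry (including the WOW6432Node copy) with winreg or a `reg export`.

```python
"""Audit Active Setup 'Installed Components' entries for suspicious StubPath values.

Added example, not part of the sandbox report. Runs on a constructed snapshot
shaped like the registry subtree so it works offline on any platform.
"""
import ntpath
import re

# Active Setup runs each component's StubPath once per user at logon when the
# HKCU copy of the key is missing or carries a lower Version (ATT&CK T1547.014).
# Source key on a real host: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
GUID_EXE_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$", re.I)

# Where legitimate stubs normally live; anything else deserves a look.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")


def stub_image(stub_path):
    """Return the executable path from a StubPath command line (quoted or bare)."""
    s = stub_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def audit_active_setup(snapshot):
    """Return (component_guid, reason, stub_path) for every suspicious entry."""
    findings = []
    for guid, values in snapshot.items():
        stub = values.get("StubPath")
        if not stub:
            continue
        image = stub_image(stub).lower()
        directory, name = ntpath.dirname(image), ntpath.basename(image)
        if GUID_EXE_RE.match(name):
            findings.append((guid, "GUID-named executable as stub", stub))
        elif directory == r"c:\windows":
            findings.append((guid, "stub dropped directly in C:\\Windows", stub))
        elif directory and not directory.startswith(TRUSTED_DIRS):
            findings.append((guid, "stub outside System32/SysWOW64/Program Files", stub))
        # An unqualified name (no directory) resolves through the PATH search
        # order; it is left alone here but is worth resolving on a real host.
    return findings


# Constructed snapshot (assumption). The report does not show which Active
# Setup key the sample wrote; the GUID-named stub path is taken from its
# process tree, every other entry and component GUID is invented.
SAMPLE_SNAPSHOT = {
    "{11111111-2222-3333-4444-555555555555}": {
        "StubPath": r'"C:\Program Files\Example Vendor\firstrun.exe" /user',
        "Version": "1,0,0,0"},
    "{66666666-7777-8888-9999-000000000000}": {
        "StubPath": r"regsvr32.exe /s /n /i:U example.dll"},
    "{92FBF5A8-B39C-4f50-8F83-8A5C98DC3C0E}": {
        "StubPath": r"C:\Windows\{92FBF5A8-B39C-4f50-8F83-8A5C98DC3C0E}.exe"},
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": {
        "StubPath": r"C:\Users\Public\update.exe /quiet"},
}

if __name__ == "__main__":
    for guid, reason, stub in audit_active_setup(SAMPLE_SNAPSHOT):
        print(f"{guid}: {reason}: {stub}")
```

The checks are ordered from strongest to weakest: a GUID-named executable sitting in the root of C:\Windows is the pattern this sample shows, while a stub outside the usual install directories is only a prompt to verify the file's signer and hash.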

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea0a7bf19b8aecbcff2ad2e5e2836873021a73e5b70787a43e71a274448a4be3.exe
    "C:\Users\Admin\AppData\Local\Temp\ea0a7bf19b8aecbcff2ad2e5e2836873021a73e5b70787a43e71a274448a4be3.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Windows\{92FBF5A8-B39C-4f50-8F83-8A5C98DC3C0E}.exe
      C:\Windows\{92FBF5A8-B39C-4f50-8F83-8A5C98DC3C0E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\{BDF329F9-7BD2-4d3d-A03F-7A10CED970A8}.exe
        C:\Windows\{BDF329F9-7BD2-4d3d-A03F-7A10CED970A8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\{9F34C95E-0E33-4aac-B072-20BA1EF192B8}.exe
          C:\Windows\{9F34C95E-0E33-4aac-B072-20BA1EF192B8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1056
          • C:\Windows\{49955295-9068-4343-B397-0663942DC2D2}.exe
            C:\Windows\{49955295-9068-4343-B397-0663942DC2D2}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1020
            • C:\Windows\{8F699837-4BDC-4404-BAD3-6B23A6535250}.exe
              C:\Windows\{8F699837-4BDC-4404-BAD3-6B23A6535250}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1688
              • C:\Windows\{1A50AFCA-B304-4ca4-A27C-30D80354DFD1}.exe
                C:\Windows\{1A50AFCA-B304-4ca4-A27C-30D80354DFD1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3636
                • C:\Windows\{CFAF1A36-3C4B-4bae-B230-E4BB1F2C5B3C}.exe
                  C:\Windows\{CFAF1A36-3C4B-4bae-B230-E4BB1F2C5B3C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2764
                  • C:\Windows\{893AFBCE-AC07-4f7a-B79E-DF114766AAAC}.exe
                    C:\Windows\{893AFBCE-AC07-4f7a-B79E-DF114766AAAC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4332
                    • C:\Windows\{8D835F58-E370-47ed-8F45-17510102F1C9}.exe
                      C:\Windows\{8D835F58-E370-47ed-8F45-17510102F1C9}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4520
                      • C:\Windows\{63A7F918-9E87-47d8-87C0-F49BCB3D2A29}.exe
                        C:\Windows\{63A7F918-9E87-47d8-87C0-F49BCB3D2A29}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1532
                        • C:\Windows\{2E928475-48E4-4c07-B1F0-7000975E9677}.exe
                          C:\Windows\{2E928475-48E4-4c07-B1F0-7000975E9677}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4776
                          • C:\Windows\{A63997A2-2CBF-45a1-81E1-61002F631C38}.exe
                            C:\Windows\{A63997A2-2CBF-45a1-81E1-61002F631C38}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3792
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2E928~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4004
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{63A7F~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4744
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D835~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4512
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{893AF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4380
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAF1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4296
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1A50A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4436
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8F699~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4472
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{49955~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9F34C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BDF32~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92FBF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1320
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EA0A7B~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4084

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{1A50AFCA-B304-4ca4-A27C-30D80354DFD1}.exe

    Filesize

    90KB

    MD5

    8feb3ddf8624d88a1e4d6f36cfeeac6b

    SHA1

    15f206c5cc787ef426b00217bab968921d9e835b

    SHA256

    5f0df8aceb1b1c8ea784e5d70035f8f4c0f660e0596eb5ddbb7b5c17613c3140

    SHA512

    378761b64ee21f1a5a73151c31b66957aa3743022df39ca7b965a94126c40088605200f98b859817c78a08599f27aa5cb10cad429cfe50596bfb78e94d0c9d17

  • C:\Windows\{2E928475-48E4-4c07-B1F0-7000975E9677}.exe

    Filesize

    90KB

    MD5

    bf6ccb56a7d82b42cd5ae5d3a8880576

    SHA1

    5d2e3ed2c7589b24fe6dad98103d60500596479d

    SHA256

    61f0bb579b54d4e45896bf4e3dd78ca715cd2207f1c7fe6fa57e605b3b2a35e7

    SHA512

    3dbf920a7e834904246b4d03d95c36b616a3e3e379783ce0c23e4d27179fe96d9b96ec5a6db5c16a67a7a454f8edbf985c3116f0a90de364b69e78202b4c0368

  • C:\Windows\{49955295-9068-4343-B397-0663942DC2D2}.exe

    Filesize

    90KB

    MD5

    e062f84f6dcf9702ec64db76398490c5

    SHA1

    edf6d53ec86cfbe97386533b54bacc5f766296a5

    SHA256

    97c573b59ba6d3a9944fb8a78b258857abb85508ded81e57c95c17aa5b2dc8d5

    SHA512

    a59aaf640d84587e2e9e3f194433e3b6424e7f8c39b7bf14e8aadc24075a5b94b3179a97a05f62d440441c6e861d4f87d2f80dd06d55834eef24ad7e2dcdaf23

  • C:\Windows\{63A7F918-9E87-47d8-87C0-F49BCB3D2A29}.exe

    Filesize

    90KB

    MD5

    e7a6da080d4bafdd5c7dd06c479d08f4

    SHA1

    eb45a0b4b814d1356c41ad6d01f838c7c0525299

    SHA256

    a5894ea914f6d00152eba35450fdfa7d96e8ac8befda86a02583bf9db7a515b3

    SHA512

    c609e672932faff05d976ae50fb7cafc693b247fb276e75191c6af195eea6e602f704e7bc8fd8fa18a481e6bdc4de83ebb98f92945c1a7f84f48c00623e20f7d

  • C:\Windows\{893AFBCE-AC07-4f7a-B79E-DF114766AAAC}.exe

    Filesize

    90KB

    MD5

    d5c4d1e199801d07ce7b9a27c2315ea8

    SHA1

    ccf97e10f5ccc4ec6708e29f47096ff350bdfcf5

    SHA256

    2445a588097b328c0a9323d70939ff4feb150a691323b8dfe8a9be9406b1bed4

    SHA512

    5c751cddfbdc7b854e75f82852525ed9a57dc9d5a729c84d1315cd7302e99b5840639152436b680ac0a0e27a6877297cf2c050c187df45b811226699b03b3ed4

  • C:\Windows\{8D835F58-E370-47ed-8F45-17510102F1C9}.exe

    Filesize

    90KB

    MD5

    42e76680bc1bcc0a4cf3ccf2a133c948

    SHA1

    95df70954f876510ad050e831a7732f68a052172

    SHA256

    8d57da5e3d3b57dbb45c17c4a3dddac5f728723e97828e9e7b45dff7d5913aee

    SHA512

    69c6285159659a8b3644b095f49f4040c847a1bcb384a54e627a36334d404ba4879f7bfe06509452017c7ea8edb1520609cbd7f801f4730faa75174e2ad9a233

  • C:\Windows\{8F699837-4BDC-4404-BAD3-6B23A6535250}.exe

    Filesize

    90KB

    MD5

    22f274b1915848b627a74b7e895af33f

    SHA1

    dd878efae92d2d248324e4f69d2ab358a72bcb3e

    SHA256

    2525b651fca5a3aa094aae179d321f2b4123287798f9c574c98368b48110b8b3

    SHA512

    9be246eeb1a1cd764c1e4da4f17affb44d8b89d91d33ed95decf6acdde1eb78215b531d4c3f209a1d6a9ee786313a11cd7019cf8e58e68c48f284c863e724880

  • C:\Windows\{92FBF5A8-B39C-4f50-8F83-8A5C98DC3C0E}.exe

    Filesize

    90KB

    MD5

    3d7b68c2d5880f7e97b0958ffaa99e9e

    SHA1

    664dab7085b1dc124114abe33bb4266979072f0c

    SHA256

    af5de948a3b6dd0fef7221ec84ef8858620c6099ad8d4fab7181f993874aa1ef

    SHA512

    8caf6da534dff88c0f4d19ae13280521085ba4404fda18946f4e19aa77ee4485e939a9efc776779f09ce3498519a72ce820edff6abe27d3169e6c270195be9df

  • C:\Windows\{9F34C95E-0E33-4aac-B072-20BA1EF192B8}.exe

    Filesize

    90KB

    MD5

    f9f8c7e2a978735050af8db0df686cb3

    SHA1

    3d98d81b17b2f1649623bc6ee3c87b7885140f3b

    SHA256

    9835cae7ee65b3214d43032751c73f3e14286fbb51b4757a2e7e3416d55f0ead

    SHA512

    bb780d8e6df5f9d1c3995ede68dc720232f3c622362fa80e51c9babffd48a00ad2b74216cc970212707be9d881b4a99fe84c4ed57793f92b27bbf717206c3839

  • C:\Windows\{A63997A2-2CBF-45a1-81E1-61002F631C38}.exe

    Filesize

    90KB

    MD5

    16a8eff698b881efff7b4c44a2dae32e

    SHA1

    55592a0d76a6853120d37c20968870d80f5d60c3

    SHA256

    d3ab81c6878ba9a43c07d1047acdc1dfe9e6c5cab4cecfe14cd5ca38277725b6

    SHA512

    5efd1f9e9edcae419b1c250eff18a640bf3385f71646658c4df664122d61e9dde1ed6317fd5618541f9c0886d5291ab531c7637c84a650a636ad2a9d6356aa12

  • C:\Windows\{BDF329F9-7BD2-4d3d-A03F-7A10CED970A8}.exe

    Filesize

    90KB

    MD5

    d2dcc6eccf3556d0df178d8a17a96939

    SHA1

    2e7e2515403636f0d81ca614790ba7ab579047e6

    SHA256

    60c06208775341e91d75ddbe79abb387c18a30483553306d43bc9a3bab19da8e

    SHA512

    3a2cb70f07780834c778793e476f1e7aee25299f8745a71091447a8b67ea8508878942cc1347da88706f930850017ffcfbb00ad0d5015efd9dd7bc9001ba6c97

  • C:\Windows\{CFAF1A36-3C4B-4bae-B230-E4BB1F2C5B3C}.exe

    Filesize

    90KB

    MD5

    104c2d528c8086ffa2d3693b741be0e5

    SHA1

    4112d814843d77d11d9947bb07aa554ad8577eb8

    SHA256

    1ce5c1d9dfb4c952e72b8f1480af6d6bf0fe9e3cda51d5794761139725b88d6c

    SHA512

    6ded6acff155d99ccf0fbb572bf8ab127ae169db5a46bbeb0566d5a23d5f363b1c5f74a8c98beee3af604b4285c3117ed95c5131798e7a660f7cc360be6c1ea5