Overview

overview

8

Static

static

3

e730e972cc...ae.exe

windows7-x64

8

e730e972cc...ae.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 03:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe

  • Size

    90KB

  • MD5

    9c566323ba542ce27f53b09d52705558

  • SHA1

    19635f373584e11f8a0504808e60ca0922e89adc

  • SHA256

    e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae

  • SHA512

    c6cafbc4abe5f7a0d0a325baf536bf64b28847bdfacc46d8a404b316a577497ce62e64e90208fecc27ffd15fab3a21f1fdcb54d85853cb2bc4377601f056ebf4

  • SSDEEP

    768:Qvw9816vhKQLroE4/wQRNrfrunMxVFA3b7gl/:YEGh0oEl2unMxVS3HgR

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe
    "C:\Users\Admin\AppData\Local\Temp\e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\{E25813A4-8D15-4f1f-B2B6-9C5894574D2B}.exe
      C:\Windows\{E25813A4-8D15-4f1f-B2B6-9C5894574D2B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\{C873BCDC-36D8-4f40-A4D7-4ACFC143F414}.exe
        C:\Windows\{C873BCDC-36D8-4f40-A4D7-4ACFC143F414}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4172
        • C:\Windows\{FEFB994D-2FF8-4b78-B1F9-BE2BCF5E165D}.exe
          C:\Windows\{FEFB994D-2FF8-4b78-B1F9-BE2BCF5E165D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4048
          • C:\Windows\{B4EF6531-C0F0-4e9c-BBE0-A783F8D6C2F7}.exe
            C:\Windows\{B4EF6531-C0F0-4e9c-BBE0-A783F8D6C2F7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:624
            • C:\Windows\{BF75E865-E21E-4ea2-B84A-E88D53E59DAF}.exe
              C:\Windows\{BF75E865-E21E-4ea2-B84A-E88D53E59DAF}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1240
              • C:\Windows\{CE7A8979-6AB1-4dbc-95ED-3C448A894B57}.exe
                C:\Windows\{CE7A8979-6AB1-4dbc-95ED-3C448A894B57}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4304
                • C:\Windows\{6DDD5480-A354-4595-88FB-FA16F9FDDA0E}.exe
                  C:\Windows\{6DDD5480-A354-4595-88FB-FA16F9FDDA0E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3860
                  • C:\Windows\{2394DAEF-D1ED-42f2-B8DD-1497BCAB1AB8}.exe
                    C:\Windows\{2394DAEF-D1ED-42f2-B8DD-1497BCAB1AB8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4284
                    • C:\Windows\{60325E9B-CAD2-4307-92D5-C50B1F96EEE8}.exe
                      C:\Windows\{60325E9B-CAD2-4307-92D5-C50B1F96EEE8}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4624
                      • C:\Windows\{EE96E27A-C828-4418-AEC0-511C0FACBAD8}.exe
                        C:\Windows\{EE96E27A-C828-4418-AEC0-511C0FACBAD8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1220
                        • C:\Windows\{0F303856-DA6F-4bd5-BBF7-006167FF74DF}.exe
                          C:\Windows\{0F303856-DA6F-4bd5-BBF7-006167FF74DF}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3588
                          • C:\Windows\{2ED85575-0C00-45ae-8480-7A267452C735}.exe
                            C:\Windows\{2ED85575-0C00-45ae-8480-7A267452C735}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4212
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0F303~1.EXE > nul
                            13⤵
                              PID:4416
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EE96E~1.EXE > nul
                            12⤵
                              PID:224
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{60325~1.EXE > nul
                            11⤵
                              PID:4932
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2394D~1.EXE > nul
                            10⤵
                              PID:3444
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDD5~1.EXE > nul
                            9⤵
                              PID:4808
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CE7A8~1.EXE > nul
                            8⤵
                              PID:3928
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BF75E~1.EXE > nul
                            7⤵
                              PID:4404
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B4EF6~1.EXE > nul
                            6⤵
                              PID:2860
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FEFB9~1.EXE > nul
                            5⤵
                              PID:2364
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C873B~1.EXE > nul
                            4⤵
                              PID:3420
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E2581~1.EXE > nul
                            3⤵
                              PID:4112
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E730E9~1.EXE > nul
                            2⤵
                              PID:3240

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Active Setup

                          1
                          T1547.014

                          Privilege Escalation

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Active Setup

                          1
                          T1547.014

                          Defense Evasion

                          Modify Registry

                          1
                          T1112

                          Credential Access

                          Discovery

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{0F303856-DA6F-4bd5-BBF7-006167FF74DF}.exe
                            Filesize

                            90KB

                            MD5

                            95439b4fa42afbce875d5b7e35b1b1c8

                            SHA1

                            6c0a0f9786476b612baef0a7b915c4d09faa3a63

                            SHA256

                            7d82cb84ba1f96ab9d678e051fddee47858cd9cf41aad420a3bace7d59c3c783

                            SHA512

                            50afc9f82ab1eeca6bcfe1369ad069f4f514d315a65b79f65b1e930d9b2b2a160f3eaeb6e6c97f55f2ce715760e346e867883df40e07f5942cf7e2b44927f35d

                            Download Submit
                          • C:\Windows\{2394DAEF-D1ED-42f2-B8DD-1497BCAB1AB8}.exe
                            Filesize

                            90KB

                            MD5

                            dd104addefbd6af9311d9823ff442edd

                            SHA1

                            f9f10837d64b1a7b20eef52f3c953183ee1bf4f6

                            SHA256

                            bd511eb6ea4512e72496a821f52b69601c4dfdc088dfcaded4c311126a9b743f

                            SHA512

                            be27a0ac657a097911fcad5c2fb20f47fdd0f3723f171426e4359ded06659d2fc721692782534e84148af9caf0d0c53b4d08f8c0c390abdce54a664405f94ae5

                            Download Submit
                          • C:\Windows\{2ED85575-0C00-45ae-8480-7A267452C735}.exe
                            Filesize

                            90KB

                            MD5

                            4419004bd29f88919162993e3549d866

                            SHA1

                            bb79e361f01649d8fda038d5ff47eecce42743ce

                            SHA256

                            3e7131d7639d20326a017c1507352f4d9f46e505ba1fa3211b7397ba3131b83f

                            SHA512

                            bf127da1e0cfcd9728f4b836a57ad4567d9755e12bcdf295dc84494c72ad22eff7aaae491e0ad484b06f8009318fbc8048708406b0a2833f8a8e67ece9311c5b

                            Download Submit
                          • C:\Windows\{60325E9B-CAD2-4307-92D5-C50B1F96EEE8}.exe
                            Filesize

                            90KB

                            MD5

                            9d6d7c679296d75edb240eaae8162460

                            SHA1

                            aef0ea8022b3fc496da302ca390ae8af9bbc10ba

                            SHA256

                            7a5144b3eada716cd482d486c3deb632b2942744a7637914c750593370a9318e

                            SHA512

                            3dc7c0c4ebb232de17d31a358f4c02ffbfa1321afbafbc3e669cdf80f4d9b568feb9b3cb593a7b8daba8e6564e6701ea5280ce2ef63d137e1e5bd2b79fe031cb

                            Download Submit
                          • C:\Windows\{6DDD5480-A354-4595-88FB-FA16F9FDDA0E}.exe
                            Filesize

                            90KB

                            MD5

                            7e2244cd2214eff24d4d6b708c68bdf7

                            SHA1

                            ec8b833c15d600a8b9fae209e7f9d51bcb417ffa

                            SHA256

                            f9a71ef551d4b9b0ba59e9730d99b6526584bdb4a2a0cc3747e9b6deb609094e

                            SHA512

                            06c829325bd4eac602583c925b3ca9816f6f53692f644794b3601164971d921741f8ad958872ac0cf46d22ae0e107b72845a9854fd1be0bdc4df4d639a7fdad1

                            Download Submit
                          • C:\Windows\{B4EF6531-C0F0-4e9c-BBE0-A783F8D6C2F7}.exe
                            Filesize

                            90KB

                            MD5

                            2a13dda86735159b53542896f1962f78

                            SHA1

                            7886f7f64be75fec25fef7959855c9ed5626f50b

                            SHA256

                            33e2402ad8d06d93c22c0c00992e10601ca7c15074b8c7a08ac703d9ceb72e93

                            SHA512

                            ac7855bbfec5bdc75d5a3b7b9c59d64408e4aa3024806e207c72776ec6b3ea6c42c1fdc6154ec146e411cbc5401b4730b3b511e203ed18a18a47f8a553134761

                            Download Submit
                          • C:\Windows\{BF75E865-E21E-4ea2-B84A-E88D53E59DAF}.exe
                            Filesize

                            90KB

                            MD5

                            67bfe56edb253488686277785240dcf9

                            SHA1

                            26e68d21bf2e31faf1a682102e85106a90789492

                            SHA256

                            ead800aebe1b7199a48f4ea2b2612bc3775218517ba6b5728fe0ce9f57970d00

                            SHA512

                            2cb7f2cd27cbfafc4345e62f04273cd5f39fdf50c748c73550a0f5104130dc7e68028b007befaadb4887fadc23cc77559fad076f11b6eabfae4cd312d303e5c4

                            Download Submit
                          • C:\Windows\{C873BCDC-36D8-4f40-A4D7-4ACFC143F414}.exe
                            Filesize

                            90KB

                            MD5

                            ff4eea89ab4cca992aff17955e698849

                            SHA1

                            7c71ab75168312fd41553dbfa577a5533a3794a1

                            SHA256

                            cf808fb2bf6992c1358d5e4384780169b43f4a245e91e2b8e2d2b3e9ee0427bb

                            SHA512

                            c79d6b0b43652a5ce004f0efb66a5c6b7e299f336998a5f61cfd2485d4bbe781ff66edee4e478e5c819593b642845c5517044d946e251d163cd25f82deedc134

                            Download Submit
                          • C:\Windows\{CE7A8979-6AB1-4dbc-95ED-3C448A894B57}.exe
                            Filesize

                            90KB

                            MD5

                            251602a427e79e76a3e80c596664affd

                            SHA1

                            c3301da14b517418592da0f99e414464773ca56c

                            SHA256

                            c21a00002aab14a22950a65c3c41fa22dd9f15ce549b8f0e282b8a7b1a2fb3f9

                            SHA512

                            8c462f60b254c18d03124ba3a8c571b5d697534916976c181010e243a6e7f75c7f5b8985330aefaee514bfe117af3dcdc970748c98d8bef88a31f49b77965e2c

                            Download Submit
                          • C:\Windows\{E25813A4-8D15-4f1f-B2B6-9C5894574D2B}.exe
                            Filesize

                            90KB

                            MD5

                            4ba83d082b1f046d1a5507992715a850

                            SHA1

                            f58358bfae628e74cf8c9084f39009bf5e75ee4c

                            SHA256

                            f3ff6904ecd36dd41369cdfe96023d8b4a54b8d564e72d6e44bdf07dda58e0c5

                            SHA512

                            9f1e23fd423102756a40b7e642741f7578f820718ae7eb5dd20f22003311739cd5b72b8e2938b0579f104865e3ca1a27de5d0108a8c121f7f413d7a55bac4c52

                            Download Submit
                          • C:\Windows\{EE96E27A-C828-4418-AEC0-511C0FACBAD8}.exe
                            Filesize

                            90KB

                            MD5

                            f81b8e02983c50a13bd20a0bd2045c12

                            SHA1

                            e907b90f3da7d9c42eea48ec5cbd28c40c5b2e17

                            SHA256

                            97b64941af78afe0ccb4e488c7ea330a1fb1f4d55ff1a44ec9096a8a24235401

                            SHA512

                            0112f4363c60956bc5688d0c71149a57c2246c21eea7a7f054a247e77d52b5e2311f9c89c1b83cd18e2bc07407ad2e6b2c7ce56ac2ada0e9357652258f40b043

                            Download Submit
                          • C:\Windows\{FEFB994D-2FF8-4b78-B1F9-BE2BCF5E165D}.exe
                            Filesize

                            90KB

                            MD5

                            3a560c5ba4307ef780ca6c1be0b7fcdd

                            SHA1

                            3ff063e8e0452405b00e9a7e16537eee34b5e8e7

                            SHA256

                            6be7e9fb81da9059965acbab09c7dbdb32524e91ce46dfcc1d24c6b5031c3f16

                            SHA512

                            e9be51aebbcbbd00e01d3444290435cb82c0539288b09fd41c19c2e3164d77b2f432af4ec51d76dfeb023945f526e5083bf0980297f451c851bb2bdb56230472

                            Download Submit