6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe
Size

216KB
MD5

9b835157c613465eceee4ff9778c2bcf
SHA1

2112bc35a0ed21df4ba8ed935e5a3a6b31140e5d
SHA256

6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363
SHA512

8c7d67afcf69ff16c290c8ac153cb68ce1b3f063a2baf7ffa514035b212adb50ca7e846582c19186bb8effc6d037eeb6a6bea2c8c7e241cc244976870ff3c9ee
SSDEEP

3072:jEGh0o3l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGFlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F62FCC9-F445-4009-A90F-8B393313C1F2}	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}\stubpath = "C:\\Windows\\{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe"	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}\stubpath = "C:\\Windows\\{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe"	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}\stubpath = "C:\\Windows\\{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe"	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE03218A-F431-42e0-8054-DE7AF6EC4220}\stubpath = "C:\\Windows\\{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe"	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}\stubpath = "C:\\Windows\\{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe"	{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CFA3377-CD42-4c29-A66F-44CC10555CFD}	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F62FCC9-F445-4009-A90F-8B393313C1F2}\stubpath = "C:\\Windows\\{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe"	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3440195B-F9E4-4e46-BB2B-08FC85F77D43}\stubpath = "C:\\Windows\\{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe"	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}	{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D0C42E-F72F-44fb-9C80-47C579F10B8A}	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D0C42E-F72F-44fb-9C80-47C579F10B8A}\stubpath = "C:\\Windows\\{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe"	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE03218A-F431-42e0-8054-DE7AF6EC4220}	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3440195B-F9E4-4e46-BB2B-08FC85F77D43}	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}	{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}\stubpath = "C:\\Windows\\{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe"	{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}	{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CFA3377-CD42-4c29-A66F-44CC10555CFD}\stubpath = "C:\\Windows\\{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe"	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}\stubpath = "C:\\Windows\\{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}.exe"	{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe
2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe
2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe
2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe
1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe
3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe
2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe
2588	{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe
2516	{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe
2132	{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe
868	{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe	{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe
File created	C:\Windows\{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe
File created	C:\Windows\{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe
File created	C:\Windows\{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe
File created	C:\Windows\{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe
File created	C:\Windows\{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe
File created	C:\Windows\{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe
File created	C:\Windows\{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe
File created	C:\Windows\{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe
File created	C:\Windows\{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe	{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe
File created	C:\Windows\{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}.exe	{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe
Token: SeIncBasePriorityPrivilege	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe
Token: SeIncBasePriorityPrivilege	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe
Token: SeIncBasePriorityPrivilege	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe
Token: SeIncBasePriorityPrivilege	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe
Token: SeIncBasePriorityPrivilege	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe
Token: SeIncBasePriorityPrivilege	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe
Token: SeIncBasePriorityPrivilege	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe
Token: SeIncBasePriorityPrivilege	2588	{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe
Token: SeIncBasePriorityPrivilege	2516	{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe
Token: SeIncBasePriorityPrivilege	2132	{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2368	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe	31
PID 2564 wrote to memory of 2368	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe	31
PID 2564 wrote to memory of 2368	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe	31
PID 2564 wrote to memory of 2368	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe	31
PID 2564 wrote to memory of 2920	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe	32
PID 2564 wrote to memory of 2920	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe	32
PID 2564 wrote to memory of 2920	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe	32
PID 2564 wrote to memory of 2920	2564	6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe	32
PID 2368 wrote to memory of 2820	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	33
PID 2368 wrote to memory of 2820	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	33
PID 2368 wrote to memory of 2820	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	33
PID 2368 wrote to memory of 2820	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	33
PID 2368 wrote to memory of 2848	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	34
PID 2368 wrote to memory of 2848	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	34
PID 2368 wrote to memory of 2848	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	34
PID 2368 wrote to memory of 2848	2368	{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe	34
PID 2820 wrote to memory of 2052	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	35
PID 2820 wrote to memory of 2052	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	35
PID 2820 wrote to memory of 2052	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	35
PID 2820 wrote to memory of 2052	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	35
PID 2820 wrote to memory of 2176	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	36
PID 2820 wrote to memory of 2176	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	36
PID 2820 wrote to memory of 2176	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	36
PID 2820 wrote to memory of 2176	2820	{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe	36
PID 2052 wrote to memory of 2672	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	37
PID 2052 wrote to memory of 2672	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	37
PID 2052 wrote to memory of 2672	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	37
PID 2052 wrote to memory of 2672	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	37
PID 2052 wrote to memory of 2624	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	38
PID 2052 wrote to memory of 2624	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	38
PID 2052 wrote to memory of 2624	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	38
PID 2052 wrote to memory of 2624	2052	{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe	38
PID 2672 wrote to memory of 1224	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	39
PID 2672 wrote to memory of 1224	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	39
PID 2672 wrote to memory of 1224	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	39
PID 2672 wrote to memory of 1224	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	39
PID 2672 wrote to memory of 2308	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	40
PID 2672 wrote to memory of 2308	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	40
PID 2672 wrote to memory of 2308	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	40
PID 2672 wrote to memory of 2308	2672	{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe	40
PID 1224 wrote to memory of 3004	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	41
PID 1224 wrote to memory of 3004	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	41
PID 1224 wrote to memory of 3004	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	41
PID 1224 wrote to memory of 3004	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	41
PID 1224 wrote to memory of 2940	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	42
PID 1224 wrote to memory of 2940	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	42
PID 1224 wrote to memory of 2940	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	42
PID 1224 wrote to memory of 2940	1224	{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe	42
PID 3004 wrote to memory of 2020	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	43
PID 3004 wrote to memory of 2020	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	43
PID 3004 wrote to memory of 2020	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	43
PID 3004 wrote to memory of 2020	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	43
PID 3004 wrote to memory of 2808	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	44
PID 3004 wrote to memory of 2808	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	44
PID 3004 wrote to memory of 2808	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	44
PID 3004 wrote to memory of 2808	3004	{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe	44
PID 2020 wrote to memory of 2588	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	45
PID 2020 wrote to memory of 2588	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	45
PID 2020 wrote to memory of 2588	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	45
PID 2020 wrote to memory of 2588	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	45
PID 2020 wrote to memory of 620	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	46
PID 2020 wrote to memory of 620	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	46
PID 2020 wrote to memory of 620	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	46
PID 2020 wrote to memory of 620	2020	{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe	46

C:\Users\Admin\AppData\Local\Temp\6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe
"C:\Users\Admin\AppData\Local\Temp\6a31c00a5ff67fc65ca27694ad3cbf4b31cc4a6dfd8257a47c4e6c362eef6363.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe
  C:\Windows\{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe
    C:\Windows\{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe
      C:\Windows\{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe
        
        C:\Windows\{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe
        
        C:\Windows\{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe
        
        C:\Windows\{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe
        
        C:\Windows\{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe
        
        C:\Windows\{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe
        
        C:\Windows\{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe
        
        C:\Windows\{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}.exe
        
        C:\Windows\{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B07E2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F785~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34401~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE032~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F62F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB498~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7102~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81BCA~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8CFA3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{77D0C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A31C0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00E3B68F-EA29-4dd1-92FC-4380F467C1AB}.exe

Filesize
216KB

MD5
d7942f486756edf9d497975290a348b4

SHA1
ebf1f89d734a6555c4125415b381e6d3406a34eb

SHA256
ab936bb56cf3f44267ce4ba12fee3117d1057c185c445e41ccb333af8f503498

SHA512
30e71154f988b9addc80d96733f8d1923e6c4c13bd4bf00d2e94d72ae91d0859c6adec266ce11fc2d6f1bb2579bacc6d2aa691bdd3594ccae241e4788513317b

Download Submit
C:\Windows\{3440195B-F9E4-4e46-BB2B-08FC85F77D43}.exe

Filesize
216KB

MD5
4c17ed8055473544c504eba6a1cc9988

SHA1
cc8e779f315c87c697fa4a5a669c4d70adb59e1b

SHA256
52d05a44bc414db3e0de51c677ba2e1eea07e7d3f4d04528fe6ab93d8ce5c523

SHA512
fa8883164957db5cc76fecd7f908775f951e649c0a60b829e0bad909f4afa9190e3588fa10d58999c230309798a9a319e881cb44d37f1429b36409cf3a20c9ec

Download Submit
C:\Windows\{6F62FCC9-F445-4009-A90F-8B393313C1F2}.exe

Filesize
216KB

MD5
ea86c9670b8ef91d784f6eb1d7268541

SHA1
ff4446cd07c16564c30295b155414ed1be56dcc3

SHA256
4a4b518eb7e7e07afdce998f580d0837bccdd780e35dab6d9ccb938f1f02e85c

SHA512
8b51ee88932276f4a97eba7db4ad30930e1fcc34025807cd388cbb925fd9edc23539015b626404517e7341b1bfd1fcc9b40db98bb7f52a85fae7bfa975a285e8

Download Submit
C:\Windows\{77D0C42E-F72F-44fb-9C80-47C579F10B8A}.exe

Filesize
216KB

MD5
de0ca332fa90ea3bb99d030c26a10bbf

SHA1
575e04a26467079c5e6f09946b77257b86ce799d

SHA256
b1eb933ea5387352f568df32962dce47b89d5014068f0bc522f46b1b699bdf31

SHA512
a87a30d1dea89fa40bf176732b4fbf3ed9cf7fd7627b7fefb035a4723977b7ea0227739ce3594d5f099134b3604475e2fcf717eebe757863ed6f62a24d94cb37

Download Submit
C:\Windows\{81BCAAC6-3120-4aad-A3E7-ADCDFB51A69F}.exe

Filesize
216KB

MD5
4e05abcbcc2a9119c669f69725f6f80a

SHA1
28a44e9efa673e30225cf5d81b3f639ca02d66db

SHA256
552ce2455ed01071b6f4ffbb562527fa90cf57c6f7aa3ca95c5dcfbe5fcf7458

SHA512
d1ee3c258586dc68696ec5ceaf7bb57fd6dfb6ccc07c05532ad8d95f178bcc8538c79eed3a085e750a7b46adecf0341f6e4eab8d30b5b3887f20c172ff598200

Download Submit
C:\Windows\{8CFA3377-CD42-4c29-A66F-44CC10555CFD}.exe

Filesize
216KB

MD5
0288d286c2b137529a563dcdb5d2992b

SHA1
56763ee6748eb0a9fbdc1383777788e2ee40d906

SHA256
0ac7974292c0878ac3a2a15c26669e612a3c729f95857d27312aa8abaebb1ec5

SHA512
34a6edc5e292544334a526cc00b6aa93844942a47471f58fbd30666aed4dec082b8a80fcb57da9c224540aae3254e54c2bb91a0546a9521f52783979205bba86

Download Submit
C:\Windows\{9F785CAF-4A90-4e66-AA9D-5260A3DB6CA0}.exe

Filesize
216KB

MD5
b10479e8e94c4e6883400597c72cdd4f

SHA1
1780626d7d25c0d55273c396d6fba9a6c516fce3

SHA256
ed458120fdfea0c511d699d5adc281cb36b97bf9243e1a65d2b3a44e2b924e4b

SHA512
a79926d61df9e48e74bb1caed14467706fa216fe46d27e1a69657f6d877de9843f9dd049ac4c5d1bc9effd44fd8f1fe0bbe26d976c806f0d12d3cb65b5954d03

Download Submit
C:\Windows\{A7102A5C-3DC3-4f71-875C-FA2A2DA6DAA2}.exe

Filesize
216KB

MD5
1cb5a67da3f8ae0ee66555e9b3338b5a

SHA1
ae89ad50c747902d287d0db47142e7098835d9b2

SHA256
ccf0df3cbe5cd3c22b271c2ee1f47e9d672134f80ff10dcad0675e2c2d2f311a

SHA512
27745a2d4c408954ec695659769c9af86e1040f201d75c0e56fba4d688d94f01b2af7435d85b51c662bc7904f463ea127c8ae5d17d74486c92933cfc4103ea6c

Download Submit
C:\Windows\{AB498F7A-DD96-4725-9E2B-8DFB99E0C1CB}.exe

Filesize
216KB

MD5
31633bf86c5817b3c12a53777861037d

SHA1
b102f0cd7a8cd9db95735b8e88dde4ab1e488c5a

SHA256
3df29a4b45d40ef843f456793818670760d2188d68f665b3dfb9239834875a16

SHA512
29741adc31c97a432a6917ec3d7fa21cb04a0dbfaa7ab2e003a0ab587817150a95bca88133dcce9bbf54903cd20a5ccf6e3af6f9f0efb731e67e9267ff14dc63

Download Submit
C:\Windows\{B07E23D0-A069-4b6a-AA0E-467DD5ABD3CC}.exe

Filesize
216KB

MD5
863bafced2df93e05fa96ed9119e5240

SHA1
b819ed07261e6fd73ba2470f64ac81c7ae2b6bfa

SHA256
1fbc0e41b02da49d57d51e876fb3796cea56d72eb7eec28a13f0ffef7ff3b112

SHA512
13051f4cab3e08767b7c6165676d0e4d24be00b55cb789d08a1d95fc10bfa20b8a28bf29fb21e2bc04999e3131f16918500c1daa4d746882d2aa045b3d03fdfc

Download Submit
C:\Windows\{FE03218A-F431-42e0-8054-DE7AF6EC4220}.exe

Filesize
216KB

MD5
6f3891c74b4877160582e138cdfe3bfc

SHA1
4ef8110eab3922f60a35e1cb69b0ff7a4c9b64d4

SHA256
280192ca508ae45aec68e741a1d2a87af68fd55731f1cbc27933178b71ce8da6

SHA512
a139e9eed3cd9b416befccd1cf38c042682e143ad4582239b2fd428020b7da837babfe052b74c577ea8225f231a01ad1782a75b9d4f7efb27217fa61cabda25c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads