7ec91c3cb7cf58f6bc6be3fff45ea1efa9aa575b89d65ed416ece0a2635fbfa1

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 01:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34711251d977950efaa2c371b8484020N.exe
Size

90KB
MD5

34711251d977950efaa2c371b8484020
SHA1

b33dbe2fddc7c45538afbabaa56c9d92d69ae05b
SHA256

7ec91c3cb7cf58f6bc6be3fff45ea1efa9aa575b89d65ed416ece0a2635fbfa1
SHA512

eb6a443b1d3609825edf346d45b42bfeb4ef70faffa60fa331248432cecc72bb9cbb2ccf6c1547594a72f5f80af860e7e96710c1533c64ea96b1a8c99acca436
SSDEEP

768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glw:YEGh0ovl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}\stubpath = "C:\\Windows\\{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe"	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}\stubpath = "C:\\Windows\\{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe"	{05382A08-917D-434d-8900-085C99687F84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F98860-0E08-46a1-8E86-55E219F52D37}	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE57317-56A3-4473-9C94-942C23C2BC4D}	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F98860-0E08-46a1-8E86-55E219F52D37}\stubpath = "C:\\Windows\\{23F98860-0E08-46a1-8E86-55E219F52D37}.exe"	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{769AD103-B897-4f1e-9069-7EFB6418BC46}	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{769AD103-B897-4f1e-9069-7EFB6418BC46}\stubpath = "C:\\Windows\\{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe"	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05382A08-917D-434d-8900-085C99687F84}	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05382A08-917D-434d-8900-085C99687F84}\stubpath = "C:\\Windows\\{05382A08-917D-434d-8900-085C99687F84}.exe"	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}	{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{191DABB6-30A2-421c-9A6F-CE25FCE46C50}\stubpath = "C:\\Windows\\{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe"	34711251d977950efaa2c371b8484020N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}	{05382A08-917D-434d-8900-085C99687F84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02EC5E73-0610-446c-8F62-DB497DB33EDE}	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{191DABB6-30A2-421c-9A6F-CE25FCE46C50}	34711251d977950efaa2c371b8484020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE57317-56A3-4473-9C94-942C23C2BC4D}\stubpath = "C:\\Windows\\{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe"	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02EC5E73-0610-446c-8F62-DB497DB33EDE}\stubpath = "C:\\Windows\\{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe"	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}\stubpath = "C:\\Windows\\{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}.exe"	{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe
2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe
2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe
1040	{05382A08-917D-434d-8900-085C99687F84}.exe
2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe
2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe
1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe
1448	{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe
2080	{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	34711251d977950efaa2c371b8484020N.exe
File created	C:\Windows\{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}.exe	{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe
File created	C:\Windows\{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	{05382A08-917D-434d-8900-085C99687F84}.exe
File created	C:\Windows\{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe
File created	C:\Windows\{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe
File created	C:\Windows\{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe
File created	C:\Windows\{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe
File created	C:\Windows\{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe
File created	C:\Windows\{05382A08-917D-434d-8900-085C99687F84}.exe	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34711251d977950efaa2c371b8484020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05382A08-917D-434d-8900-085C99687F84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2584	34711251d977950efaa2c371b8484020N.exe
Token: SeIncBasePriorityPrivilege	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe
Token: SeIncBasePriorityPrivilege	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe
Token: SeIncBasePriorityPrivilege	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe
Token: SeIncBasePriorityPrivilege	1040	{05382A08-917D-434d-8900-085C99687F84}.exe
Token: SeIncBasePriorityPrivilege	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe
Token: SeIncBasePriorityPrivilege	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe
Token: SeIncBasePriorityPrivilege	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe
Token: SeIncBasePriorityPrivilege	1448	{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2856	2584	34711251d977950efaa2c371b8484020N.exe	30
PID 2584 wrote to memory of 2856	2584	34711251d977950efaa2c371b8484020N.exe	30
PID 2584 wrote to memory of 2856	2584	34711251d977950efaa2c371b8484020N.exe	30
PID 2584 wrote to memory of 2856	2584	34711251d977950efaa2c371b8484020N.exe	30
PID 2584 wrote to memory of 2404	2584	34711251d977950efaa2c371b8484020N.exe	31
PID 2584 wrote to memory of 2404	2584	34711251d977950efaa2c371b8484020N.exe	31
PID 2584 wrote to memory of 2404	2584	34711251d977950efaa2c371b8484020N.exe	31
PID 2584 wrote to memory of 2404	2584	34711251d977950efaa2c371b8484020N.exe	31
PID 2856 wrote to memory of 2848	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	33
PID 2856 wrote to memory of 2848	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	33
PID 2856 wrote to memory of 2848	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	33
PID 2856 wrote to memory of 2848	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	33
PID 2856 wrote to memory of 2772	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	34
PID 2856 wrote to memory of 2772	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	34
PID 2856 wrote to memory of 2772	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	34
PID 2856 wrote to memory of 2772	2856	{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe	34
PID 2848 wrote to memory of 2780	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	35
PID 2848 wrote to memory of 2780	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	35
PID 2848 wrote to memory of 2780	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	35
PID 2848 wrote to memory of 2780	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	35
PID 2848 wrote to memory of 2896	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	36
PID 2848 wrote to memory of 2896	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	36
PID 2848 wrote to memory of 2896	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	36
PID 2848 wrote to memory of 2896	2848	{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe	36
PID 2780 wrote to memory of 1040	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	37
PID 2780 wrote to memory of 1040	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	37
PID 2780 wrote to memory of 1040	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	37
PID 2780 wrote to memory of 1040	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	37
PID 2780 wrote to memory of 2640	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	38
PID 2780 wrote to memory of 2640	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	38
PID 2780 wrote to memory of 2640	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	38
PID 2780 wrote to memory of 2640	2780	{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe	38
PID 1040 wrote to memory of 2116	1040	{05382A08-917D-434d-8900-085C99687F84}.exe	39
PID 1040 wrote to memory of 2116	1040	{05382A08-917D-434d-8900-085C99687F84}.exe	39
PID 1040 wrote to memory of 2116	1040	{05382A08-917D-434d-8900-085C99687F84}.exe	39
PID 1040 wrote to memory of 2116	1040	{05382A08-917D-434d-8900-085C99687F84}.exe	39
PID 1040 wrote to memory of 920	1040	{05382A08-917D-434d-8900-085C99687F84}.exe	40
PID 1040 wrote to memory of 920	1040	{05382A08-917D-434d-8900-085C99687F84}.exe	40
PID 1040 wrote to memory of 920	1040	{05382A08-917D-434d-8900-085C99687F84}.exe	40
PID 1040 wrote to memory of 920	1040	{05382A08-917D-434d-8900-085C99687F84}.exe	40
PID 2116 wrote to memory of 2964	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	41
PID 2116 wrote to memory of 2964	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	41
PID 2116 wrote to memory of 2964	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	41
PID 2116 wrote to memory of 2964	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	41
PID 2116 wrote to memory of 1616	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	42
PID 2116 wrote to memory of 1616	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	42
PID 2116 wrote to memory of 1616	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	42
PID 2116 wrote to memory of 1616	2116	{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe	42
PID 2964 wrote to memory of 1540	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	43
PID 2964 wrote to memory of 1540	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	43
PID 2964 wrote to memory of 1540	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	43
PID 2964 wrote to memory of 1540	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	43
PID 2964 wrote to memory of 2872	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	44
PID 2964 wrote to memory of 2872	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	44
PID 2964 wrote to memory of 2872	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	44
PID 2964 wrote to memory of 2872	2964	{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe	44
PID 1540 wrote to memory of 1448	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	45
PID 1540 wrote to memory of 1448	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	45
PID 1540 wrote to memory of 1448	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	45
PID 1540 wrote to memory of 1448	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	45
PID 1540 wrote to memory of 772	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	46
PID 1540 wrote to memory of 772	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	46
PID 1540 wrote to memory of 772	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	46
PID 1540 wrote to memory of 772	1540	{23F98860-0E08-46a1-8E86-55E219F52D37}.exe	46

C:\Users\Admin\AppData\Local\Temp\34711251d977950efaa2c371b8484020N.exe
"C:\Users\Admin\AppData\Local\Temp\34711251d977950efaa2c371b8484020N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe
  C:\Windows\{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe
    C:\Windows\{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe
      C:\Windows\{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\{05382A08-917D-434d-8900-085C99687F84}.exe
        
        C:\Windows\{05382A08-917D-434d-8900-085C99687F84}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe
        
        C:\Windows\{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe
        
        C:\Windows\{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{23F98860-0E08-46a1-8E86-55E219F52D37}.exe
        
        C:\Windows\{23F98860-0E08-46a1-8E86-55E219F52D37}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe
        
        C:\Windows\{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}.exe
        
        C:\Windows\{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02EC5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23F98~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AE57~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D59F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05382~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3AE1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{769AD~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{191DA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\347112~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02EC5E73-0610-446c-8F62-DB497DB33EDE}.exe

Filesize
90KB

MD5
f771a552c3220be8297e5d94c7f86e54

SHA1
a15dd4ae472e31a32978b8ef0392cc95a38c95f7

SHA256
5fa5deffb862d53dd2ad3b35268e937c30882502c19728ba2924267a8d24e60e

SHA512
97dcea00969e7d203b9a355541867d3fecdc33c86f192e987b035cf85eb502e5d27eb291d746194ed8cd6ef0c55e54e0ee5a0aa9f15c4bf6f2584f62e794fdeb

Download Submit
C:\Windows\{05382A08-917D-434d-8900-085C99687F84}.exe

Filesize
90KB

MD5
83056e4501ffb6bd9c1d128f1a7ddbd8

SHA1
0607254fedd1b38cfaacc823da233e9017b5b87b

SHA256
24c25afcee6b7dba545024f3d3860537fe91434f6613e99d27abc5cc70ea510f

SHA512
3fa4d78e50689588be052675d9078969bcf8b44af5689dd63c7b74380bbffdda13f2bf0613bdab414bdbc95f71ceb680d04853b1272cc393f83923224ecb8e72

Download Submit
C:\Windows\{191DABB6-30A2-421c-9A6F-CE25FCE46C50}.exe

Filesize
90KB

MD5
8abd1b2e7aa49f1459d03d59e3ba2d15

SHA1
d016ddec5265f5cd5d32baa7c8651175a5f6e750

SHA256
481a77ad6174ef07cd115e67233b5e8a2559cb8378a427ae5c8b595b641b5f5c

SHA512
478eb121b24a5b9f97470ad7e14fd14f10679f04ff394d5fbc585e955d9117f990309595dc3acd10cb8be7522971f351c9dd79d2dde7e596197d01de6aa08a90

Download Submit
C:\Windows\{23F98860-0E08-46a1-8E86-55E219F52D37}.exe

Filesize
90KB

MD5
bda670cf9159d1930a65c1f5a20f301e

SHA1
8c547ae060f59adfccb3106afde79d1c7c067a76

SHA256
48a44f024ad60b6657c3cb9a5eedb08ebddf7807f3d5374ad082930786af9b6a

SHA512
89ad006f0cb4e03ed1553e1d6989e56636a0e4176c5819bdff9c115b68fac37d42ce8e6bb4aa42a1a4914afad452d7f0b437ee8dcf2bc24b5517942aa6a12a26

Download Submit
C:\Windows\{27D463BD-DC54-4f54-8E4D-FA9FC02467E8}.exe

Filesize
90KB

MD5
010e27c40e8672ed17efd95a9c4169fa

SHA1
4d2a5eec9f0c8f476f96075ac31a806b8c87cdf0

SHA256
a322789963017cf1cbb6583543c0fff5a9e1a0d8a229efa3559bd4f6ddeb93a5

SHA512
56f3583e7a7d843830819a46a669a18215003970868215f2630773ef72141dc04acebdbf73f1a07d9cb78616b67d6a57ea9047dcb460caf1ad42cb7c5f56b686

Download Submit
C:\Windows\{3D59F03B-9147-4720-A9BF-E8A7A1F8B85E}.exe

Filesize
90KB

MD5
96a39d985e577db9bc4be5acf21251e1

SHA1
9c67ce889c01034ce9b3951b5a8c7e24163cc54e

SHA256
403aaf84148e1d2ef6ac81188a85e0aa93afd489b5a64fc78239b16301ff9632

SHA512
1a91f555fbcbbf423fa491b36417353be1e7c42971730b64c17ad8fe0f0fbbe72a76c510be8df6d1b4081daa3978b10bffa28c11b1bf4af01cf325fa55a2e812

Download Submit
C:\Windows\{6AE57317-56A3-4473-9C94-942C23C2BC4D}.exe

Filesize
90KB

MD5
cd48cecd00f03b42b0acf73315483eae

SHA1
8c2c056d9e2c2cbc3eb4ffd959ec470867fa5c01

SHA256
95282ee4cf94a4403956f26caf6accf70933e8727609cb6b06bfd82cfd6e2ec7

SHA512
95e4d755591f39d6ee71f1c2bb4875ceb2c814a9b0b6597524584af993c7189a5a3dfc28bf9fb4bda04abb12e48f198d53532e18af0184b434f0b0e25c7e607f

Download Submit
C:\Windows\{769AD103-B897-4f1e-9069-7EFB6418BC46}.exe

Filesize
90KB

MD5
d8df5fabbd7a8fefed451a7cffdd28ee

SHA1
f5e558e0bcfda64cf16bb37729610de648555a4b

SHA256
612cca142abc926642b79f0c259e57ec449d74a3d66612fb1ace48c3d05025b9

SHA512
8db799133dc3bd9d109abb70f8899c95bb536af34d2cd732428b98cefdeba9f14b5502e033375f9c246a3663cc8a8f137a28212cc4dfb7b00d2a30e8d9993856

Download Submit
C:\Windows\{D3AE11BF-A542-4c6a-B76B-B1B376EB29FC}.exe

Filesize
90KB

MD5
007597a3bd354ae73e92c7d2861103ab

SHA1
68e3f2c07c7fa61580f63f15edcb4da76771cb66

SHA256
27cd828780b89a23efa2c438bae5df768f64551a30f9ac555433d7c69634bf70

SHA512
546c3cf51c403f6d110e58f06b33e9694b357d4ea3bb6c672e54d5358a5de3d2e5aacc846a8bf07673cf48dd43965903303f2192c924897991c614fbb6345c63

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads