d8b9fb74a5042f32bde6105eb99f260be83ecf710f0e166180bbc1f76e1afd6f

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64de30bfe3019e6bff78885e7c62f090N.exe
Size

90KB
MD5

64de30bfe3019e6bff78885e7c62f090
SHA1

bd873aa9f02932cca2cfdae6ccfc7d4a5bc4db86
SHA256

d8b9fb74a5042f32bde6105eb99f260be83ecf710f0e166180bbc1f76e1afd6f
SHA512

e65c5bbebdb19cd7ccab1944bea53723cae6c111c3cc28268274353d2e38576c556671c3b723d9d0b4f6bfea7a38c19bd677b4da69f2e1d9a0c436a180f1e70d
SSDEEP

768:Qvw9816vhKQLrod4/wQRNrfrunMxVFA3b7glws:YEGh0odl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}\stubpath = "C:\\Windows\\{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe"	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}	{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823C5CC2-136D-4e07-AE0F-B2676863DCF1}\stubpath = "C:\\Windows\\{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe"	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B99BC10-CA7C-482c-9711-8EBD660BC275}\stubpath = "C:\\Windows\\{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe"	64de30bfe3019e6bff78885e7c62f090N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C9242F-33AB-48f7-910A-CE5B084D7012}\stubpath = "C:\\Windows\\{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe"	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823C5CC2-136D-4e07-AE0F-B2676863DCF1}	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B99BC10-CA7C-482c-9711-8EBD660BC275}	64de30bfe3019e6bff78885e7c62f090N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6576EE83-6061-4d42-87D3-4684CDFD21E9}\stubpath = "C:\\Windows\\{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe"	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}\stubpath = "C:\\Windows\\{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe"	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F631D019-92C5-4d0e-A1FA-8CB87812FF79}\stubpath = "C:\\Windows\\{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe"	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}\stubpath = "C:\\Windows\\{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe"	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}\stubpath = "C:\\Windows\\{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}.exe"	{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6576EE83-6061-4d42-87D3-4684CDFD21E9}	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F631D019-92C5-4d0e-A1FA-8CB87812FF79}	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C9242F-33AB-48f7-910A-CE5B084D7012}	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe

Deletes itself 1 IoCs

pid	Process
2000	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe
2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe
2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe
2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe
2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe
2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe
1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe
388	{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe
2972	{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	64de30bfe3019e6bff78885e7c62f090N.exe
File created	C:\Windows\{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe
File created	C:\Windows\{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe
File created	C:\Windows\{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe
File created	C:\Windows\{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe
File created	C:\Windows\{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe
File created	C:\Windows\{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe
File created	C:\Windows\{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe
File created	C:\Windows\{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}.exe	{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64de30bfe3019e6bff78885e7c62f090N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1316	64de30bfe3019e6bff78885e7c62f090N.exe
Token: SeIncBasePriorityPrivilege	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe
Token: SeIncBasePriorityPrivilege	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe
Token: SeIncBasePriorityPrivilege	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe
Token: SeIncBasePriorityPrivilege	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe
Token: SeIncBasePriorityPrivilege	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe
Token: SeIncBasePriorityPrivilege	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe
Token: SeIncBasePriorityPrivilege	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe
Token: SeIncBasePriorityPrivilege	388	{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2984	1316	64de30bfe3019e6bff78885e7c62f090N.exe	31
PID 1316 wrote to memory of 2984	1316	64de30bfe3019e6bff78885e7c62f090N.exe	31
PID 1316 wrote to memory of 2984	1316	64de30bfe3019e6bff78885e7c62f090N.exe	31
PID 1316 wrote to memory of 2984	1316	64de30bfe3019e6bff78885e7c62f090N.exe	31
PID 1316 wrote to memory of 2000	1316	64de30bfe3019e6bff78885e7c62f090N.exe	32
PID 1316 wrote to memory of 2000	1316	64de30bfe3019e6bff78885e7c62f090N.exe	32
PID 1316 wrote to memory of 2000	1316	64de30bfe3019e6bff78885e7c62f090N.exe	32
PID 1316 wrote to memory of 2000	1316	64de30bfe3019e6bff78885e7c62f090N.exe	32
PID 2984 wrote to memory of 2816	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	33
PID 2984 wrote to memory of 2816	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	33
PID 2984 wrote to memory of 2816	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	33
PID 2984 wrote to memory of 2816	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	33
PID 2984 wrote to memory of 2800	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	34
PID 2984 wrote to memory of 2800	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	34
PID 2984 wrote to memory of 2800	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	34
PID 2984 wrote to memory of 2800	2984	{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe	34
PID 2816 wrote to memory of 2780	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	35
PID 2816 wrote to memory of 2780	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	35
PID 2816 wrote to memory of 2780	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	35
PID 2816 wrote to memory of 2780	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	35
PID 2816 wrote to memory of 2852	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	36
PID 2816 wrote to memory of 2852	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	36
PID 2816 wrote to memory of 2852	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	36
PID 2816 wrote to memory of 2852	2816	{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe	36
PID 2780 wrote to memory of 2712	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	37
PID 2780 wrote to memory of 2712	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	37
PID 2780 wrote to memory of 2712	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	37
PID 2780 wrote to memory of 2712	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	37
PID 2780 wrote to memory of 2616	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	38
PID 2780 wrote to memory of 2616	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	38
PID 2780 wrote to memory of 2616	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	38
PID 2780 wrote to memory of 2616	2780	{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe	38
PID 2712 wrote to memory of 2192	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	39
PID 2712 wrote to memory of 2192	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	39
PID 2712 wrote to memory of 2192	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	39
PID 2712 wrote to memory of 2192	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	39
PID 2712 wrote to memory of 668	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	40
PID 2712 wrote to memory of 668	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	40
PID 2712 wrote to memory of 668	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	40
PID 2712 wrote to memory of 668	2712	{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe	40
PID 2192 wrote to memory of 2864	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	41
PID 2192 wrote to memory of 2864	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	41
PID 2192 wrote to memory of 2864	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	41
PID 2192 wrote to memory of 2864	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	41
PID 2192 wrote to memory of 688	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	42
PID 2192 wrote to memory of 688	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	42
PID 2192 wrote to memory of 688	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	42
PID 2192 wrote to memory of 688	2192	{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe	42
PID 2864 wrote to memory of 1692	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	43
PID 2864 wrote to memory of 1692	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	43
PID 2864 wrote to memory of 1692	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	43
PID 2864 wrote to memory of 1692	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	43
PID 2864 wrote to memory of 772	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	44
PID 2864 wrote to memory of 772	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	44
PID 2864 wrote to memory of 772	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	44
PID 2864 wrote to memory of 772	2864	{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe	44
PID 1692 wrote to memory of 388	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	45
PID 1692 wrote to memory of 388	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	45
PID 1692 wrote to memory of 388	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	45
PID 1692 wrote to memory of 388	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	45
PID 1692 wrote to memory of 1576	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	46
PID 1692 wrote to memory of 1576	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	46
PID 1692 wrote to memory of 1576	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	46
PID 1692 wrote to memory of 1576	1692	{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe	46

C:\Users\Admin\AppData\Local\Temp\64de30bfe3019e6bff78885e7c62f090N.exe
"C:\Users\Admin\AppData\Local\Temp\64de30bfe3019e6bff78885e7c62f090N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe
  C:\Windows\{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe
    C:\Windows\{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe
      C:\Windows\{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe
        
        C:\Windows\{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe
        
        C:\Windows\{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe
        
        C:\Windows\{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe
        
        C:\Windows\{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe
        
        C:\Windows\{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}.exe
        
        C:\Windows\{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EEB8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFEFA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F631D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{823C5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6BD2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6576E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{21C92~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6B99B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\64DE30~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EEB8F5F-8DD2-4230-9C95-C67EC626737A}.exe

Filesize
90KB

MD5
b117f6f92c3dc4f03bd410a5802c965d

SHA1
32ffb527f8ade000c5d7d6b7bb69e658a230000f

SHA256
b3201d418407195767106fddca23442325a98d9c4a5de4a6fc245cd42baf1bfc

SHA512
57030bd7b06eaf9c04798cdfda0f4a015a095851e14f40bb371b70c5dd351472d3e822f90aec6bc71d322c9b3fb3f8c195bcb210c2c294b0f2c13ff3f8f44052

Download Submit
C:\Windows\{21C9242F-33AB-48f7-910A-CE5B084D7012}.exe

Filesize
90KB

MD5
01b088a27337d4df8bac47569f573e83

SHA1
dfdad89c1458a2035a490a916107d5c96c8314bb

SHA256
a8d009338e97ba81a0aa13e571f577bda8aa5d3bb30986e7616482a2354e09fc

SHA512
12169dc27ae154d4c7d5b9dfaed8d6800dba3046bb3c9dc5d41d7988752c01ae56a54fab9e8dd035cf80172af9335c5c96b2b25c2c37177f437a9821dd8a6c74

Download Submit
C:\Windows\{6576EE83-6061-4d42-87D3-4684CDFD21E9}.exe

Filesize
90KB

MD5
3f7366652acbf188a00c9dbdbce42b5e

SHA1
11fec5d2a4a00abdbaa993c754d1b2369187198f

SHA256
8bd704ded2252f4a865b424406e4a9824b0064ead5a8d000b2f4d88673ac86f2

SHA512
e2217c233db9509cde6a813780082dcdf172ea4e059f28e64190ee54a629660582a261faf3ad6177211c64ba295c63e550855923749cf23d7c4ae8eb6f3fc4ef

Download Submit
C:\Windows\{6B99BC10-CA7C-482c-9711-8EBD660BC275}.exe

Filesize
90KB

MD5
673dcf6c58e96beda09e9885ccf9e304

SHA1
777b0e33ea88d48b0e4ded7dfe05f528636a090a

SHA256
9af2486b472f140f09f5223cb510e90d60c59bf0b391e291e475dd4f507b6e80

SHA512
350b2de686d052e07d082a594cd5cc48fc2e4cfd93ec163c697d2ba895d3fdc867a279b66f635ea01964c13a03627c43a334efe0f2c308dad3e391b0162282c0

Download Submit
C:\Windows\{823C5CC2-136D-4e07-AE0F-B2676863DCF1}.exe

Filesize
90KB

MD5
a2212431ef41d918a878c9158caf32ee

SHA1
aaa522871c0874eaf7bee452f8fadddd853001c9

SHA256
0045393f46f8f66379242a6d34d00c100bffb8744ab3c9bd937112f1c39c9e2f

SHA512
0ae1d3052a99b45fb1ba499cc0d01f515150aa192f9413cf4d8cce2c2f72bac1785128e7a40d6448c7fd48f3f02b12dffb3805282305185c477511726a6e3009

Download Submit
C:\Windows\{D729D69B-85DB-4abe-8D4D-B2EDB89C7FB3}.exe

Filesize
90KB

MD5
9567694277d574b25d96ec3c8ec3c8f3

SHA1
c2b2a82c1c24dd98dbf3e538d2b0543114751bcb

SHA256
409c3e336f7c2f9f8804586a60f8098f6932dc206039e93d4b68204b1ad91378

SHA512
57e4a1604beb61cb2123a9a95099616d5c2f3cfeca7c9cffdb27659cd3621df9d89dd019ae984dd1e1454f2936634e718641ae7ff77d78dfccbbb9de632a0ea7

Download Submit
C:\Windows\{DFEFA790-F4B2-4eb2-A4FF-D937250BF627}.exe

Filesize
90KB

MD5
4b3b510d681026ab38f1bf0417b61eba

SHA1
243cb4b0ac7b640d27c6a09cc9889b42bbb5daba

SHA256
1e2b4c6681267ff49f5fdc4ed75ea5e575be954afbce77f7299e7468ab4fa1d1

SHA512
e2d625b07740a4361609bbb6da77dbb5457b6102024d63774bc0e8b1571462f2f7f528bc1f6becba1c41ef62f005b1ba405997a7726fc4d63ffdec2cb684c43d

Download Submit
C:\Windows\{E6BD2F95-33B4-45b1-8442-D4A3A9B07F0A}.exe

Filesize
90KB

MD5
ae2c5baab3180d00e97b1f150a4e8a77

SHA1
b7820026a9dc354d6176e96ef3a7ba7550800e65

SHA256
cda1cd9356d8a7577ed954988cfa14c815fd511cd68e8c487b98ac50db5dfe53

SHA512
c17facfb91261f95b2c0bf93669467f138252f66e881c1c549baf358fc280cb45e34eacc6de15cf25d0485ffdaa747cf7c7b9f54dbeaaa20edd3604fbfd15cb3

Download Submit
C:\Windows\{F631D019-92C5-4d0e-A1FA-8CB87812FF79}.exe

Filesize
90KB

MD5
47c6cbed8756584e27eef26ecc6c2400

SHA1
b07f0814bc7fed8a45930ccd9ef0fdb3845e2fd2

SHA256
a63ab811b1bc0a46ae745857e336da2f913138eb76e93977699d8f641506ce4c

SHA512
af31c93955cab1f538f5a2bcd35b2ee6548b1ce26c4267ac269219362c1e1f56e572d2a047079ac9649bf73bf32e9294bcd20a98f476309b294736e468934050

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads