e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204

Analysis

max time kernel
138s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Size

90KB
MD5

b818cbc08350fa84e9851d85c2ee88ae
SHA1

47ce228e0989c98425de8f1dfb774fdc6edd7e3e
SHA256

e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204
SHA512

af0c5c52bb4ba0340fb95c507321fd4279d64f5514a7401a33d3284159036400a7c7a9dda1a1f259217b679de5c8efe8bd17d8938784fb9111b5362d7f1d0814
SSDEEP

768:Qvw9816vhKQLroM4/wQRNrfrunMxVFA3b7glw:YEGh0oMl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5471426E-99AE-4234-AFF0-3B05D9ACF661}	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7465776D-89AE-4620-9DE4-9738CE5D30E4}\stubpath = "C:\\Windows\\{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe"	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}\stubpath = "C:\\Windows\\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe"	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA43E890-A880-4b70-970E-653B874380D5}\stubpath = "C:\\Windows\\{EA43E890-A880-4b70-970E-653B874380D5}.exe"	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}\stubpath = "C:\\Windows\\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe"	{EA43E890-A880-4b70-970E-653B874380D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9328F258-02A8-4753-A9CB-0545654ADF3D}	{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9328F258-02A8-4753-A9CB-0545654ADF3D}\stubpath = "C:\\Windows\\{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe"	{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{245C5DAE-2010-4e47-B778-45B23B1872E3}\stubpath = "C:\\Windows\\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe"	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}\stubpath = "C:\\Windows\\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe"	{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}	{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA43E890-A880-4b70-970E-653B874380D5}	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}	{EA43E890-A880-4b70-970E-653B874380D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3198862D-2807-487a-BB45-E8334FE1D2EC}\stubpath = "C:\\Windows\\{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe"	{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5471426E-99AE-4234-AFF0-3B05D9ACF661}\stubpath = "C:\\Windows\\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe"	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}\stubpath = "C:\\Windows\\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe"	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3198862D-2807-487a-BB45-E8334FE1D2EC}	{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{245C5DAE-2010-4e47-B778-45B23B1872E3}	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B80A74D8-7BEB-470b-9150-D61105C649B7}\stubpath = "C:\\Windows\\{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe"	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7465776D-89AE-4620-9DE4-9738CE5D30E4}	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B80A74D8-7BEB-470b-9150-D61105C649B7}	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe

Deletes itself 1 IoCs

pid	Process
2400	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe
2976	{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
568	{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
2552	{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
1044	{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe	{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
File created	C:\Windows\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe	{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
File created	C:\Windows\{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
File created	C:\Windows\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
File created	C:\Windows\{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
File created	C:\Windows\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
File created	C:\Windows\{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe	{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
File created	C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
File created	C:\Windows\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
File created	C:\Windows\{EA43E890-A880-4b70-970E-653B874380D5}.exe	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
File created	C:\Windows\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe	{EA43E890-A880-4b70-970E-653B874380D5}.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA43E890-A880-4b70-970E-653B874380D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Token: SeIncBasePriorityPrivilege	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
Token: SeIncBasePriorityPrivilege	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
Token: SeIncBasePriorityPrivilege	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
Token: SeIncBasePriorityPrivilege	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
Token: SeIncBasePriorityPrivilege	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
Token: SeIncBasePriorityPrivilege	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
Token: SeIncBasePriorityPrivilege	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe
Token: SeIncBasePriorityPrivilege	2976	{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
Token: SeIncBasePriorityPrivilege	568	{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
Token: SeIncBasePriorityPrivilege	2552	{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2804	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	29
PID 2508 wrote to memory of 2804	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	29
PID 2508 wrote to memory of 2804	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	29
PID 2508 wrote to memory of 2804	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	29
PID 2508 wrote to memory of 2400	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	30
PID 2508 wrote to memory of 2400	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	30
PID 2508 wrote to memory of 2400	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	30
PID 2508 wrote to memory of 2400	2508	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	30
PID 2804 wrote to memory of 2872	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	31
PID 2804 wrote to memory of 2872	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	31
PID 2804 wrote to memory of 2872	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	31
PID 2804 wrote to memory of 2872	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	31
PID 2804 wrote to memory of 2756	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	32
PID 2804 wrote to memory of 2756	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	32
PID 2804 wrote to memory of 2756	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	32
PID 2804 wrote to memory of 2756	2804	{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe	32
PID 2872 wrote to memory of 3004	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	33
PID 2872 wrote to memory of 3004	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	33
PID 2872 wrote to memory of 3004	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	33
PID 2872 wrote to memory of 3004	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	33
PID 2872 wrote to memory of 2796	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	34
PID 2872 wrote to memory of 2796	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	34
PID 2872 wrote to memory of 2796	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	34
PID 2872 wrote to memory of 2796	2872	{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe	34
PID 3004 wrote to memory of 2640	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	35
PID 3004 wrote to memory of 2640	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	35
PID 3004 wrote to memory of 2640	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	35
PID 3004 wrote to memory of 2640	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	35
PID 3004 wrote to memory of 2692	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	36
PID 3004 wrote to memory of 2692	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	36
PID 3004 wrote to memory of 2692	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	36
PID 3004 wrote to memory of 2692	3004	{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe	36
PID 2640 wrote to memory of 996	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	37
PID 2640 wrote to memory of 996	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	37
PID 2640 wrote to memory of 996	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	37
PID 2640 wrote to memory of 996	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	37
PID 2640 wrote to memory of 2864	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	38
PID 2640 wrote to memory of 2864	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	38
PID 2640 wrote to memory of 2864	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	38
PID 2640 wrote to memory of 2864	2640	{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe	38
PID 996 wrote to memory of 1616	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	39
PID 996 wrote to memory of 1616	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	39
PID 996 wrote to memory of 1616	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	39
PID 996 wrote to memory of 1616	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	39
PID 996 wrote to memory of 2348	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	40
PID 996 wrote to memory of 2348	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	40
PID 996 wrote to memory of 2348	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	40
PID 996 wrote to memory of 2348	996	{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe	40
PID 1616 wrote to memory of 2808	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	41
PID 1616 wrote to memory of 2808	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	41
PID 1616 wrote to memory of 2808	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	41
PID 1616 wrote to memory of 2808	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	41
PID 1616 wrote to memory of 2856	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	42
PID 1616 wrote to memory of 2856	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	42
PID 1616 wrote to memory of 2856	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	42
PID 1616 wrote to memory of 2856	1616	{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe	42
PID 2808 wrote to memory of 2976	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe	43
PID 2808 wrote to memory of 2976	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe	43
PID 2808 wrote to memory of 2976	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe	43
PID 2808 wrote to memory of 2976	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe	43
PID 2808 wrote to memory of 3036	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe	44
PID 2808 wrote to memory of 3036	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe	44
PID 2808 wrote to memory of 3036	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe	44
PID 2808 wrote to memory of 3036	2808	{EA43E890-A880-4b70-970E-653B874380D5}.exe	44

C:\Users\Admin\AppData\Local\Temp\e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
"C:\Users\Admin\AppData\Local\Temp\e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
  C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
    C:\Windows\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
      C:\Windows\{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
        
        C:\Windows\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
        
        C:\Windows\{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
        
        C:\Windows\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{EA43E890-A880-4b70-970E-653B874380D5}.exe
        
        C:\Windows\{EA43E890-A880-4b70-970E-653B874380D5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
        
        C:\Windows\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
        
        C:\Windows\{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
        
        C:\Windows\{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe
        
        C:\Windows\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe
        12⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31988~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9328F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E98F0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA43E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{947BE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74657~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32BEE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B80A7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{54714~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{245C5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E79EED~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{245C5DAE-2010-4e47-B778-45B23B1872E3}.exe

Filesize
90KB

MD5
281c7067732bc9d3adb6723fdf03a307

SHA1
70ac9d8e46a439796a7e3403471efff7ff3d0666

SHA256
b13cfc596e31a02d8274fb3cd253608994d5fb50e56c5a46d351e67180fb10ae

SHA512
eac32a6f58143d084adc5ff9b8fba4e11760ac4defeade0d5c4566c3f032fb3b1e71c7cf08178dec95cb798e44d3184115fe1aa04cdb52c0742dac751bb36469

Download Submit
C:\Windows\{3198862D-2807-487a-BB45-E8334FE1D2EC}.exe

Filesize
90KB

MD5
7fa9097ee4a808dd220e31588a3017ce

SHA1
885eca1c90b1e1c40344fe93c8c0b28f3460ade0

SHA256
d8a09f5d7315760fdaf602c46a08d22418e649c67a2af99960f01efc05a10f66

SHA512
bf8eadacd0dea56d9c81e6bfa83a375106bd6b23cbe710aa50f8bd4d8f0deb82d690bea06232539d850fa99f9925e6722a06ba572ff450f54fd9842dc2089536

Download Submit
C:\Windows\{32BEEA6F-F63B-4640-83B2-8F359AA3D030}.exe

Filesize
90KB

MD5
244482c0118c7f5eb82779a67c9e0774

SHA1
132dbe0af36ff7e488c31c57979f0f76d8ee98b7

SHA256
cb74ce2d358bf8fa89e95e354019aa69632cd8631344939525b9549297403503

SHA512
7d44b604ade365a28f60709b2610afc5a30fd2bf95a68ec0043db05fac62d7cf2dddf223424ff84b20215256e36b58704ba5c61120da1382793bfb5eec5674d9

Download Submit
C:\Windows\{5471426E-99AE-4234-AFF0-3B05D9ACF661}.exe

Filesize
90KB

MD5
3d895c63fae7f94dbad33804a9ff1e99

SHA1
0b1ee733bcefd1f5e23c1c4d2cea80f7b6f328a0

SHA256
b5719074d82305b68a7487a005915f7a03b2e3b2e003023012ba8e89ce3bb547

SHA512
373c440e9d9d77144c7fd5bbf5fa294f8cafefdc3d38b6cbb3c837ca3b3a017390f9b795a20a9dde7be073ce56b04936688a4430c0e41b37c8ae94b56a9c1f55

Download Submit
C:\Windows\{7465776D-89AE-4620-9DE4-9738CE5D30E4}.exe

Filesize
90KB

MD5
20d8ce97e1d9c1482da6ce61182aa0cf

SHA1
8cf3323fc62f836bbe53b674faa52d23fce1ae39

SHA256
0d245df2cc88590d0b148f4e9f44d75e30df54bdd4f46c672f84f439cb1ccd33

SHA512
d512d0eec4d29158b3eaf8300af27cc1d0ecf54f586fa397b058e2b164f17a45e630b4b3388073ee3bff0f08630ffe01e840c4e135d03bac80a5a08598d7159b

Download Submit
C:\Windows\{9328F258-02A8-4753-A9CB-0545654ADF3D}.exe

Filesize
90KB

MD5
ebbb318b0345033b1a3873dc56a29323

SHA1
e950f12f2be8fb4114f9824899e160ef5049520f

SHA256
471f2587d52a2600538455f8768f5f4592cd7ef4845b4017d7ef92c081e8400a

SHA512
f6e1cd762994c2a09b3114da521802c5b3750927fd6bd4cb80a7a38a588254cf14a55aabff02ea6e30b831bc96f5ac6964a76f8703bc4d693abfe596b26281cc

Download Submit
C:\Windows\{947BEBCE-2D74-4baf-A7D3-53536E331B2F}.exe

Filesize
90KB

MD5
3bdfdbb67833f1d0cc0b3ee5dd72dd27

SHA1
33c1cf0d4c041a070464cb3160a8c0d4b70bc4ca

SHA256
1f99c4f313e50a1eaf441ce7a1b67220c4ca91bec3634348e51ae54ec58fb54e

SHA512
ba10722128f60b99e9788178b497de9863924c3a4eb30e66dad5fd2b4a3646e44f6145eb30d35c34d42a2d6bba2233e40f8318661cbf8b020086ee10f057cfaf

Download Submit
C:\Windows\{B80A74D8-7BEB-470b-9150-D61105C649B7}.exe

Filesize
90KB

MD5
e87e7a61031a6a02e67f3db0fa43c2f3

SHA1
80d87b653dd73fc46f01e2828702d006d79342ff

SHA256
6afb5ff19095d0b01197746f24ad2b8076ba37b687932a981535fc06169d6bcf

SHA512
bcea3b4c400a42dd19baa9c5d615df84a8f0fbf1b5e9a121871a11cfc603d4bcf5202eebe327df944722dde08ea50fd479d257ab25c4453957f4ee8aae5d31dd

Download Submit
C:\Windows\{E98F00B1-16F8-4c9d-B25E-25038A4BBC8E}.exe

Filesize
90KB

MD5
97d7fbe946b328673fddd689e09e6798

SHA1
c8058deda47f6a8ff132039eb314914d8cd0f4d8

SHA256
88f71e0fd5ff4704717f7500610e9298bf072594858fd97ba2df995791c5bbec

SHA512
331188683448e6b65c629a3590c34ea6a58c7f9b2777302cd52dde2c8d70fc7b2642b8ead096b16ecd5dd621e76d9da8cf949966c6da8a3d00fd93a2ec2fd5db

Download Submit
C:\Windows\{EA43E890-A880-4b70-970E-653B874380D5}.exe

Filesize
90KB

MD5
2a5935d2558a705ee09ecc23b543fdee

SHA1
1b1d1232fa1175427191d6e657d09b4049059d67

SHA256
a91b28503e78b8088728ae918b8c57facf5b8181df4224f3f6444d258548a3f0

SHA512
6f7603b8b15d89dff416973d5742bc06e5023c24ca30d61c3b14690fb544a2498143906c88bcbd5a2e00e4c71ef973deb55ff2c6632706eb190ba2778d113439

Download Submit
C:\Windows\{F9EE1185-19E6-48e6-92BE-82A33A6D4937}.exe

Filesize
90KB

MD5
923135c8414a4e893b0b67ff291aa5c8

SHA1
64057712eeea39de4123b41f8d416e4707fa67f9

SHA256
995cf95dc9599c8efcf28ec8746be639bbd158c230cecf8a113fe8a75c206165

SHA512
8863be0e5856e890936415f2a661f010d18a7aef7cbd03cb0d24b8efcbdc97beb91a60e772284befb3e5adcea5d931ccdab4c1f4b7986b877ab3f1a9101ab22b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads