e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Size

90KB
MD5

b818cbc08350fa84e9851d85c2ee88ae
SHA1

47ce228e0989c98425de8f1dfb774fdc6edd7e3e
SHA256

e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204
SHA512

af0c5c52bb4ba0340fb95c507321fd4279d64f5514a7401a33d3284159036400a7c7a9dda1a1f259217b679de5c8efe8bd17d8938784fb9111b5362d7f1d0814
SSDEEP

768:Qvw9816vhKQLroM4/wQRNrfrunMxVFA3b7glw:YEGh0oMl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}\stubpath = "C:\\Windows\\{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe"	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}\stubpath = "C:\\Windows\\{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe"	{97E4904B-9906-4edf-9296-56438F8567B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90428965-2BD0-40ae-B05D-B622152168C9}	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}	{90428965-2BD0-40ae-B05D-B622152168C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E62904B1-458C-46f6-B8ED-874823CFD82A}	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}\stubpath = "C:\\Windows\\{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe"	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17512F24-9535-443f-9004-FF9E9687FE8B}	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17512F24-9535-443f-9004-FF9E9687FE8B}\stubpath = "C:\\Windows\\{17512F24-9535-443f-9004-FF9E9687FE8B}.exe"	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF0060E-76D0-4271-A52D-8AC5E2712284}	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E4904B-9906-4edf-9296-56438F8567B7}	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97E4904B-9906-4edf-9296-56438F8567B7}\stubpath = "C:\\Windows\\{97E4904B-9906-4edf-9296-56438F8567B7}.exe"	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}	{97E4904B-9906-4edf-9296-56438F8567B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E62904B1-458C-46f6-B8ED-874823CFD82A}\stubpath = "C:\\Windows\\{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe"	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}\stubpath = "C:\\Windows\\{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe"	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF0060E-76D0-4271-A52D-8AC5E2712284}\stubpath = "C:\\Windows\\{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe"	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}\stubpath = "C:\\Windows\\{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe"	{90428965-2BD0-40ae-B05D-B622152168C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}	{17512F24-9535-443f-9004-FF9E9687FE8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}\stubpath = "C:\\Windows\\{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}.exe"	{17512F24-9535-443f-9004-FF9E9687FE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DED24144-D440-4ed6-A152-28E0019FA55D}	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DED24144-D440-4ed6-A152-28E0019FA55D}\stubpath = "C:\\Windows\\{DED24144-D440-4ed6-A152-28E0019FA55D}.exe"	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90428965-2BD0-40ae-B05D-B622152168C9}\stubpath = "C:\\Windows\\{90428965-2BD0-40ae-B05D-B622152168C9}.exe"	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe

Executes dropped EXE 12 IoCs

pid	Process
3172	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe
4068	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe
3244	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe
760	{97E4904B-9906-4edf-9296-56438F8567B7}.exe
3940	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe
4880	{90428965-2BD0-40ae-B05D-B622152168C9}.exe
3700	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe
4860	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe
3312	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe
1864	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe
1492	{17512F24-9535-443f-9004-FF9E9687FE8B}.exe
224	{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
File created	C:\Windows\{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe	{90428965-2BD0-40ae-B05D-B622152168C9}.exe
File created	C:\Windows\{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe	{97E4904B-9906-4edf-9296-56438F8567B7}.exe
File created	C:\Windows\{90428965-2BD0-40ae-B05D-B622152168C9}.exe	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe
File created	C:\Windows\{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe
File created	C:\Windows\{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe
File created	C:\Windows\{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe
File created	C:\Windows\{DED24144-D440-4ed6-A152-28E0019FA55D}.exe	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe
File created	C:\Windows\{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe
File created	C:\Windows\{97E4904B-9906-4edf-9296-56438F8567B7}.exe	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe
File created	C:\Windows\{17512F24-9535-443f-9004-FF9E9687FE8B}.exe	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe
File created	C:\Windows\{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}.exe	{17512F24-9535-443f-9004-FF9E9687FE8B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90428965-2BD0-40ae-B05D-B622152168C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17512F24-9535-443f-9004-FF9E9687FE8B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97E4904B-9906-4edf-9296-56438F8567B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1728	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
Token: SeIncBasePriorityPrivilege	3172	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe
Token: SeIncBasePriorityPrivilege	4068	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe
Token: SeIncBasePriorityPrivilege	3244	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe
Token: SeIncBasePriorityPrivilege	760	{97E4904B-9906-4edf-9296-56438F8567B7}.exe
Token: SeIncBasePriorityPrivilege	3940	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe
Token: SeIncBasePriorityPrivilege	4880	{90428965-2BD0-40ae-B05D-B622152168C9}.exe
Token: SeIncBasePriorityPrivilege	3700	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe
Token: SeIncBasePriorityPrivilege	4860	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe
Token: SeIncBasePriorityPrivilege	3312	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe
Token: SeIncBasePriorityPrivilege	1864	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe
Token: SeIncBasePriorityPrivilege	1492	{17512F24-9535-443f-9004-FF9E9687FE8B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3172	1728	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	93
PID 1728 wrote to memory of 3172	1728	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	93
PID 1728 wrote to memory of 3172	1728	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	93
PID 1728 wrote to memory of 2696	1728	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	94
PID 1728 wrote to memory of 2696	1728	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	94
PID 1728 wrote to memory of 2696	1728	e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe	94
PID 3172 wrote to memory of 4068	3172	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe	95
PID 3172 wrote to memory of 4068	3172	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe	95
PID 3172 wrote to memory of 4068	3172	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe	95
PID 3172 wrote to memory of 2004	3172	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe	96
PID 3172 wrote to memory of 2004	3172	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe	96
PID 3172 wrote to memory of 2004	3172	{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe	96
PID 4068 wrote to memory of 3244	4068	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe	100
PID 4068 wrote to memory of 3244	4068	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe	100
PID 4068 wrote to memory of 3244	4068	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe	100
PID 4068 wrote to memory of 1412	4068	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe	101
PID 4068 wrote to memory of 1412	4068	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe	101
PID 4068 wrote to memory of 1412	4068	{DED24144-D440-4ed6-A152-28E0019FA55D}.exe	101
PID 3244 wrote to memory of 760	3244	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe	102
PID 3244 wrote to memory of 760	3244	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe	102
PID 3244 wrote to memory of 760	3244	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe	102
PID 3244 wrote to memory of 4872	3244	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe	103
PID 3244 wrote to memory of 4872	3244	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe	103
PID 3244 wrote to memory of 4872	3244	{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe	103
PID 760 wrote to memory of 3940	760	{97E4904B-9906-4edf-9296-56438F8567B7}.exe	104
PID 760 wrote to memory of 3940	760	{97E4904B-9906-4edf-9296-56438F8567B7}.exe	104
PID 760 wrote to memory of 3940	760	{97E4904B-9906-4edf-9296-56438F8567B7}.exe	104
PID 760 wrote to memory of 4380	760	{97E4904B-9906-4edf-9296-56438F8567B7}.exe	105
PID 760 wrote to memory of 4380	760	{97E4904B-9906-4edf-9296-56438F8567B7}.exe	105
PID 760 wrote to memory of 4380	760	{97E4904B-9906-4edf-9296-56438F8567B7}.exe	105
PID 3940 wrote to memory of 4880	3940	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe	107
PID 3940 wrote to memory of 4880	3940	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe	107
PID 3940 wrote to memory of 4880	3940	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe	107
PID 3940 wrote to memory of 696	3940	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe	108
PID 3940 wrote to memory of 696	3940	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe	108
PID 3940 wrote to memory of 696	3940	{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe	108
PID 4880 wrote to memory of 3700	4880	{90428965-2BD0-40ae-B05D-B622152168C9}.exe	109
PID 4880 wrote to memory of 3700	4880	{90428965-2BD0-40ae-B05D-B622152168C9}.exe	109
PID 4880 wrote to memory of 3700	4880	{90428965-2BD0-40ae-B05D-B622152168C9}.exe	109
PID 4880 wrote to memory of 3240	4880	{90428965-2BD0-40ae-B05D-B622152168C9}.exe	110
PID 4880 wrote to memory of 3240	4880	{90428965-2BD0-40ae-B05D-B622152168C9}.exe	110
PID 4880 wrote to memory of 3240	4880	{90428965-2BD0-40ae-B05D-B622152168C9}.exe	110
PID 3700 wrote to memory of 4860	3700	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe	114
PID 3700 wrote to memory of 4860	3700	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe	114
PID 3700 wrote to memory of 4860	3700	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe	114
PID 3700 wrote to memory of 2004	3700	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe	115
PID 3700 wrote to memory of 2004	3700	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe	115
PID 3700 wrote to memory of 2004	3700	{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe	115
PID 4860 wrote to memory of 3312	4860	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe	121
PID 4860 wrote to memory of 3312	4860	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe	121
PID 4860 wrote to memory of 3312	4860	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe	121
PID 4860 wrote to memory of 1524	4860	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe	122
PID 4860 wrote to memory of 1524	4860	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe	122
PID 4860 wrote to memory of 1524	4860	{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe	122
PID 3312 wrote to memory of 1864	3312	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe	123
PID 3312 wrote to memory of 1864	3312	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe	123
PID 3312 wrote to memory of 1864	3312	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe	123
PID 3312 wrote to memory of 3308	3312	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe	124
PID 3312 wrote to memory of 3308	3312	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe	124
PID 3312 wrote to memory of 3308	3312	{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe	124
PID 1864 wrote to memory of 1492	1864	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe	128
PID 1864 wrote to memory of 1492	1864	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe	128
PID 1864 wrote to memory of 1492	1864	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe	128
PID 1864 wrote to memory of 3448	1864	{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe	129

C:\Users\Admin\AppData\Local\Temp\e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe
"C:\Users\Admin\AppData\Local\Temp\e79eeddea328c8c1d09a65680408d3d71c6c966423ef6c55c5fcb9e0d06fd204.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe
  C:\Windows\{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\{DED24144-D440-4ed6-A152-28E0019FA55D}.exe
    C:\Windows\{DED24144-D440-4ed6-A152-28E0019FA55D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe
      C:\Windows\{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\{97E4904B-9906-4edf-9296-56438F8567B7}.exe
        
        C:\Windows\{97E4904B-9906-4edf-9296-56438F8567B7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe
        
        C:\Windows\{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{90428965-2BD0-40ae-B05D-B622152168C9}.exe
        
        C:\Windows\{90428965-2BD0-40ae-B05D-B622152168C9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe
        
        C:\Windows\{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe
        
        C:\Windows\{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe
        
        C:\Windows\{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe
        
        C:\Windows\{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{17512F24-9535-443f-9004-FF9E9687FE8B}.exe
        
        C:\Windows\{17512F24-9535-443f-9004-FF9E9687FE8B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}.exe
        
        C:\Windows\{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17512~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95C9F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC2DE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6290~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F05B5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90428~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE7E4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97E49~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EFF0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DED24~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EAF00~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E79EED~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17512F24-9535-443f-9004-FF9E9687FE8B}.exe

Filesize
90KB

MD5
6871bf2b0fb88fdad7bfdd274d648207

SHA1
d2ac808dcfdd90ca10b5037e5fcebc9510f73b81

SHA256
c87ad3bbd3c527c1189d669f991b20630276c0ec9cebe067d964fee197d4be4d

SHA512
88097d2aa9c28ed6fe409ebc77fa2aaaf194c3a95f145588e8dd0a10e89adbe89b26cb9163edee5c0765a8a7a68c16f6e307694f6b324c5a4388f836ce423fba

Download Submit
C:\Windows\{6EFF0A39-BC9A-4340-8A6E-42FA0B647694}.exe

Filesize
90KB

MD5
3f97fca159ebf3f65de2c7ca17e383c2

SHA1
cc24a261e34c6a5a17818512f3ecfcf1e637892f

SHA256
100487bc5ab6d80d3053494641a2f20ee5af21a64edd4c55b463777caad5b7be

SHA512
ae5cdd95e908347ffade2121da150c3fc436ca8a5ddb45d8a0a3c3679f6e3401d66a6ca9b44f50eead556d4035dccd48557e3059e83e7072fec60ca22722a074

Download Submit
C:\Windows\{90428965-2BD0-40ae-B05D-B622152168C9}.exe

Filesize
90KB

MD5
71fdc6dc4c0d7b3c52400c000e868d2f

SHA1
b59c0d30d8ad688c8fb531cc344e5234f96a8d9e

SHA256
de84d5b6546dea9f6541da244896bc7bd117dfcd11e4a6e00eb580b430991ba0

SHA512
01626531a693524e31f093e26b16a7a353ec5c81e812eca9e30a6d932920ca036d89670aa2cab8fa2fcefe4db75d4cb678d4e75ae27598dd4b5400606aae4d1f

Download Submit
C:\Windows\{95C9F9C0-B900-48b0-95F7-8B87AEBE916F}.exe

Filesize
90KB

MD5
8a55e39fa671e101ca5c23c2a03a0ee7

SHA1
8fbb984f4130a3bc8b14a7726a48cffa2272c461

SHA256
67f55a4a908d6a8b09b06b6d79dbf46b98e6a4dff011e0be64251939f980c89d

SHA512
2f19b3d89388dc43266b84a0c77870009e854f5c67309ab848bc8c3d7ba01c0444b21a3d86d2d2789d818387c96453ee0d5d2276e22dcadd4cefe0c829b5b580

Download Submit
C:\Windows\{97E4904B-9906-4edf-9296-56438F8567B7}.exe

Filesize
90KB

MD5
2f123aa9d76a1054bd645dfda37b91bd

SHA1
e1ddc240391196828255f73c628714e7d2d66f77

SHA256
23a8ea4a62245eb733f13adc7a2ffe0a9e492c9ae838b9d6492203f37c76d416

SHA512
017dff814b5eb567292e12949d772b28e95ecdcc182aae990058fc0e3e3272a981cf98b3ab7565f0817755def4b69f5ac80c5828a90ff00f792733f0f2281b83

Download Submit
C:\Windows\{AEBF9B3B-735B-4ea9-8FC2-4E316EF85715}.exe

Filesize
90KB

MD5
b1e60e25822dc7812beac44efc3e3ef4

SHA1
2f1c40cc4ee9b36a22a7d98b33d519f3ecf814a3

SHA256
e49e691a611a83e878438f0786c661cb5d13566c8e8cbd45dc3d8331490468fe

SHA512
87b4b70bc4a5c89c577a3cabb87c40bda2e533a6496a0d8683dc664452dad693400b859f9a28569ad59a93089d264fcb362de115f252349667461c89528848d7

Download Submit
C:\Windows\{BC2DE4DE-E7B3-4329-B38C-8D171D8A780D}.exe

Filesize
90KB

MD5
a2d06f95bd08bca94e75073197d90e7c

SHA1
f5a5dce96c7ca6411dd88ded9d0d02ea8e7bc7de

SHA256
d28729459133359bec22031d9b5f2ade7cabe5b893205e9c09c55caa947b41a2

SHA512
d30400ed56591c9f17ffca4fda8913d49e83f07348595e7c4f1d2d049a43ef7d060d06743c22ffc70cd2dc4ccd3f3e62bf2382d275679fb1dd4e87e8b1ecaf4c

Download Submit
C:\Windows\{DED24144-D440-4ed6-A152-28E0019FA55D}.exe

Filesize
90KB

MD5
a26fa90a1cdce0d8e065a2983b8bad34

SHA1
1b2210408025b360818dfaef650409971c15378c

SHA256
f5ba3eff604778486fcfb4d16a5e9bd36563d28f913ceab25ef2b690466fbd9f

SHA512
2eed318115bacde7fec66b4d31f605e756d9693cd473c3fd87651dcbf0d4de7d0dc358da27c8c29b6fd44666902802e8911b8a46d90373fb4808c3a5a5613c3b

Download Submit
C:\Windows\{E62904B1-458C-46f6-B8ED-874823CFD82A}.exe

Filesize
90KB

MD5
f3271081b5c9656fa9a3d1030cf3c2ce

SHA1
c0e429209982fdaaeba3d5d194bdd3ac89a7279b

SHA256
615bbe77697da99353ced755f2d85f3caa209e915397b430a3bd867201df9a4c

SHA512
9cef616ed5f6898709ae1d762e4a4283865bc5f6b313a7e70ddfabd9cfd9fbe445df43a16eb2d48de1cb8410d274205ee8c9d770fa9b6241b97c8b0c2bf0979b

Download Submit
C:\Windows\{EAF0060E-76D0-4271-A52D-8AC5E2712284}.exe

Filesize
90KB

MD5
b742a1cdc60f7a60dac7142abacfa06d

SHA1
12bf9582dd8da24d1d26360449c37ebed98b18e8

SHA256
1dfde05c704acb3fd21ac8d19f8b5b4005d87c7ab0fa9dfff4aa6795a71c6167

SHA512
f7d95450f3f6605c314d62b154627a19aaa3db4026c07ce89473215f24a05ea39b0fac2e875c3404968aeb7cfd921d7761e09b750631a314b00d957f13a8381b

Download Submit
C:\Windows\{F05B5FF9-1F6E-4907-B227-51F46D93AC4C}.exe

Filesize
90KB

MD5
e8046ef8512cda55769f4f83db587777

SHA1
4cbbf013c6662085bae145876bb686c4cae3af2f

SHA256
d88d2897195d423d3925c9a2559f5cc921ee40f5a0148711ca15820e212d147d

SHA512
8aad4ae856f73998e4773b9938c31ce1f59b88ac6cdbb2a9104bf35947a2f2e1b2bed21aec0bbf747cf6531d25c11994db5148182cd0cd05539e8d424a9e8c69

Download Submit
C:\Windows\{FE7E4D48-E7F8-4945-9EEF-1983417E5ED4}.exe

Filesize
90KB

MD5
b18d2f9c8b2efbe8d055408689333468

SHA1
7a1e55429941864d9ed629284b34759ec2d9e8d8

SHA256
1dc87d59f22dddb0e99de904d08ee3de320bd07a7dada3958b75c9449dce35cd

SHA512
70e7313883989862599dfcc98382e3f52214f5bbd751f4227f3ce5a98393a1c3440ddaabaa53765f23fa8547f7e178c7f9d1af0f8bdf10a1e1a2ab9ec4e573fe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads