ac0226b77c3ae0bb3f73d6190f6ad80f7091334ac17825e51b8567ee038fd856

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 19:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48a910f152ae24e7d2cee33a538c0de0N.exe
Size

64KB
MD5

48a910f152ae24e7d2cee33a538c0de0
SHA1

fc008aff3cd72d21c7f7029e3ea9a0934c933e18
SHA256

ac0226b77c3ae0bb3f73d6190f6ad80f7091334ac17825e51b8567ee038fd856
SHA512

a67408109f3664cf4e78cc671a43674006849e84c20d8a5d9cc57790f5b6bae867c00a9ed304e93a8b4cae633ba97927b5499535ceecacda92835e5b7590db71
SSDEEP

192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwy2Y04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLron4/CFsrdF

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}\stubpath = "C:\\Windows\\{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe"	48a910f152ae24e7d2cee33a538c0de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C5D37B7-0687-425a-BF31-B0B640688DA9}	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C04B2BF-4386-4967-BCDF-92077FC8729E}	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C04B2BF-4386-4967-BCDF-92077FC8729E}\stubpath = "C:\\Windows\\{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe"	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30F010D0-03D9-43ae-98D7-FABAA53A22A8}	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}\stubpath = "C:\\Windows\\{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe"	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B94E0B-8BA0-4529-B805-6D1CE18910ED}	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B94E0B-8BA0-4529-B805-6D1CE18910ED}\stubpath = "C:\\Windows\\{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe"	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}\stubpath = "C:\\Windows\\{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}.exe"	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}\stubpath = "C:\\Windows\\{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe"	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}	48a910f152ae24e7d2cee33a538c0de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}\stubpath = "C:\\Windows\\{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe"	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30F010D0-03D9-43ae-98D7-FABAA53A22A8}\stubpath = "C:\\Windows\\{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe"	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C5D37B7-0687-425a-BF31-B0B640688DA9}\stubpath = "C:\\Windows\\{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe"	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe

Executes dropped EXE 9 IoCs

pid	Process
3080	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe
4300	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe
4600	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe
4288	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe
620	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe
1076	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe
3040	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe
224	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe
1432	{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe
File created	C:\Windows\{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe
File created	C:\Windows\{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe	48a910f152ae24e7d2cee33a538c0de0N.exe
File created	C:\Windows\{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe
File created	C:\Windows\{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe
File created	C:\Windows\{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe
File created	C:\Windows\{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe
File created	C:\Windows\{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}.exe	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe
File created	C:\Windows\{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48a910f152ae24e7d2cee33a538c0de0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4512	48a910f152ae24e7d2cee33a538c0de0N.exe
Token: SeIncBasePriorityPrivilege	3080	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe
Token: SeIncBasePriorityPrivilege	4300	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe
Token: SeIncBasePriorityPrivilege	4600	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe
Token: SeIncBasePriorityPrivilege	4288	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe
Token: SeIncBasePriorityPrivilege	620	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe
Token: SeIncBasePriorityPrivilege	1076	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe
Token: SeIncBasePriorityPrivilege	3040	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe
Token: SeIncBasePriorityPrivilege	224	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3080	4512	48a910f152ae24e7d2cee33a538c0de0N.exe	95
PID 4512 wrote to memory of 3080	4512	48a910f152ae24e7d2cee33a538c0de0N.exe	95
PID 4512 wrote to memory of 3080	4512	48a910f152ae24e7d2cee33a538c0de0N.exe	95
PID 4512 wrote to memory of 4972	4512	48a910f152ae24e7d2cee33a538c0de0N.exe	96
PID 4512 wrote to memory of 4972	4512	48a910f152ae24e7d2cee33a538c0de0N.exe	96
PID 4512 wrote to memory of 4972	4512	48a910f152ae24e7d2cee33a538c0de0N.exe	96
PID 3080 wrote to memory of 4300	3080	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe	97
PID 3080 wrote to memory of 4300	3080	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe	97
PID 3080 wrote to memory of 4300	3080	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe	97
PID 3080 wrote to memory of 2476	3080	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe	98
PID 3080 wrote to memory of 2476	3080	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe	98
PID 3080 wrote to memory of 2476	3080	{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe	98
PID 4300 wrote to memory of 4600	4300	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe	108
PID 4300 wrote to memory of 4600	4300	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe	108
PID 4300 wrote to memory of 4600	4300	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe	108
PID 4300 wrote to memory of 4512	4300	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe	109
PID 4300 wrote to memory of 4512	4300	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe	109
PID 4300 wrote to memory of 4512	4300	{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe	109
PID 4600 wrote to memory of 4288	4600	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe	110
PID 4600 wrote to memory of 4288	4600	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe	110
PID 4600 wrote to memory of 4288	4600	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe	110
PID 4600 wrote to memory of 4576	4600	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe	111
PID 4600 wrote to memory of 4576	4600	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe	111
PID 4600 wrote to memory of 4576	4600	{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe	111
PID 4288 wrote to memory of 620	4288	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe	112
PID 4288 wrote to memory of 620	4288	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe	112
PID 4288 wrote to memory of 620	4288	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe	112
PID 4288 wrote to memory of 396	4288	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe	113
PID 4288 wrote to memory of 396	4288	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe	113
PID 4288 wrote to memory of 396	4288	{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe	113
PID 620 wrote to memory of 1076	620	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe	115
PID 620 wrote to memory of 1076	620	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe	115
PID 620 wrote to memory of 1076	620	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe	115
PID 620 wrote to memory of 3824	620	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe	116
PID 620 wrote to memory of 3824	620	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe	116
PID 620 wrote to memory of 3824	620	{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe	116
PID 1076 wrote to memory of 3040	1076	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe	117
PID 1076 wrote to memory of 3040	1076	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe	117
PID 1076 wrote to memory of 3040	1076	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe	117
PID 1076 wrote to memory of 4704	1076	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe	118
PID 1076 wrote to memory of 4704	1076	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe	118
PID 1076 wrote to memory of 4704	1076	{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe	118
PID 3040 wrote to memory of 224	3040	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe	119
PID 3040 wrote to memory of 224	3040	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe	119
PID 3040 wrote to memory of 224	3040	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe	119
PID 3040 wrote to memory of 3592	3040	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe	120
PID 3040 wrote to memory of 3592	3040	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe	120
PID 3040 wrote to memory of 3592	3040	{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe	120
PID 224 wrote to memory of 1432	224	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe	121
PID 224 wrote to memory of 1432	224	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe	121
PID 224 wrote to memory of 1432	224	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe	121
PID 224 wrote to memory of 4252	224	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe	122
PID 224 wrote to memory of 4252	224	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe	122
PID 224 wrote to memory of 4252	224	{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe	122

C:\Users\Admin\AppData\Local\Temp\48a910f152ae24e7d2cee33a538c0de0N.exe
"C:\Users\Admin\AppData\Local\Temp\48a910f152ae24e7d2cee33a538c0de0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe
  C:\Windows\{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe
    C:\Windows\{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe
      C:\Windows\{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe
        
        C:\Windows\{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Windows\{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe
        
        C:\Windows\{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe
        
        C:\Windows\{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe
        
        C:\Windows\{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe
        
        C:\Windows\{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}.exe
        
        C:\Windows\{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C5D3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76B94~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F3E5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30F01~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C7CF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99E16~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5C04B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6596C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\48A910~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C5D37B7-0687-425a-BF31-B0B640688DA9}.exe

Filesize
64KB

MD5
d1acd0f8dbbac9795664a4c292bd7f6b

SHA1
592017051ef8ea394808a35b4c6a820233d16e32

SHA256
438807f0fd3db4ab8b4a38e92450c4a0291dc7737666427f092f66ebac09703b

SHA512
01ddf7501617116313baf3bbbc699795a486d8cd0dbabbe19d2cf4354b018e5ad895c1cb5e6336502cd6a2854736ba74445a5f2b0c647081d44a81b554e40e4f

Download Submit
C:\Windows\{30F010D0-03D9-43ae-98D7-FABAA53A22A8}.exe

Filesize
64KB

MD5
b2bd8e15a2b4b4083ad0db836cf1d32f

SHA1
067c7c0537feb5eb728b6df3b3b9e54162c09f42

SHA256
a030137550ed5b0cd2397a66d29a4d768da9169a62b63b04f7d6125d65fd5068

SHA512
2fbd3c83620603cfd0378e1ce9dbf790e12e83ebdce4c8da3f5dc75f639753dc802f455323bb8ae4610c7cf281830293f595c1b20d9374b9ea9fbadf5f9aa615

Download Submit
C:\Windows\{5C04B2BF-4386-4967-BCDF-92077FC8729E}.exe

Filesize
64KB

MD5
d7d72dbcad00b3446da9d46e421463b3

SHA1
f6a5457759c07f8b5bb095ad25088ab03f5b3316

SHA256
47c0f5020bce17791aa47e18efcad3e5d7ac3db46a9197b5923ae562bf84ead2

SHA512
e12b733aa92b1532ed57056a0c4932860773bfa547bbb369b6f227f9f0fdc6ea69c24ec1a4c9e18ad4772ba10c8370e9d069cc429dc71bd022b2efc35c80fb32

Download Submit
C:\Windows\{5C7CFB73-500D-4f8b-A808-4013E4AB44FA}.exe

Filesize
64KB

MD5
acc9870e503714a0a65c22d5e6c655d9

SHA1
a44c2c533fe9689459c6dc24ebb7bd3480b24148

SHA256
01f880bd6c51f817a9fae8d0afc116fa026c0b8bfbe476bc48c007b340514747

SHA512
7588584cf2366fafd723a19766518092276d3d9620f55345bbb2b5833484733dbb8b846bde9a5b59dfde20f726fc49ee4d49f9361b273779a734c9caf21e30da

Download Submit
C:\Windows\{6596C3AA-2D0E-4328-9129-C56D4DA8B1DD}.exe

Filesize
64KB

MD5
7e57f1d3fb179587d97275f18d2d8b78

SHA1
f17ffdde6ee1ce72072692d665eed28071cb649e

SHA256
8d6b1ecd218df75493b585af3c5685f85b0e67a5e69cd356f029cce37fb00bbf

SHA512
fac71c42b4e56303689feb416f0818af07724677e024e39061648609e66e309f81c1e1c69f34d56cd662da2c40346658c286faa23895146d21605c40a771b886

Download Submit
C:\Windows\{76B94E0B-8BA0-4529-B805-6D1CE18910ED}.exe

Filesize
64KB

MD5
cc2396371fc699ba71ec7f23e9dc4856

SHA1
aa7e4edad37515a4ed86ea736f3d9aeec3b222c1

SHA256
079007bd7c7260c30cd0aa85cc4b3c1ad107e6dd6301bec0bf88683116ee9344

SHA512
fca3356e492a24be43233e8f80078cc1f91e9129acba57ff93d104acf59c458374e6bdc304c2120d6fe8383b3bf9388f5766c77aba8ad31f7ed2d11637523b60

Download Submit
C:\Windows\{94AEF29E-6D7E-4ad1-9EE3-EF6FBF6C4E4B}.exe

Filesize
64KB

MD5
ccd7cc8d3fd0542b60c6cc2026231ed9

SHA1
26eabc63fab5795f9fde81495067b5a26ed14d16

SHA256
cceda0e43ffb274972f2ce80d4cb7ee674a829de94437e955034878392ee845e

SHA512
396cc2d342d233084d03dbafb5288a644b26ed0169f1a5ad96d00edbc2f71dc79af6811947b705960207d6bf33b605405a5e1e8fd19b189e4e5ddb5c75cfb86d

Download Submit
C:\Windows\{99E165B5-D316-42e6-A86F-3B1C7E90F6C9}.exe

Filesize
64KB

MD5
1ad9bc284663cb5fd710ad998aed0a00

SHA1
1e13ba5de19c79450a533010e1e4efbc68cff3fd

SHA256
5f5f8f59c2fdea1c9b060c9efde1b4d81d2c4086773f5880ef4fb6fff61766b7

SHA512
023ad927222f86c7c00074a1ff4c35e9f0522b0e8d493a86dd5f8af2aec3a56ae713025c78de2e5e3d30555fed932c14a5f6e5cf3d3c41055a2c078fc66bc682

Download Submit
C:\Windows\{9F3E5F9A-2192-4769-9E82-FE1F01E0D8A3}.exe

Filesize
64KB

MD5
0bf3a46f84545ee2a613d26186a8cd05

SHA1
a08c6de65abac1e5b4058ce3581de2661792ceeb

SHA256
0edb41ff34154002ab7fe5e7459bbe2bba048fc7c71736f4c8806864195d5d5b

SHA512
2d820e49a6b1920f3cc19bcc9270aaf059ab63417e098b2c295d426afa0dde6cf2462003ab4166b4e3de9559e790494dc181477fc4a4dea7a7e5847d6d5609be

Download Submit
memory/224-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/620-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1076-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1076-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1432-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3040-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3040-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3080-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3080-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4288-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4288-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4300-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4300-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4512-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4512-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4600-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4600-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads