2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 19:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Size

90KB
MD5

0a28f476335d4936951694495f12e0e9
SHA1

63da632a0cc81e3e9213a32a1d1f5f70a92fcdd9
SHA256

2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd
SHA512

38d848dd3fddbd63c865bf8353492f234526b216335c07495037341ee354442780517273a8856185435b75497e08b32a4023dfe48df007a3c387a91a921fb0a9
SSDEEP

768:Qvw9816vhKQLrom4/wQRNrfrunMxVFA3b7glws:YEGh0oml2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}\stubpath = "C:\\Windows\\{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe"	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27E25C9C-935C-4d47-8CC7-18E737A17783}\stubpath = "C:\\Windows\\{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe"	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}	{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93644F1F-09DC-4e74-8115-4A4D41E534BE}	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A26D830-BBE5-43db-817A-453A1A57D197}\stubpath = "C:\\Windows\\{3A26D830-BBE5-43db-817A-453A1A57D197}.exe"	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71520720-0923-4fb5-B869-1C7167FCF7C2}	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}\stubpath = "C:\\Windows\\{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe"	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27E25C9C-935C-4d47-8CC7-18E737A17783}	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}	{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}\stubpath = "C:\\Windows\\{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe"	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93644F1F-09DC-4e74-8115-4A4D41E534BE}\stubpath = "C:\\Windows\\{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe"	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F08AA4-83FC-41be-B306-70DE042F54E4}	{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}\stubpath = "C:\\Windows\\{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}.exe"	{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}\stubpath = "C:\\Windows\\{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe"	{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A26D830-BBE5-43db-817A-453A1A57D197}	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71520720-0923-4fb5-B869-1C7167FCF7C2}\stubpath = "C:\\Windows\\{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe"	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}\stubpath = "C:\\Windows\\{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe"	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F08AA4-83FC-41be-B306-70DE042F54E4}\stubpath = "C:\\Windows\\{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe"	{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe
2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe
700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe
1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe
2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe
2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe
2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe
1596	{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe
2256	{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe
2412	{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe
884	{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe
File created	C:\Windows\{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe
File created	C:\Windows\{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe	{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe
File created	C:\Windows\{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe
File created	C:\Windows\{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe
File created	C:\Windows\{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe
File created	C:\Windows\{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe
File created	C:\Windows\{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe	{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe
File created	C:\Windows\{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}.exe	{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe
File created	C:\Windows\{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
File created	C:\Windows\{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Token: SeIncBasePriorityPrivilege	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe
Token: SeIncBasePriorityPrivilege	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe
Token: SeIncBasePriorityPrivilege	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe
Token: SeIncBasePriorityPrivilege	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe
Token: SeIncBasePriorityPrivilege	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe
Token: SeIncBasePriorityPrivilege	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe
Token: SeIncBasePriorityPrivilege	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe
Token: SeIncBasePriorityPrivilege	1596	{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe
Token: SeIncBasePriorityPrivilege	2256	{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe
Token: SeIncBasePriorityPrivilege	2412	{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2784	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	30
PID 2732 wrote to memory of 2784	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	30
PID 2732 wrote to memory of 2784	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	30
PID 2732 wrote to memory of 2784	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	30
PID 2732 wrote to memory of 2708	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	31
PID 2732 wrote to memory of 2708	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	31
PID 2732 wrote to memory of 2708	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	31
PID 2732 wrote to memory of 2708	2732	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	31
PID 2784 wrote to memory of 2608	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	33
PID 2784 wrote to memory of 2608	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	33
PID 2784 wrote to memory of 2608	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	33
PID 2784 wrote to memory of 2608	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	33
PID 2784 wrote to memory of 2660	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	34
PID 2784 wrote to memory of 2660	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	34
PID 2784 wrote to memory of 2660	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	34
PID 2784 wrote to memory of 2660	2784	{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe	34
PID 2608 wrote to memory of 700	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	35
PID 2608 wrote to memory of 700	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	35
PID 2608 wrote to memory of 700	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	35
PID 2608 wrote to memory of 700	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	35
PID 2608 wrote to memory of 544	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	36
PID 2608 wrote to memory of 544	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	36
PID 2608 wrote to memory of 544	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	36
PID 2608 wrote to memory of 544	2608	{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe	36
PID 700 wrote to memory of 1808	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	37
PID 700 wrote to memory of 1808	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	37
PID 700 wrote to memory of 1808	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	37
PID 700 wrote to memory of 1808	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	37
PID 700 wrote to memory of 2188	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	38
PID 700 wrote to memory of 2188	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	38
PID 700 wrote to memory of 2188	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	38
PID 700 wrote to memory of 2188	700	{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe	38
PID 1808 wrote to memory of 2028	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	39
PID 1808 wrote to memory of 2028	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	39
PID 1808 wrote to memory of 2028	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	39
PID 1808 wrote to memory of 2028	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	39
PID 1808 wrote to memory of 2072	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	40
PID 1808 wrote to memory of 2072	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	40
PID 1808 wrote to memory of 2072	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	40
PID 1808 wrote to memory of 2072	1808	{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe	40
PID 2028 wrote to memory of 2952	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	41
PID 2028 wrote to memory of 2952	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	41
PID 2028 wrote to memory of 2952	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	41
PID 2028 wrote to memory of 2952	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	41
PID 2028 wrote to memory of 2988	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	42
PID 2028 wrote to memory of 2988	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	42
PID 2028 wrote to memory of 2988	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	42
PID 2028 wrote to memory of 2988	2028	{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe	42
PID 2952 wrote to memory of 2816	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	43
PID 2952 wrote to memory of 2816	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	43
PID 2952 wrote to memory of 2816	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	43
PID 2952 wrote to memory of 2816	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	43
PID 2952 wrote to memory of 1972	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	44
PID 2952 wrote to memory of 1972	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	44
PID 2952 wrote to memory of 1972	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	44
PID 2952 wrote to memory of 1972	2952	{3A26D830-BBE5-43db-817A-453A1A57D197}.exe	44
PID 2816 wrote to memory of 1596	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	45
PID 2816 wrote to memory of 1596	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	45
PID 2816 wrote to memory of 1596	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	45
PID 2816 wrote to memory of 1596	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	45
PID 2816 wrote to memory of 1044	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	46
PID 2816 wrote to memory of 1044	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	46
PID 2816 wrote to memory of 1044	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	46
PID 2816 wrote to memory of 1044	2816	{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe	46

C:\Users\Admin\AppData\Local\Temp\2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
"C:\Users\Admin\AppData\Local\Temp\2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe
  C:\Windows\{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe
    C:\Windows\{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe
      C:\Windows\{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:700
    - - C:\Windows\{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe
        
        C:\Windows\{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe
        
        C:\Windows\{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{3A26D830-BBE5-43db-817A-453A1A57D197}.exe
        
        C:\Windows\{3A26D830-BBE5-43db-817A-453A1A57D197}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe
        
        C:\Windows\{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe
        
        C:\Windows\{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe
        
        C:\Windows\{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe
        
        C:\Windows\{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}.exe
        
        C:\Windows\{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF99~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F08~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9874~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71520~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A26D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93644~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27E25~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CB05~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A07B3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF46A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\265003~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27E25C9C-935C-4d47-8CC7-18E737A17783}.exe

Filesize
90KB

MD5
4ae8d7e6ca90d8ff5404e7262ded3d91

SHA1
b85a9b4c2a1ee7f2d41583117cfc0ffd884b1239

SHA256
6343886aa494b0fc66827cff4e8284df1b7c19c8324dc67795ec1420fd7f3c10

SHA512
cf12860e2f47a1d0932fbb3016ff98d60f3e360a8277516db5673bb665a1b0480a7bdffc16224023bd7e9f0309cc7b1660ea56502a8cf1bceaad523e6abf4cfe

Download Submit
C:\Windows\{3A26D830-BBE5-43db-817A-453A1A57D197}.exe

Filesize
90KB

MD5
5c23b54d7c6b506d51d898445f62e1cb

SHA1
dc2bd0485e7a79d915c0738ca940aa6d66dc9a5a

SHA256
91293ca90a17e68e8d1442e9fcf1730d5513a4829365ac9a63e423254e7308e7

SHA512
10f0daa18f74ab3d1dd77a9a75d6215f5535898b7b27ef623e4c53b80b12ace20bdf7da3b17760203d0eeea74bc897c7c07af06c7e6293bed4c988907d4b2589

Download Submit
C:\Windows\{3CB05DE1-4362-4c81-87EE-A2E73ABDB369}.exe

Filesize
90KB

MD5
db6a6cf81b0710b6b818af696b40fb07

SHA1
8bd8336422ca7bf0670e0c29ed4607a625e58ae9

SHA256
c225a33f0acbf73514a977d9aa156262f8e077aa5ad190dd7433bc382942d84f

SHA512
6c036a39ad2ff9a89548c0bcb84929db6cc3e26b7a7939e4144e5ca92458673e884f4a0ce0a6df754edc968f0e8fa84c348422b75c5ba5baf0cb2bc63618dda8

Download Submit
C:\Windows\{6FF9932B-0474-4ea7-82B9-8BF0CBE7B22B}.exe

Filesize
90KB

MD5
67af3f3008355cde9de429da1aedf25b

SHA1
ecbf224a4c49065cd5bff52063a439108292d362

SHA256
678f7f5d2c6eaa1bebdef8713bd68d6918105298df760788b552501fd85c0c4d

SHA512
5482753e4f332433678d622fe11a37f7eb2dd1df01dec51f19cd4b18160b64d6c44ab827263bda2922530d67e0f81ccb7022e9daad17192f399af2b65be2ffc4

Download Submit
C:\Windows\{71520720-0923-4fb5-B869-1C7167FCF7C2}.exe

Filesize
90KB

MD5
061e28b96f6897922ccbbfdfbae38277

SHA1
bd2868418f9ccb54928665c2f180c203806d7cb8

SHA256
7deb245cffb6dd330a278c471cba4e45500182e3ea80159b66a87fbe18fa50b0

SHA512
9d0791313a8bfc3e0d43d4ff2de48e1c550c6e648c4575ff60aa5806d3c56e3c73856b466bdc1162f1a0a58d880eaaa58f2e65d27bcc7a17b85c8a56b2b1977d

Download Submit
C:\Windows\{7EBDEA02-3E53-4b9a-B47A-6BBA7D093641}.exe

Filesize
90KB

MD5
1fb7bf9e56a3d65eee321391abc995e8

SHA1
1ba78fb8fa942e4f14ed42c34be61f03c730a8ef

SHA256
0ceb669e1a8035b6bac8996aabb3cc25a3ad2d799e18e65939ac35c3735fea99

SHA512
64987bdbe59de0b2011dd9d779eedf4ad978c9a417e66c22a341127e8a3b991aa5cef98a5814816db00bc10b00d8a08e426c09ca9fd2fdd133c08c7d61a679fb

Download Submit
C:\Windows\{93644F1F-09DC-4e74-8115-4A4D41E534BE}.exe

Filesize
90KB

MD5
939d9d5f2d86929cf70e39d64408a30b

SHA1
cae8fa8f5c499e30373084ff7d1ee669eccca1df

SHA256
df3f69fe91247f4fdfa303e8653e8309e65280d85ddee8e2b2f78d3180407335

SHA512
4588cbeb7eda99f48f2e750fae0942d50dcfe593d23c785d09960b1073eeb505e37cf0655882cb0630416b4f9c988ee3bcd87efb0207776a5ff293380cf24543

Download Submit
C:\Windows\{A07B383E-CDD0-468b-B7EF-BD2EC6ED0C06}.exe

Filesize
90KB

MD5
938fa415a8dc7f8d47c24d51079dda4d

SHA1
8b75108db9439c1b1fff084c03063b6fc395c5b8

SHA256
b5b67b34fede242f462baf4075c3ac747796e84df593e7dd1d4d891c28bac445

SHA512
d83d3395fd866b05336765e0ad3e3ecb01c714a38da288bca098f4d019ed54d94b19a7ee1d9642cc6f26717af0093f9943cf2d4706596d8085dfb6ab2fa4bbed

Download Submit
C:\Windows\{B1F08AA4-83FC-41be-B306-70DE042F54E4}.exe

Filesize
90KB

MD5
553185528a916f1d95d22b432e16b50e

SHA1
cfce16b8f83a19f292fb7dbcaaacd13deaf31fb6

SHA256
23c41af6e842a55987b127e1e87f42a26fce909141ab825144cb249d16a07b41

SHA512
62e7dfc82bba5dbd9b85411bd207b47a0d2c9354a91454d5bdf7fee610bc56720d362a0a1029fafd1d0648f5b50b15d3a57ec92bf734374d643982e3577f96e5

Download Submit
C:\Windows\{B9874AFF-B275-48a6-90C1-6B9F5BA9AAA8}.exe

Filesize
90KB

MD5
ca39a85d93ab45ee4213fe2f32c64564

SHA1
f8fe2b216d0233fee7067094356aea079b0f85d4

SHA256
9489fe384dd777177cb89f2bf6269eb53b0d54fa5262e2d83ed46265b9a21c46

SHA512
0602d88fdd3af51d45f60e11d59afa2bcb221818215d5ce5389faa11b08ba1c10abdc6d2edcdbd5e93adab9e87fb68ffe91509d013b8c353823e4dc5e0e0f2e7

Download Submit
C:\Windows\{DF46A2B1-E813-47e0-BBDD-4E23EFC6C434}.exe

Filesize
90KB

MD5
59f396c5070d9b8f1435c1aad30b32dd

SHA1
e5862068f97b487d37366cb2caff84d995938c1e

SHA256
8dd9f12622b5fcea2d35cea85ec65a060e59c15bff71c9c71cb85355a55ad31c

SHA512
4ca0ec110f7875a7c6368c0584bff43e79b5d100ac8c7431d7038cc71082aeffa54719a0cae9f85dd5e310a04702727d4126fd803ed8ba1b7f68e78ca8c81871

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads