fa7dd820491ca2d8372309e5ea9cb06d299767f20215827f81cd1e3022939c4a

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1832137ad26393431fa94684684bb270N.exe
Size

88KB
MD5

1832137ad26393431fa94684684bb270
SHA1

21bed7405fabbff8ba81b3ee8cba240f547fe864
SHA256

fa7dd820491ca2d8372309e5ea9cb06d299767f20215827f81cd1e3022939c4a
SHA512

eaf4b52276ba29d48cca909fce5a5ee31ca5a702bacb925b43534f935caafc94d505a9d04de7050ab9dbf6ad467aae980d5ae1f9c1dbcbdcf0967427f71f3bf8
SSDEEP

768:uvw981E9hKQLroUL4/wQDNrfrunMxVFA3r:aEGJ0oULlYunMxVS3r

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66742C64-7D05-43b0-98C3-27A0F5EE0E35}	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34268CC7-0C67-48d4-BA32-68993B5001EF}\stubpath = "C:\\Windows\\{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe"	{10204438-D764-474f-8E21-17FB94320301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{408A0C39-14A5-4bc9-8B3D-D286A50B4213}\stubpath = "C:\\Windows\\{408A0C39-14A5-4bc9-8B3D-D286A50B4213}.exe"	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}	1832137ad26393431fa94684684bb270N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CE5DD98-1C86-4aca-AF11-3127878EC18F}	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD730E6F-5E9B-4a87-8B8E-9410F9165637}	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F56567CA-1B39-408d-B6A8-663A8009274F}\stubpath = "C:\\Windows\\{F56567CA-1B39-408d-B6A8-663A8009274F}.exe"	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10204438-D764-474f-8E21-17FB94320301}	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10204438-D764-474f-8E21-17FB94320301}\stubpath = "C:\\Windows\\{10204438-D764-474f-8E21-17FB94320301}.exe"	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{408A0C39-14A5-4bc9-8B3D-D286A50B4213}	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF0065B-94ED-4404-BDBF-80B29B4B0147}	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF0065B-94ED-4404-BDBF-80B29B4B0147}\stubpath = "C:\\Windows\\{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe"	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34268CC7-0C67-48d4-BA32-68993B5001EF}	{10204438-D764-474f-8E21-17FB94320301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}\stubpath = "C:\\Windows\\{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe"	1832137ad26393431fa94684684bb270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD730E6F-5E9B-4a87-8B8E-9410F9165637}\stubpath = "C:\\Windows\\{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe"	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F56567CA-1B39-408d-B6A8-663A8009274F}	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CE5DD98-1C86-4aca-AF11-3127878EC18F}\stubpath = "C:\\Windows\\{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe"	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66742C64-7D05-43b0-98C3-27A0F5EE0E35}\stubpath = "C:\\Windows\\{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe"	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe

Executes dropped EXE 9 IoCs

pid	Process
4632	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe
3648	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe
4532	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe
4624	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe
4284	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe
3484	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe
4400	{10204438-D764-474f-8E21-17FB94320301}.exe
4156	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe
1060	{408A0C39-14A5-4bc9-8B3D-D286A50B4213}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe	{10204438-D764-474f-8E21-17FB94320301}.exe
File created	C:\Windows\{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe	1832137ad26393431fa94684684bb270N.exe
File created	C:\Windows\{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe
File created	C:\Windows\{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe
File created	C:\Windows\{F56567CA-1B39-408d-B6A8-663A8009274F}.exe	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe
File created	C:\Windows\{10204438-D764-474f-8E21-17FB94320301}.exe	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe
File created	C:\Windows\{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe
File created	C:\Windows\{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe
File created	C:\Windows\{408A0C39-14A5-4bc9-8B3D-D286A50B4213}.exe	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1832137ad26393431fa94684684bb270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10204438-D764-474f-8E21-17FB94320301}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{408A0C39-14A5-4bc9-8B3D-D286A50B4213}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1568	1832137ad26393431fa94684684bb270N.exe
Token: SeIncBasePriorityPrivilege	4632	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe
Token: SeIncBasePriorityPrivilege	3648	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe
Token: SeIncBasePriorityPrivilege	4532	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe
Token: SeIncBasePriorityPrivilege	4624	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe
Token: SeIncBasePriorityPrivilege	4284	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe
Token: SeIncBasePriorityPrivilege	3484	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe
Token: SeIncBasePriorityPrivilege	4400	{10204438-D764-474f-8E21-17FB94320301}.exe
Token: SeIncBasePriorityPrivilege	4156	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 4632	1568	1832137ad26393431fa94684684bb270N.exe	86
PID 1568 wrote to memory of 4632	1568	1832137ad26393431fa94684684bb270N.exe	86
PID 1568 wrote to memory of 4632	1568	1832137ad26393431fa94684684bb270N.exe	86
PID 1568 wrote to memory of 3188	1568	1832137ad26393431fa94684684bb270N.exe	87
PID 1568 wrote to memory of 3188	1568	1832137ad26393431fa94684684bb270N.exe	87
PID 1568 wrote to memory of 3188	1568	1832137ad26393431fa94684684bb270N.exe	87
PID 4632 wrote to memory of 3648	4632	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe	88
PID 4632 wrote to memory of 3648	4632	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe	88
PID 4632 wrote to memory of 3648	4632	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe	88
PID 4632 wrote to memory of 4936	4632	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe	89
PID 4632 wrote to memory of 4936	4632	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe	89
PID 4632 wrote to memory of 4936	4632	{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe	89
PID 3648 wrote to memory of 4532	3648	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe	94
PID 3648 wrote to memory of 4532	3648	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe	94
PID 3648 wrote to memory of 4532	3648	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe	94
PID 3648 wrote to memory of 64	3648	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe	95
PID 3648 wrote to memory of 64	3648	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe	95
PID 3648 wrote to memory of 64	3648	{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe	95
PID 4532 wrote to memory of 4624	4532	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe	96
PID 4532 wrote to memory of 4624	4532	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe	96
PID 4532 wrote to memory of 4624	4532	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe	96
PID 4532 wrote to memory of 1144	4532	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe	97
PID 4532 wrote to memory of 1144	4532	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe	97
PID 4532 wrote to memory of 1144	4532	{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe	97
PID 4624 wrote to memory of 4284	4624	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe	98
PID 4624 wrote to memory of 4284	4624	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe	98
PID 4624 wrote to memory of 4284	4624	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe	98
PID 4624 wrote to memory of 4224	4624	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe	99
PID 4624 wrote to memory of 4224	4624	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe	99
PID 4624 wrote to memory of 4224	4624	{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe	99
PID 4284 wrote to memory of 3484	4284	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe	100
PID 4284 wrote to memory of 3484	4284	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe	100
PID 4284 wrote to memory of 3484	4284	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe	100
PID 4284 wrote to memory of 4596	4284	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe	101
PID 4284 wrote to memory of 4596	4284	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe	101
PID 4284 wrote to memory of 4596	4284	{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe	101
PID 3484 wrote to memory of 4400	3484	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe	102
PID 3484 wrote to memory of 4400	3484	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe	102
PID 3484 wrote to memory of 4400	3484	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe	102
PID 3484 wrote to memory of 4272	3484	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe	103
PID 3484 wrote to memory of 4272	3484	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe	103
PID 3484 wrote to memory of 4272	3484	{F56567CA-1B39-408d-B6A8-663A8009274F}.exe	103
PID 4400 wrote to memory of 4156	4400	{10204438-D764-474f-8E21-17FB94320301}.exe	104
PID 4400 wrote to memory of 4156	4400	{10204438-D764-474f-8E21-17FB94320301}.exe	104
PID 4400 wrote to memory of 4156	4400	{10204438-D764-474f-8E21-17FB94320301}.exe	104
PID 4400 wrote to memory of 1948	4400	{10204438-D764-474f-8E21-17FB94320301}.exe	105
PID 4400 wrote to memory of 1948	4400	{10204438-D764-474f-8E21-17FB94320301}.exe	105
PID 4400 wrote to memory of 1948	4400	{10204438-D764-474f-8E21-17FB94320301}.exe	105
PID 4156 wrote to memory of 1060	4156	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe	106
PID 4156 wrote to memory of 1060	4156	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe	106
PID 4156 wrote to memory of 1060	4156	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe	106
PID 4156 wrote to memory of 2088	4156	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe	107
PID 4156 wrote to memory of 2088	4156	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe	107
PID 4156 wrote to memory of 2088	4156	{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe	107

C:\Users\Admin\AppData\Local\Temp\1832137ad26393431fa94684684bb270N.exe
"C:\Users\Admin\AppData\Local\Temp\1832137ad26393431fa94684684bb270N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe
  C:\Windows\{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe
    C:\Windows\{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe
      C:\Windows\{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe
        
        C:\Windows\{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe
        
        C:\Windows\{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{F56567CA-1B39-408d-B6A8-663A8009274F}.exe
        
        C:\Windows\{F56567CA-1B39-408d-B6A8-663A8009274F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{10204438-D764-474f-8E21-17FB94320301}.exe
        
        C:\Windows\{10204438-D764-474f-8E21-17FB94320301}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe
        
        C:\Windows\{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\{408A0C39-14A5-4bc9-8B3D-D286A50B4213}.exe
        
        C:\Windows\{408A0C39-14A5-4bc9-8B3D-D286A50B4213}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34268~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10204~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5656~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66742~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CE5D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD730~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CF00~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C14D4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\183213~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10204438-D764-474f-8E21-17FB94320301}.exe

Filesize
88KB

MD5
55838e389265dc8e5af25b548f2c8986

SHA1
19d85ac56cf375047fa7835babb410c1a17806b8

SHA256
6be2516ee1bcbaa89c0b2eeb692db9bb2f89d064202d283e024c84651f88e63e

SHA512
c56734302e4d6c719d0b4c3e9002e5f6735a848fe5794509ba91387cfabdb1b88d191c9536339ff8735469ffa6d92e642f2442ed8846dfd98876b5e877a6578e

Download Submit
C:\Windows\{34268CC7-0C67-48d4-BA32-68993B5001EF}.exe

Filesize
88KB

MD5
c8c04d4e81bf83b456633b200c077fef

SHA1
ec09cb24de835eac73b30004e249ece2c1d0c12f

SHA256
afcae5b2003436951db0b5a5beeeada8fbe1e9518034bc94d0b41d1963d0e58c

SHA512
08cdc7508f4ab7c98e3fb828abebdc6d0ec1458c71a40799e7c3cf32c6b6950d1b28a0e2d0b312b767f85b6d3fc9d54b54acce56ee7842ad3de84ab251d523ac

Download Submit
C:\Windows\{3CF0065B-94ED-4404-BDBF-80B29B4B0147}.exe

Filesize
88KB

MD5
c150e078d95fdad62892cdca507eff65

SHA1
b9c31b0d0fec1aed7afb9b1372a8e97fa037e2d5

SHA256
ad25302bfb6d2cfc97bea979c1d8f79cf31891a9ab57a994a54e38883c4aa67c

SHA512
500c38ec63d55349be29e5eedfd1c4049a8cd70e501c355eecc0999f0f84c9913813174318859ea48961fde959623f04157b54be1a85fc4a5bbb3a500c2b345c

Download Submit
C:\Windows\{408A0C39-14A5-4bc9-8B3D-D286A50B4213}.exe

Filesize
88KB

MD5
4acbb1a04403a52c33f13c51d71e7a29

SHA1
02c122f8d7e5ef258e3b2470d1036aaf40de8159

SHA256
0bac59c240723278bbb6db391c032268c6b395c397d351764aedd18b5d704c3b

SHA512
87b72e4f3bbcce0f7ef4b9927c23a4572a047959744866fe8bcd7a9d483891736cbbfbff96d2f1623346aed480f8316e076c14aae5a9981be1a2694d67692170

Download Submit
C:\Windows\{5CE5DD98-1C86-4aca-AF11-3127878EC18F}.exe

Filesize
88KB

MD5
ac75eb972d08620241bd74729994b577

SHA1
682a22902f8ebc5a7f840c5b25c310a417dcb229

SHA256
b7be62072b55153eccc4753200d1d1fd8de77e1f324399864690e87583d247d1

SHA512
9520e1887b217931de21425865bb0d1b09ee985c57203a6eec26bc07df85cdcd3b5d9f0fbc19deadb8511256abe88596688479ff52ac0e9995a27f46600f1179

Download Submit
C:\Windows\{66742C64-7D05-43b0-98C3-27A0F5EE0E35}.exe

Filesize
88KB

MD5
a0b912f7e86158efe71bffb5f6106f3a

SHA1
2d24ecf571a3646f6742e0389544648df5df6b9c

SHA256
b0b7ca19391744d942f1cd8fb1caf5a3402d3c02effa30dd798a298556291803

SHA512
6c861f5b73307c28472841d10691443d3ce91c618dff5b81bfffd6141e798a6da56fbf2b521e3d327fd879d156eab18ece003a1b48e1fccb011057f1abe2245d

Download Submit
C:\Windows\{BD730E6F-5E9B-4a87-8B8E-9410F9165637}.exe

Filesize
88KB

MD5
a1cf3becacf0991e34651bfdf1ff23b3

SHA1
436409fc633b4d633f9d6c05a6b8787f4ffcd88a

SHA256
6cf35c9c1a2482ae069157d3e7230cadd8784947020d7c394a723d2a0e1e7aea

SHA512
5e1440b926d00a81eb97df7e927b0a40129e871650a7225dea1eafbe5b8a19d6d77ba8cacb86efaab688fffaed952ace1104e8747143e42a7b9ed96755d2698b

Download Submit
C:\Windows\{C14D4FE0-2413-452b-8B7D-D4F5C7C5DAA8}.exe

Filesize
88KB

MD5
9ae36ba8cb6ae0271d469524740e7911

SHA1
07e7caf787d140b99908c1dbc357213c560b10b1

SHA256
8aee017012edc8cf86ebdcf1a03a45465de3399e7a07fd5ca9fd82a9b56c8185

SHA512
315cc9caf0c52dc3041c037683cd0c39dfc297aa638b1846d52661c64081fc2de6795eba7e89a9c2ec072c00867e464f597689dde7f64ed0a02917a5981e1286

Download Submit
C:\Windows\{F56567CA-1B39-408d-B6A8-663A8009274F}.exe

Filesize
88KB

MD5
a0983697cf616e93c6a08d5b44a6f792

SHA1
cc61024cb4fbce899db46fc995924e682ef5410c

SHA256
35d0265235ce2c4d6bbe595a182c785049fa8ebd5020a92dcda644ded70a7089

SHA512
13b10cf80b902767d015f899e3ea3e292a117ad06174596e6453c9802c98df28c21b5a5c91f2a47a9c5503c034644c1421aea287b3364c8709b878d8b4a596f9

Download Submit
memory/1568-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1568-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3484-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3484-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3648-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3648-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4156-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4156-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4284-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4400-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4532-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4532-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4624-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4624-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4632-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4632-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads