91ca7c533b28ab0358dd290ebc8a8f87e38decbd9841b1a0ae93cd1ebbe60523

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

530a6ea9e6b9832b4e4240312ff509a0N.exe
Size

90KB
MD5

530a6ea9e6b9832b4e4240312ff509a0
SHA1

4f03b3c0db585f8a1f445bd98de6aea9919de548
SHA256

91ca7c533b28ab0358dd290ebc8a8f87e38decbd9841b1a0ae93cd1ebbe60523
SHA512

48f2a6b78efc1d3b3e8eecfd864797af08e2eb35f1869c822d0cb69d07038733b6d5238249a17b4b05f789d5d8c0598b6da171e06800f4a3a3c0ddfbab798131
SSDEEP

768:Qvw9816vhKQLroQ4/wQRNrfrunMxVFA3b7glw6:YEGh0oQl2unMxVS3Hgl

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}\stubpath = "C:\\Windows\\{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe"	530a6ea9e6b9832b4e4240312ff509a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}\stubpath = "C:\\Windows\\{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe"	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F68C063-8ED9-4853-93D5-FCD928FC10FF}\stubpath = "C:\\Windows\\{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe"	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}	530a6ea9e6b9832b4e4240312ff509a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F68C063-8ED9-4853-93D5-FCD928FC10FF}	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}\stubpath = "C:\\Windows\\{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe"	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}\stubpath = "C:\\Windows\\{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe"	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{272B0EE9-32F7-4517-864D-D04153BAB958}	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE2E580-E769-4200-B37C-D4D8F45CB910}\stubpath = "C:\\Windows\\{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe"	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}\stubpath = "C:\\Windows\\{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe"	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{272B0EE9-32F7-4517-864D-D04153BAB958}\stubpath = "C:\\Windows\\{272B0EE9-32F7-4517-864D-D04153BAB958}.exe"	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CE2E580-E769-4200-B37C-D4D8F45CB910}	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}	{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}\stubpath = "C:\\Windows\\{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}.exe"	{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe

Deletes itself 1 IoCs

pid	Process
2340	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe
1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe
2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe
2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe
2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe
1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe
1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe
1696	{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe
2964	{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}.exe	{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe
File created	C:\Windows\{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe
File created	C:\Windows\{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe
File created	C:\Windows\{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe
File created	C:\Windows\{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe
File created	C:\Windows\{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	530a6ea9e6b9832b4e4240312ff509a0N.exe
File created	C:\Windows\{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe
File created	C:\Windows\{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe
File created	C:\Windows\{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	530a6ea9e6b9832b4e4240312ff509a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe
Token: SeIncBasePriorityPrivilege	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe
Token: SeIncBasePriorityPrivilege	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe
Token: SeIncBasePriorityPrivilege	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe
Token: SeIncBasePriorityPrivilege	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe
Token: SeIncBasePriorityPrivilege	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe
Token: SeIncBasePriorityPrivilege	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe
Token: SeIncBasePriorityPrivilege	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe
Token: SeIncBasePriorityPrivilege	1696	{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1644	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe	31
PID 2388 wrote to memory of 1644	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe	31
PID 2388 wrote to memory of 1644	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe	31
PID 2388 wrote to memory of 1644	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe	31
PID 2388 wrote to memory of 2340	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe	32
PID 2388 wrote to memory of 2340	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe	32
PID 2388 wrote to memory of 2340	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe	32
PID 2388 wrote to memory of 2340	2388	530a6ea9e6b9832b4e4240312ff509a0N.exe	32
PID 1644 wrote to memory of 1876	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	33
PID 1644 wrote to memory of 1876	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	33
PID 1644 wrote to memory of 1876	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	33
PID 1644 wrote to memory of 1876	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	33
PID 1644 wrote to memory of 2752	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	34
PID 1644 wrote to memory of 2752	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	34
PID 1644 wrote to memory of 2752	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	34
PID 1644 wrote to memory of 2752	1644	{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe	34
PID 1876 wrote to memory of 2748	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	35
PID 1876 wrote to memory of 2748	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	35
PID 1876 wrote to memory of 2748	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	35
PID 1876 wrote to memory of 2748	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	35
PID 1876 wrote to memory of 2480	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	36
PID 1876 wrote to memory of 2480	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	36
PID 1876 wrote to memory of 2480	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	36
PID 1876 wrote to memory of 2480	1876	{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe	36
PID 2748 wrote to memory of 2628	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	37
PID 2748 wrote to memory of 2628	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	37
PID 2748 wrote to memory of 2628	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	37
PID 2748 wrote to memory of 2628	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	37
PID 2748 wrote to memory of 2772	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	38
PID 2748 wrote to memory of 2772	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	38
PID 2748 wrote to memory of 2772	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	38
PID 2748 wrote to memory of 2772	2748	{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe	38
PID 2628 wrote to memory of 2672	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	39
PID 2628 wrote to memory of 2672	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	39
PID 2628 wrote to memory of 2672	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	39
PID 2628 wrote to memory of 2672	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	39
PID 2628 wrote to memory of 2212	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	40
PID 2628 wrote to memory of 2212	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	40
PID 2628 wrote to memory of 2212	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	40
PID 2628 wrote to memory of 2212	2628	{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe	40
PID 2672 wrote to memory of 1796	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	41
PID 2672 wrote to memory of 1796	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	41
PID 2672 wrote to memory of 1796	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	41
PID 2672 wrote to memory of 1796	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	41
PID 2672 wrote to memory of 2784	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	42
PID 2672 wrote to memory of 2784	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	42
PID 2672 wrote to memory of 2784	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	42
PID 2672 wrote to memory of 2784	2672	{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe	42
PID 1796 wrote to memory of 1616	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	43
PID 1796 wrote to memory of 1616	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	43
PID 1796 wrote to memory of 1616	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	43
PID 1796 wrote to memory of 1616	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	43
PID 1796 wrote to memory of 2024	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	44
PID 1796 wrote to memory of 2024	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	44
PID 1796 wrote to memory of 2024	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	44
PID 1796 wrote to memory of 2024	1796	{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe	44
PID 1616 wrote to memory of 1696	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	45
PID 1616 wrote to memory of 1696	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	45
PID 1616 wrote to memory of 1696	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	45
PID 1616 wrote to memory of 1696	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	45
PID 1616 wrote to memory of 1668	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	46
PID 1616 wrote to memory of 1668	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	46
PID 1616 wrote to memory of 1668	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	46
PID 1616 wrote to memory of 1668	1616	{272B0EE9-32F7-4517-864D-D04153BAB958}.exe	46

C:\Users\Admin\AppData\Local\Temp\530a6ea9e6b9832b4e4240312ff509a0N.exe
"C:\Users\Admin\AppData\Local\Temp\530a6ea9e6b9832b4e4240312ff509a0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe
  C:\Windows\{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe
    C:\Windows\{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe
      C:\Windows\{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe
        
        C:\Windows\{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe
        
        C:\Windows\{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe
        
        C:\Windows\{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{272B0EE9-32F7-4517-864D-D04153BAB958}.exe
        
        C:\Windows\{272B0EE9-32F7-4517-864D-D04153BAB958}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe
        
        C:\Windows\{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}.exe
        
        C:\Windows\{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE2E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{272B0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{874D7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD98F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8ED6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6274~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F68C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B0D16~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\530A6E~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CDAD9BF-4140-471c-A30A-BCB35AF4D78C}.exe

Filesize
90KB

MD5
80994ef0f0bf3b5fd08248a4abcd4cf2

SHA1
f3e608dedbeda098b42a742473c41c0325edfca4

SHA256
afe84d0b6b97ed626ba6a9e8cd3f8f445b55188a5fbe19482000cdf5c1f3ad10

SHA512
329ce081b110f3cfa7b6479f612030721e1869dcf4e41fcdb13aad7521bfcbc5382032220a199cb600597ddae18606221ec3ea34e8f7605fbee68af887d13619

Download Submit
C:\Windows\{0CE2E580-E769-4200-B37C-D4D8F45CB910}.exe

Filesize
90KB

MD5
e90731be5de49d3b692de8232e05e2ba

SHA1
57767e37061fddc5a80418b3a4d145ad364c7aaa

SHA256
d893b0b4a4a936d7a94fca33f79f6c1050eb78d9fc7ce055a4e0c4eb5881a062

SHA512
cb2d4cc4aff318a68d16bc572d19de4a091278271070d98e3cd928530483aee26cb3c4f8627c933492aeaeef69897fde18bd1f3ad1bce1dc8cbde911ecf96083

Download Submit
C:\Windows\{272B0EE9-32F7-4517-864D-D04153BAB958}.exe

Filesize
90KB

MD5
08d90742d48f44fca65cc96bbe688709

SHA1
b5da1d75dc542bf92d7ca25739b20dffebfdb9a1

SHA256
83b0440dc7a8b6a83f8d64c341e3420b4f7d74a86866e85aaa06010975d46d53

SHA512
4e84a7bd1f6fa3da23bfc71d59e892beaa86fa5319560c91f2118d4e42069886d53a033fca7cb6160e394f58ea982794bacd2bb2fce5f5c0cab4517e7da072dd

Download Submit
C:\Windows\{3F68C063-8ED9-4853-93D5-FCD928FC10FF}.exe

Filesize
90KB

MD5
07dc29b188d3c6462f08fbb97e7a9cda

SHA1
9fa9f1fe462031a40fe555dd495f9e347c76c35a

SHA256
b3e86bf0ab28e53b01dae46308ae3016d7629635404037cc382a1461e3e9139a

SHA512
ffc9ea5e6b54d0035c14a11dab76a01d80bf059ed867c51fe4fcfd519000c5c6ced88d5a8d2d58e3db257fa051f00d58f782c276552a83d9bd8d4d6e7c54e5b6

Download Submit
C:\Windows\{874D7689-8132-4e51-AA42-2AD9EB1CBDEE}.exe

Filesize
90KB

MD5
67b5b898f5f28984bebc2a7f7aad19bb

SHA1
9bc7d7f674de3801229ba4c4526cb5763a9694b5

SHA256
9c857e152683061e62c4c3f6ce6f76d2363e4a77ced5db9e70274ed6d69dc24e

SHA512
9dbd33c9c6759993e966ff42b224b813699efaba136e7c64594f0e3813c26167d5cb937b6fda509198bd554dbda5f89b3f1835469911ea6c9048da51234c2230

Download Submit
C:\Windows\{A8ED674A-1BBC-429c-B13F-C7AC2D10E9CC}.exe

Filesize
90KB

MD5
b363779da33f41090e1a6fdfab93dd91

SHA1
4e5711113a605a2e65e07801cf632b4336147f7c

SHA256
4ed1880ef4d93eebc5b241b0e986359509866cc765a2a1c6027055e6e6b5b360

SHA512
ed377af481df48ebeb2dd7dc4d9bc734d4f9b8f3ad8e47a8ae4872a11ccc2da1bb73cde3a5432166fbceecc0cc7cd504a3c04724ce3d8d3c0d9e9412a76d26d3

Download Submit
C:\Windows\{B0D161FB-D76A-4e4c-A807-D5E796EA3BE5}.exe

Filesize
90KB

MD5
622bb211d8ce70c52a98798c20dbe841

SHA1
383b668d61ec1d946445d3a86cba01b19fec86d6

SHA256
53c44df96509eacf285e6bf0f015797f9a632ad172bf331c7d09b6f4594534dd

SHA512
e11dd26336107951197d2e9c8543a61fdb79197a640c6ab586985e466003bfdb42988f25241997a26fa9e32fb2179febe6ca693571a580305a8cf9e1f2439d97

Download Submit
C:\Windows\{C62748AB-3AB0-4b8f-B3C4-D0E00750FAA2}.exe

Filesize
90KB

MD5
648b9d630e987679017175e75234d0b2

SHA1
3c7c6af2836a03dd32912b4460f9a020eb8d59e5

SHA256
f9612f8fc4c2aa5181cfadc75fa0e0b6743c0d4fbe730e448bb5d2060377bed8

SHA512
f5c4ab5c3b91384a2a6eb4ebd48aef0e40dc3292d642b33739da9460be1579056b5695ac6cf713a4040f6a680d78208d9fb55753c4e2f6c747f2fb0231d8a44e

Download Submit
C:\Windows\{CD98F2DE-19DF-4e05-8F36-BA0013AF6928}.exe

Filesize
90KB

MD5
198efd22fd487db91eacfa3b33a02b57

SHA1
9a1f60b3fb77fb0a3e1fd971f25aafcfc029de62

SHA256
9aaa8c68a9140fb2f6089724d23b6432e43aca6e40a26701317c183dc45f721c

SHA512
f344b3b5a2946df8b09c8e4f3efccd670490755cf5a8c5219ea98d734791bc57a3f9e25aab770c570407d1d622192c82f3b8fc2fac7ccba22f31e628ef8a7352

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads