91ca7c533b28ab0358dd290ebc8a8f87e38decbd9841b1a0ae93cd1ebbe60523

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

530a6ea9e6b9832b4e4240312ff509a0N.exe
Size

90KB
MD5

530a6ea9e6b9832b4e4240312ff509a0
SHA1

4f03b3c0db585f8a1f445bd98de6aea9919de548
SHA256

91ca7c533b28ab0358dd290ebc8a8f87e38decbd9841b1a0ae93cd1ebbe60523
SHA512

48f2a6b78efc1d3b3e8eecfd864797af08e2eb35f1869c822d0cb69d07038733b6d5238249a17b4b05f789d5d8c0598b6da171e06800f4a3a3c0ddfbab798131
SSDEEP

768:Qvw9816vhKQLroQ4/wQRNrfrunMxVFA3b7glw6:YEGh0oQl2unMxVS3Hgl

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFE174AF-923D-420e-B8F8-F34219A282C3}\stubpath = "C:\\Windows\\{DFE174AF-923D-420e-B8F8-F34219A282C3}.exe"	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3B70F25-C771-4747-B21D-DC5B1597A2BD}	530a6ea9e6b9832b4e4240312ff509a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{194FBB72-70E0-49dd-9778-A2AE14318115}\stubpath = "C:\\Windows\\{194FBB72-70E0-49dd-9778-A2AE14318115}.exe"	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F88454AC-E7B1-400c-A665-75A4C27908A9}	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFE174AF-923D-420e-B8F8-F34219A282C3}	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F88454AC-E7B1-400c-A665-75A4C27908A9}\stubpath = "C:\\Windows\\{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe"	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{012762FA-D953-472a-96E7-0EB8322F08C6}	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{012762FA-D953-472a-96E7-0EB8322F08C6}\stubpath = "C:\\Windows\\{012762FA-D953-472a-96E7-0EB8322F08C6}.exe"	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A94EA15-95A2-45ef-815D-972BE1905C99}	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A94EA15-95A2-45ef-815D-972BE1905C99}\stubpath = "C:\\Windows\\{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe"	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{194FBB72-70E0-49dd-9778-A2AE14318115}	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50AE7768-A1A6-4c62-907D-F904F68B1584}\stubpath = "C:\\Windows\\{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe"	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5F4336-7B1C-462a-A86D-A277097C7E18}	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5F4336-7B1C-462a-A86D-A277097C7E18}\stubpath = "C:\\Windows\\{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe"	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70B00222-C755-4b33-B6B5-B0D93CF5B84B}\stubpath = "C:\\Windows\\{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe"	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3B70F25-C771-4747-B21D-DC5B1597A2BD}\stubpath = "C:\\Windows\\{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe"	530a6ea9e6b9832b4e4240312ff509a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50AE7768-A1A6-4c62-907D-F904F68B1584}	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70B00222-C755-4b33-B6B5-B0D93CF5B84B}	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe

Executes dropped EXE 9 IoCs

pid	Process
1228	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe
4576	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe
3432	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe
4128	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe
976	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe
3208	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe
2332	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe
4864	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe
3924	{DFE174AF-923D-420e-B8F8-F34219A282C3}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{DFE174AF-923D-420e-B8F8-F34219A282C3}.exe	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe
File created	C:\Windows\{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe	530a6ea9e6b9832b4e4240312ff509a0N.exe
File created	C:\Windows\{194FBB72-70E0-49dd-9778-A2AE14318115}.exe	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe
File created	C:\Windows\{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe
File created	C:\Windows\{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe
File created	C:\Windows\{012762FA-D953-472a-96E7-0EB8322F08C6}.exe	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe
File created	C:\Windows\{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe
File created	C:\Windows\{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe
File created	C:\Windows\{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFE174AF-923D-420e-B8F8-F34219A282C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	530a6ea9e6b9832b4e4240312ff509a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	740	530a6ea9e6b9832b4e4240312ff509a0N.exe
Token: SeIncBasePriorityPrivilege	1228	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe
Token: SeIncBasePriorityPrivilege	4576	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe
Token: SeIncBasePriorityPrivilege	3432	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe
Token: SeIncBasePriorityPrivilege	4128	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe
Token: SeIncBasePriorityPrivilege	976	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe
Token: SeIncBasePriorityPrivilege	3208	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe
Token: SeIncBasePriorityPrivilege	2332	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe
Token: SeIncBasePriorityPrivilege	4864	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1228	740	530a6ea9e6b9832b4e4240312ff509a0N.exe	86
PID 740 wrote to memory of 1228	740	530a6ea9e6b9832b4e4240312ff509a0N.exe	86
PID 740 wrote to memory of 1228	740	530a6ea9e6b9832b4e4240312ff509a0N.exe	86
PID 740 wrote to memory of 3264	740	530a6ea9e6b9832b4e4240312ff509a0N.exe	87
PID 740 wrote to memory of 3264	740	530a6ea9e6b9832b4e4240312ff509a0N.exe	87
PID 740 wrote to memory of 3264	740	530a6ea9e6b9832b4e4240312ff509a0N.exe	87
PID 1228 wrote to memory of 4576	1228	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe	88
PID 1228 wrote to memory of 4576	1228	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe	88
PID 1228 wrote to memory of 4576	1228	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe	88
PID 1228 wrote to memory of 4800	1228	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe	89
PID 1228 wrote to memory of 4800	1228	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe	89
PID 1228 wrote to memory of 4800	1228	{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe	89
PID 4576 wrote to memory of 3432	4576	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe	93
PID 4576 wrote to memory of 3432	4576	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe	93
PID 4576 wrote to memory of 3432	4576	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe	93
PID 4576 wrote to memory of 3728	4576	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe	94
PID 4576 wrote to memory of 3728	4576	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe	94
PID 4576 wrote to memory of 3728	4576	{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe	94
PID 3432 wrote to memory of 4128	3432	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe	95
PID 3432 wrote to memory of 4128	3432	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe	95
PID 3432 wrote to memory of 4128	3432	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe	95
PID 3432 wrote to memory of 2904	3432	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe	96
PID 3432 wrote to memory of 2904	3432	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe	96
PID 3432 wrote to memory of 2904	3432	{194FBB72-70E0-49dd-9778-A2AE14318115}.exe	96
PID 4128 wrote to memory of 976	4128	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe	97
PID 4128 wrote to memory of 976	4128	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe	97
PID 4128 wrote to memory of 976	4128	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe	97
PID 4128 wrote to memory of 724	4128	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe	98
PID 4128 wrote to memory of 724	4128	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe	98
PID 4128 wrote to memory of 724	4128	{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe	98
PID 976 wrote to memory of 3208	976	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe	99
PID 976 wrote to memory of 3208	976	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe	99
PID 976 wrote to memory of 3208	976	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe	99
PID 976 wrote to memory of 2572	976	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe	100
PID 976 wrote to memory of 2572	976	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe	100
PID 976 wrote to memory of 2572	976	{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe	100
PID 3208 wrote to memory of 2332	3208	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe	101
PID 3208 wrote to memory of 2332	3208	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe	101
PID 3208 wrote to memory of 2332	3208	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe	101
PID 3208 wrote to memory of 5032	3208	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe	102
PID 3208 wrote to memory of 5032	3208	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe	102
PID 3208 wrote to memory of 5032	3208	{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe	102
PID 2332 wrote to memory of 4864	2332	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe	103
PID 2332 wrote to memory of 4864	2332	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe	103
PID 2332 wrote to memory of 4864	2332	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe	103
PID 2332 wrote to memory of 688	2332	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe	104
PID 2332 wrote to memory of 688	2332	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe	104
PID 2332 wrote to memory of 688	2332	{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe	104
PID 4864 wrote to memory of 3924	4864	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe	105
PID 4864 wrote to memory of 3924	4864	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe	105
PID 4864 wrote to memory of 3924	4864	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe	105
PID 4864 wrote to memory of 2504	4864	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe	106
PID 4864 wrote to memory of 2504	4864	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe	106
PID 4864 wrote to memory of 2504	4864	{012762FA-D953-472a-96E7-0EB8322F08C6}.exe	106

C:\Users\Admin\AppData\Local\Temp\530a6ea9e6b9832b4e4240312ff509a0N.exe
"C:\Users\Admin\AppData\Local\Temp\530a6ea9e6b9832b4e4240312ff509a0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe
  C:\Windows\{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe
    C:\Windows\{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\{194FBB72-70E0-49dd-9778-A2AE14318115}.exe
      C:\Windows\{194FBB72-70E0-49dd-9778-A2AE14318115}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe
        
        C:\Windows\{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4128
      - C:\Windows\{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe
        
        C:\Windows\{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe
        
        C:\Windows\{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe
        
        C:\Windows\{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{012762FA-D953-472a-96E7-0EB8322F08C6}.exe
        
        C:\Windows\{012762FA-D953-472a-96E7-0EB8322F08C6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{DFE174AF-923D-420e-B8F8-F34219A282C3}.exe
        
        C:\Windows\{DFE174AF-923D-420e-B8F8-F34219A282C3}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01276~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8845~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70B00~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50AE7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE5F4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{194FB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3A94E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3B70~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\530A6E~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{012762FA-D953-472a-96E7-0EB8322F08C6}.exe

Filesize
90KB

MD5
757a2c807820c256496db7fe1eaffc45

SHA1
9a177b8e91037f0697014b7b9096877539e747f5

SHA256
a93c788dce87ba0b3c4823ea3ef4677034fd3de8519572f2002cf0b5121b4fb1

SHA512
6a8a33f3cd7016ffc55611e45fa2121e8807f42e40c04b351d8f607157534f825ce18aaee1074a1a54cabd994895d2050aee097c07f8105de550496d5002fe83

Download Submit
C:\Windows\{194FBB72-70E0-49dd-9778-A2AE14318115}.exe

Filesize
90KB

MD5
3d94739b96487496381268467a27fd66

SHA1
310ec23dc15e70f66dfe30b1b9288fea6330a224

SHA256
640071e59d3bc479e22b4adf1aa09894d8be226eafe1a70042b437dd8213490d

SHA512
78458f827371f41e28b5908b13d617092f7661018481e7f7691862e415c56afa95d6d24fe676dfe24a10ea5cce4461fe80dccce4822377cf705d667e6c5dd99e

Download Submit
C:\Windows\{3A94EA15-95A2-45ef-815D-972BE1905C99}.exe

Filesize
90KB

MD5
49137f55c092b2df3ba2bf4722eb6be2

SHA1
28b88a1075bf8191f8f64f2652232483937ee980

SHA256
b1c0ba101fb616aabd6f139d8403726d6d0f25996f46e32daf1c11c12bda5bc7

SHA512
c4345e2dcd487b561006eaece3a0c6f710ad102b7f3a643b922c3fb927692423b75f136c9fe76ff0f904f6f98ad72151f55ade17af5d14740abd707b1bea57f3

Download Submit
C:\Windows\{50AE7768-A1A6-4c62-907D-F904F68B1584}.exe

Filesize
90KB

MD5
a8969cb2fc66cb854a6c8f13f4c0053b

SHA1
b6dc1c65a75eb5596cd0005b511ea5c0c4aaa558

SHA256
fe385b362d91be008b572f982712f9cf0e29961a542c5cb04507d49f8f796550

SHA512
d0039acd0827f7391488b38ca4b87dce24bc1c9a733bc60ff967d9c101693c572d1e2c38223d6b9b108e3e029eb631ebb1c2f48fdc25a6cf3a015e4988bddb8e

Download Submit
C:\Windows\{70B00222-C755-4b33-B6B5-B0D93CF5B84B}.exe

Filesize
90KB

MD5
85b86dc1a57eadce70b88a9ceead90cd

SHA1
33756334ca89cc5a470ebd8618340fad5191963a

SHA256
10846cc217068b85c35d1c5912b2f968af785a4af093cb5a970ddb1f2dfacb06

SHA512
5dc70e30995a5a59daebd1d72584a347aeb07ca8243667d824e1f57e86afc62ff7023e8b50617987a90d5b139adcea286fafb45cf63cef13054fac3981b96bd2

Download Submit
C:\Windows\{B3B70F25-C771-4747-B21D-DC5B1597A2BD}.exe

Filesize
90KB

MD5
ec6d79b6f108fe86a1b3febe1cb8f92c

SHA1
4103a6ed4be1e06b1b154a9b2aa3de43d1a2ecfa

SHA256
1b969487da7731f0508a7b6b0ecb70344be1a0535f5a9454d1a7390e9f8a8b39

SHA512
5b4edb34cbf94efda33422940c266f1093b58c9637bf96d1ae5ef110d7375fb25e421bb4ac3980c45a3dd92031f9f493ad378096de4db0f907ef9f9b223a9971

Download Submit
C:\Windows\{BE5F4336-7B1C-462a-A86D-A277097C7E18}.exe

Filesize
90KB

MD5
dfc92d6fd4cd13ab6aba61c8860e907e

SHA1
382550a54481fd5461b010e729549587acea2c0a

SHA256
ed6be5751013d0d64f914910959736c146878adb7b867ff2da016041586efbef

SHA512
5f77b7319b7cceb6072c193b7f6d49507bc40af16ba0c5838f2aa017531dd86b127bc783ae23d2ff49a8547792adc8b3ec12330a619070d8de170e5a22218bab

Download Submit
C:\Windows\{DFE174AF-923D-420e-B8F8-F34219A282C3}.exe

Filesize
90KB

MD5
b78b7ab5a0a6cbb0b80ac4fe3263ba61

SHA1
4abf7b2c4976ffc82fa109a9f372ef30125cfd46

SHA256
c1c3a1247ac2e8e037e656af24b8f8fc3e8368eb13fd7154c98a1b46237011f2

SHA512
5e3ad5bfbfa46de04e3ec77f59a45a5330e7c9701c9ad11ea907c2dd338b3395ea32780380b833114acb02f2339c8348f8773b7d62e1756fdd33d21d5b907648

Download Submit
C:\Windows\{F88454AC-E7B1-400c-A665-75A4C27908A9}.exe

Filesize
90KB

MD5
06539edd39d6bbfc3f6d4395ba3defbf

SHA1
5e6e755551a34c713ea1d51ce8011ac7ea7fc04b

SHA256
d41405e0f6f223f3bc2ddd094ea4eeb1e2e005635868bafd4ea6aebaa0c2dfc3

SHA512
e8b543366d15b062db8668d8cde06f20ef999b6771abce495d351ac9511f921d0e5a86edc81cb1c187592f99cb22720bd5f65edc2795dc319438177b12970d72

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads