7e80f4c3de232199039b43990c9b4e67ba45017eabea3d799d000a1a624e5208

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63fd02fdf10254b3f8cf4048fe202220N.exe
Size

60KB
MD5

63fd02fdf10254b3f8cf4048fe202220
SHA1

6f84b4e82557b9ae089b679cb8a8302dbaaae84f
SHA256

7e80f4c3de232199039b43990c9b4e67ba45017eabea3d799d000a1a624e5208
SHA512

c9a5d7aa6d13b04fcbe8b76729d01c0c4b35632afd5232bcfdb56176a8dc03c51940af1d14182b3a1fe42520be3900703dd5e03eff057e06e5bd01ef966309d6
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqw8Y04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroK4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B52EA7-3086-4a69-B727-EE924010208A}\stubpath = "C:\\Windows\\{08B52EA7-3086-4a69-B727-EE924010208A}.exe"	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}\stubpath = "C:\\Windows\\{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe"	{08B52EA7-3086-4a69-B727-EE924010208A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358B9E13-CD5B-41d9-AE8C-57F52556D800}	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}\stubpath = "C:\\Windows\\{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}.exe"	{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}\stubpath = "C:\\Windows\\{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe"	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}\stubpath = "C:\\Windows\\{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe"	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6429D08D-33A3-4cb3-B22C-3EE4F7287301}\stubpath = "C:\\Windows\\{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe"	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}\stubpath = "C:\\Windows\\{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe"	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B52EA7-3086-4a69-B727-EE924010208A}	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}	{08B52EA7-3086-4a69-B727-EE924010208A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D99108F-7339-4f28-A968-87A876CE9C62}\stubpath = "C:\\Windows\\{2D99108F-7339-4f28-A968-87A876CE9C62}.exe"	63fd02fdf10254b3f8cf4048fe202220N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6429D08D-33A3-4cb3-B22C-3EE4F7287301}	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D99108F-7339-4f28-A968-87A876CE9C62}	63fd02fdf10254b3f8cf4048fe202220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358B9E13-CD5B-41d9-AE8C-57F52556D800}\stubpath = "C:\\Windows\\{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe"	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}	{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe
1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe
1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe
2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe
2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe
2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe
2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe
2980	{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe
2928	{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe
File created	C:\Windows\{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe
File created	C:\Windows\{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	63fd02fdf10254b3f8cf4048fe202220N.exe
File created	C:\Windows\{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe
File created	C:\Windows\{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe
File created	C:\Windows\{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}.exe	{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe
File created	C:\Windows\{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe
File created	C:\Windows\{08B52EA7-3086-4a69-B727-EE924010208A}.exe	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe
File created	C:\Windows\{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	{08B52EA7-3086-4a69-B727-EE924010208A}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08B52EA7-3086-4a69-B727-EE924010208A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63fd02fdf10254b3f8cf4048fe202220N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2516	63fd02fdf10254b3f8cf4048fe202220N.exe
Token: SeIncBasePriorityPrivilege	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe
Token: SeIncBasePriorityPrivilege	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe
Token: SeIncBasePriorityPrivilege	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe
Token: SeIncBasePriorityPrivilege	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe
Token: SeIncBasePriorityPrivilege	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe
Token: SeIncBasePriorityPrivilege	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe
Token: SeIncBasePriorityPrivilege	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe
Token: SeIncBasePriorityPrivilege	2980	{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2168	2516	63fd02fdf10254b3f8cf4048fe202220N.exe	29
PID 2516 wrote to memory of 2168	2516	63fd02fdf10254b3f8cf4048fe202220N.exe	29
PID 2516 wrote to memory of 2168	2516	63fd02fdf10254b3f8cf4048fe202220N.exe	29
PID 2516 wrote to memory of 2168	2516	63fd02fdf10254b3f8cf4048fe202220N.exe	29
PID 2516 wrote to memory of 3056	2516	63fd02fdf10254b3f8cf4048fe202220N.exe	30
PID 2516 wrote to memory of 3056	2516	63fd02fdf10254b3f8cf4048fe202220N.exe	30
PID 2516 wrote to memory of 3056	2516	63fd02fdf10254b3f8cf4048fe202220N.exe	30
PID 2516 wrote to memory of 3056	2516	63fd02fdf10254b3f8cf4048fe202220N.exe	30
PID 2168 wrote to memory of 1576	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	31
PID 2168 wrote to memory of 1576	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	31
PID 2168 wrote to memory of 1576	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	31
PID 2168 wrote to memory of 1576	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	31
PID 2168 wrote to memory of 2292	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	32
PID 2168 wrote to memory of 2292	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	32
PID 2168 wrote to memory of 2292	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	32
PID 2168 wrote to memory of 2292	2168	{2D99108F-7339-4f28-A968-87A876CE9C62}.exe	32
PID 1576 wrote to memory of 1996	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	33
PID 1576 wrote to memory of 1996	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	33
PID 1576 wrote to memory of 1996	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	33
PID 1576 wrote to memory of 1996	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	33
PID 1576 wrote to memory of 2204	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	34
PID 1576 wrote to memory of 2204	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	34
PID 1576 wrote to memory of 2204	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	34
PID 1576 wrote to memory of 2204	1576	{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe	34
PID 1996 wrote to memory of 2836	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	35
PID 1996 wrote to memory of 2836	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	35
PID 1996 wrote to memory of 2836	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	35
PID 1996 wrote to memory of 2836	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	35
PID 1996 wrote to memory of 2816	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	36
PID 1996 wrote to memory of 2816	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	36
PID 1996 wrote to memory of 2816	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	36
PID 1996 wrote to memory of 2816	1996	{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe	36
PID 2836 wrote to memory of 2668	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	37
PID 2836 wrote to memory of 2668	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	37
PID 2836 wrote to memory of 2668	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	37
PID 2836 wrote to memory of 2668	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	37
PID 2836 wrote to memory of 1820	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	38
PID 2836 wrote to memory of 1820	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	38
PID 2836 wrote to memory of 1820	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	38
PID 2836 wrote to memory of 1820	2836	{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe	38
PID 2668 wrote to memory of 2956	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe	39
PID 2668 wrote to memory of 2956	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe	39
PID 2668 wrote to memory of 2956	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe	39
PID 2668 wrote to memory of 2956	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe	39
PID 2668 wrote to memory of 3016	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe	40
PID 2668 wrote to memory of 3016	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe	40
PID 2668 wrote to memory of 3016	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe	40
PID 2668 wrote to memory of 3016	2668	{08B52EA7-3086-4a69-B727-EE924010208A}.exe	40
PID 2956 wrote to memory of 2664	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	41
PID 2956 wrote to memory of 2664	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	41
PID 2956 wrote to memory of 2664	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	41
PID 2956 wrote to memory of 2664	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	41
PID 2956 wrote to memory of 532	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	42
PID 2956 wrote to memory of 532	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	42
PID 2956 wrote to memory of 532	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	42
PID 2956 wrote to memory of 532	2956	{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe	42
PID 2664 wrote to memory of 2980	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	43
PID 2664 wrote to memory of 2980	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	43
PID 2664 wrote to memory of 2980	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	43
PID 2664 wrote to memory of 2980	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	43
PID 2664 wrote to memory of 776	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	44
PID 2664 wrote to memory of 776	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	44
PID 2664 wrote to memory of 776	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	44
PID 2664 wrote to memory of 776	2664	{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe	44

C:\Users\Admin\AppData\Local\Temp\63fd02fdf10254b3f8cf4048fe202220N.exe
"C:\Users\Admin\AppData\Local\Temp\63fd02fdf10254b3f8cf4048fe202220N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\{2D99108F-7339-4f28-A968-87A876CE9C62}.exe
  C:\Windows\{2D99108F-7339-4f28-A968-87A876CE9C62}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe
    C:\Windows\{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe
      C:\Windows\{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe
        
        C:\Windows\{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\{08B52EA7-3086-4a69-B727-EE924010208A}.exe
        
        C:\Windows\{08B52EA7-3086-4a69-B727-EE924010208A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe
        
        C:\Windows\{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe
        
        C:\Windows\{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe
        
        C:\Windows\{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}.exe
        
        C:\Windows\{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{358B9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BDD5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7BED~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08B52~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6429D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B47D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DAB42~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D991~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\63FD02~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08B52EA7-3086-4a69-B727-EE924010208A}.exe

Filesize
60KB

MD5
598e5235599d0d2cf79d0b3373c1cb74

SHA1
d02663a544a9235d93aeca070246f534477e547d

SHA256
d6289486e5a7c47e4e040e30068308a878e1fd937c8305a110b8796912def9bf

SHA512
0a5c42c0c440f3131d908df0d73ff01f925eeb5b00b83aac483d7bc974f1687b7615da874f8aad1642493796720b6bd02a7985eb3f0655892d9952d8c96905f4

Download Submit
C:\Windows\{0BDD5150-74EC-41f2-B4E4-9B69B7DE4E65}.exe

Filesize
60KB

MD5
c5f6ab607c3e81245a8c64a355df01f1

SHA1
8a4eff566257c4f6d9e1f2d38363cc706450d0f4

SHA256
208155d221272a930b6378ebb6494dd18b196814566b44fc5d478c1d1cb4cb13

SHA512
a77db52933eac6578cef49fc3a4b59bc1e6f211aa8a5508471c0c383d077582776d9c0d1b7a3dc45ffb84f328210b6f4ddec1668c44af0be895db1a6caba019a

Download Submit
C:\Windows\{20FE2CE7-E1E7-48e0-AF1C-12E28527577C}.exe

Filesize
60KB

MD5
c0e9f8f7a18992dc37385e30b905b1f0

SHA1
675f2972a432c3064b27776ea1ebc25f6c190d04

SHA256
5e089fa956038961a68f825a27fcdaf9c5f2715ce9a186a31e1b44074ca5c903

SHA512
9eadb9636d495c52cf4736c574c6244ab5919067e2ea6e9f49bff35b524a33255a4a1fdae93045ca652f8b579f7aeb23043b5f331cb69f3aec4272cc782d12c2

Download Submit
C:\Windows\{2D99108F-7339-4f28-A968-87A876CE9C62}.exe

Filesize
60KB

MD5
dc1fe902631d62b7d5fd0816d222097f

SHA1
0732ecf3843aabcd90a9818b8d1b442453f7d2bf

SHA256
9ba2b65dc5e3204ccac94b0013dd5c1668014b7b9c257a6a9acf00073d6d4f5b

SHA512
e3465eff68ad7b746e7341e07e16c779cac984345b16e43a5fbce63ec4f6fe39faff59b77b1857b3b08ba54dfb0c560ef0c5899e77b22d49ecd850d760d9d8a1

Download Submit
C:\Windows\{358B9E13-CD5B-41d9-AE8C-57F52556D800}.exe

Filesize
60KB

MD5
2439f8fe9e517258289316fd0b972249

SHA1
2b5137c4caf056c3bc312d1745ce0919aefb655d

SHA256
60e075c907f4293cb48bcc4c35ab944b4691f4aa7cc5df278594f61f3c097c43

SHA512
7482db860b28177f959f24845c437ca01a0d48f8ad8924d13d27b2f421f2fa5fd65133594a237d158c63c02b5c1ecbd2885589a45858afb6b6b87263295da9b2

Download Submit
C:\Windows\{5B47D052-C9AD-4829-B6CD-6CEDEEDE6647}.exe

Filesize
60KB

MD5
2c8df8a62a68720be7c870612d7165cf

SHA1
8607caf9173659af26a14418b9b31c1963facd7c

SHA256
db3ab925d5b9271fc905ea953f5a789c5114685b8c62fcd8846e4a1064447e14

SHA512
76d7c80fec7cfce4e7a3cc149b461cb12fefb1c51f6d991e2c1f976e35dc1683c76c8bf092b941f7ea59acbfabb48f7ac1ecd152714cb953bd95b2397ec1fd42

Download Submit
C:\Windows\{6429D08D-33A3-4cb3-B22C-3EE4F7287301}.exe

Filesize
60KB

MD5
fd05ef340f39a286a788307f10b7ea0c

SHA1
f745ae4fc524719fd0c422703c40905a96cb0530

SHA256
7ce8fdebb38f93db725c70ce7b042673884a9f439562bf4cc872c5ba8fe116a0

SHA512
4983bf4b633f548705178568e3cab7b03c699d5cd4b65fb13b591274011cb4874bcf32d2e00ff66d27dfb039186c65676340dee7d7585f18d646a4e3474764d0

Download Submit
C:\Windows\{B7BEDA96-F7F4-427c-A0C8-AFFE97D09C0A}.exe

Filesize
60KB

MD5
c292a0ebe8600de6ba6452122513771c

SHA1
6353fcaa48c1dd4865d15e6e50cc2ea60e9425ab

SHA256
03f00e0171a061c461dcba2559979b4d193f8cf50b7db898d0a7c1f01251aafd

SHA512
5fc1d3d608a485cd57fb364c5122be84b63a37f2ec8e1a21123ca2e204c0b136a5e15135d6ec69f9191a48bf5d6063a430cc725dc6b13dc0e7f67a1d79af3759

Download Submit
C:\Windows\{DAB42D6E-EE31-4735-A4ED-EEDD32F64921}.exe

Filesize
60KB

MD5
014f72a11f142c5283194ac1b927aaf6

SHA1
29c4fa176d34e8986977c7ec3aa6426d485b575b

SHA256
cce04c68d2ff5b8b721078ac935abca01f0e2ccedae2fe57e7eb133ceb67c62f

SHA512
2588f4060e1810c0ee51492b7fa4d697e42f0beaa3e9c3886f14ca33a5b85470251b3a380eb379a5150d7dc75b37fdc989867fd37a035697a930c45857a94d4b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads