7e80f4c3de232199039b43990c9b4e67ba45017eabea3d799d000a1a624e5208

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 07:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63fd02fdf10254b3f8cf4048fe202220N.exe
Size

60KB
MD5

63fd02fdf10254b3f8cf4048fe202220
SHA1

6f84b4e82557b9ae089b679cb8a8302dbaaae84f
SHA256

7e80f4c3de232199039b43990c9b4e67ba45017eabea3d799d000a1a624e5208
SHA512

c9a5d7aa6d13b04fcbe8b76729d01c0c4b35632afd5232bcfdb56176a8dc03c51940af1d14182b3a1fe42520be3900703dd5e03eff057e06e5bd01ef966309d6
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqw8Y04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroK4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F3842E-C007-4545-964F-1704306F8F34}	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}	{C4F3842E-C007-4545-964F-1704306F8F34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14D49C6D-ACB7-41de-AE08-7BF389679264}	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14D49C6D-ACB7-41de-AE08-7BF389679264}\stubpath = "C:\\Windows\\{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe"	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF12EF98-E628-4efc-9991-6F07989600CD}\stubpath = "C:\\Windows\\{FF12EF98-E628-4efc-9991-6F07989600CD}.exe"	63fd02fdf10254b3f8cf4048fe202220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F3842E-C007-4545-964F-1704306F8F34}\stubpath = "C:\\Windows\\{C4F3842E-C007-4545-964F-1704306F8F34}.exe"	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}\stubpath = "C:\\Windows\\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe"	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF12EF98-E628-4efc-9991-6F07989600CD}	63fd02fdf10254b3f8cf4048fe202220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}\stubpath = "C:\\Windows\\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe"	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}\stubpath = "C:\\Windows\\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe"	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}\stubpath = "C:\\Windows\\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe"	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}\stubpath = "C:\\Windows\\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe"	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}\stubpath = "C:\\Windows\\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe"	{C4F3842E-C007-4545-964F-1704306F8F34}.exe

Executes dropped EXE 9 IoCs

pid	Process
4400	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
4212	{C4F3842E-C007-4545-964F-1704306F8F34}.exe
1016	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
3584	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
1476	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
740	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
4836	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
2836	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe
764	{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FF12EF98-E628-4efc-9991-6F07989600CD}.exe	63fd02fdf10254b3f8cf4048fe202220N.exe
File created	C:\Windows\{C4F3842E-C007-4545-964F-1704306F8F34}.exe	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
File created	C:\Windows\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe	{C4F3842E-C007-4545-964F-1704306F8F34}.exe
File created	C:\Windows\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
File created	C:\Windows\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
File created	C:\Windows\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
File created	C:\Windows\{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
File created	C:\Windows\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
File created	C:\Windows\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63fd02fdf10254b3f8cf4048fe202220N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4F3842E-C007-4545-964F-1704306F8F34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1528	63fd02fdf10254b3f8cf4048fe202220N.exe
Token: SeIncBasePriorityPrivilege	4400	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
Token: SeIncBasePriorityPrivilege	4212	{C4F3842E-C007-4545-964F-1704306F8F34}.exe
Token: SeIncBasePriorityPrivilege	1016	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
Token: SeIncBasePriorityPrivilege	3584	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
Token: SeIncBasePriorityPrivilege	1476	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
Token: SeIncBasePriorityPrivilege	740	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
Token: SeIncBasePriorityPrivilege	4836	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
Token: SeIncBasePriorityPrivilege	2836	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4400	1528	63fd02fdf10254b3f8cf4048fe202220N.exe	86
PID 1528 wrote to memory of 4400	1528	63fd02fdf10254b3f8cf4048fe202220N.exe	86
PID 1528 wrote to memory of 4400	1528	63fd02fdf10254b3f8cf4048fe202220N.exe	86
PID 1528 wrote to memory of 2000	1528	63fd02fdf10254b3f8cf4048fe202220N.exe	87
PID 1528 wrote to memory of 2000	1528	63fd02fdf10254b3f8cf4048fe202220N.exe	87
PID 1528 wrote to memory of 2000	1528	63fd02fdf10254b3f8cf4048fe202220N.exe	87
PID 4400 wrote to memory of 4212	4400	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe	88
PID 4400 wrote to memory of 4212	4400	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe	88
PID 4400 wrote to memory of 4212	4400	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe	88
PID 4400 wrote to memory of 4952	4400	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe	89
PID 4400 wrote to memory of 4952	4400	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe	89
PID 4400 wrote to memory of 4952	4400	{FF12EF98-E628-4efc-9991-6F07989600CD}.exe	89
PID 4212 wrote to memory of 1016	4212	{C4F3842E-C007-4545-964F-1704306F8F34}.exe	93
PID 4212 wrote to memory of 1016	4212	{C4F3842E-C007-4545-964F-1704306F8F34}.exe	93
PID 4212 wrote to memory of 1016	4212	{C4F3842E-C007-4545-964F-1704306F8F34}.exe	93
PID 4212 wrote to memory of 3640	4212	{C4F3842E-C007-4545-964F-1704306F8F34}.exe	94
PID 4212 wrote to memory of 3640	4212	{C4F3842E-C007-4545-964F-1704306F8F34}.exe	94
PID 4212 wrote to memory of 3640	4212	{C4F3842E-C007-4545-964F-1704306F8F34}.exe	94
PID 1016 wrote to memory of 3584	1016	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe	95
PID 1016 wrote to memory of 3584	1016	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe	95
PID 1016 wrote to memory of 3584	1016	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe	95
PID 1016 wrote to memory of 540	1016	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe	96
PID 1016 wrote to memory of 540	1016	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe	96
PID 1016 wrote to memory of 540	1016	{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe	96
PID 3584 wrote to memory of 1476	3584	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe	97
PID 3584 wrote to memory of 1476	3584	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe	97
PID 3584 wrote to memory of 1476	3584	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe	97
PID 3584 wrote to memory of 3784	3584	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe	98
PID 3584 wrote to memory of 3784	3584	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe	98
PID 3584 wrote to memory of 3784	3584	{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe	98
PID 1476 wrote to memory of 740	1476	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe	99
PID 1476 wrote to memory of 740	1476	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe	99
PID 1476 wrote to memory of 740	1476	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe	99
PID 1476 wrote to memory of 3356	1476	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe	100
PID 1476 wrote to memory of 3356	1476	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe	100
PID 1476 wrote to memory of 3356	1476	{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe	100
PID 740 wrote to memory of 4836	740	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe	101
PID 740 wrote to memory of 4836	740	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe	101
PID 740 wrote to memory of 4836	740	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe	101
PID 740 wrote to memory of 3244	740	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe	102
PID 740 wrote to memory of 3244	740	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe	102
PID 740 wrote to memory of 3244	740	{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe	102
PID 4836 wrote to memory of 2836	4836	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe	103
PID 4836 wrote to memory of 2836	4836	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe	103
PID 4836 wrote to memory of 2836	4836	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe	103
PID 4836 wrote to memory of 2992	4836	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe	104
PID 4836 wrote to memory of 2992	4836	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe	104
PID 4836 wrote to memory of 2992	4836	{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe	104
PID 2836 wrote to memory of 764	2836	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe	105
PID 2836 wrote to memory of 764	2836	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe	105
PID 2836 wrote to memory of 764	2836	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe	105
PID 2836 wrote to memory of 1316	2836	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe	106
PID 2836 wrote to memory of 1316	2836	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe	106
PID 2836 wrote to memory of 1316	2836	{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe	106

C:\Users\Admin\AppData\Local\Temp\63fd02fdf10254b3f8cf4048fe202220N.exe
"C:\Users\Admin\AppData\Local\Temp\63fd02fdf10254b3f8cf4048fe202220N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
  C:\Windows\{FF12EF98-E628-4efc-9991-6F07989600CD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\{C4F3842E-C007-4545-964F-1704306F8F34}.exe
    C:\Windows\{C4F3842E-C007-4545-964F-1704306F8F34}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
      C:\Windows\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
        
        C:\Windows\{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
        
        C:\Windows\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
        
        C:\Windows\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
        
        C:\Windows\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe
        
        C:\Windows\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe
        
        C:\Windows\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA2D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F62B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3AEE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A154~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14D49~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3798B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C4F38~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FF12E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\63FD02~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=13A2025C455B6ED02F7C168E44E06F7E; domain=.bing.com; expires=Sat, 30-Aug-2025 07:15:37 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 80F41ED0F66C4D38AC5D2DE47D57F321 Ref B: LON04EDGE0811 Ref C: 2024-08-05T07:15:37Z
date: Mon, 05 Aug 2024 07:15:36 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=13A2025C455B6ED02F7C168E44E06F7E

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=8k3cmTTq_Edz_6sY3jxV5XY66GwEdYUg3wbDshBYC7E; domain=.bing.com; expires=Sat, 30-Aug-2025 07:15:37 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 944433855F324A0AB89FBB5EBA7CA279 Ref B: LON04EDGE0811 Ref C: 2024-08-05T07:15:37Z
date: Mon, 05 Aug 2024 07:15:36 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=13A2025C455B6ED02F7C168E44E06F7E; MSPTC=8k3cmTTq_Edz_6sY3jxV5XY66GwEdYUg3wbDshBYC7E

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C3A253CD362F4E45AAE56739A3428522 Ref B: LON04EDGE0811 Ref C: 2024-08-05T07:15:37Z
date: Mon, 05 Aug 2024 07:15:36 GMT
DNS

68.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.159.190.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

tls, http2

2.0kB
9.3kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=688aaf29e84a4a599e6a7721ef6ee2cf&localId=w:C73FBD69-E259-A995-64BC-A5A688D3CF0D&deviceId=6755468654711223&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

68.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

68.159.190.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14D49C6D-ACB7-41de-AE08-7BF389679264}.exe

Filesize
60KB

MD5
a2feacc942a5dea3b311153f2554abe6

SHA1
6b38c86009851a8f2b249a356907214204443645

SHA256
ef54f384644938927d494e0473587df25e906aad8356f53b94a1a9a9fe32a99f

SHA512
67b9f871beb756803925369bd04078e9989a0665ae556e053c18ef77864f82d1c9e08b9db1cb5179fb9b6027029c38d4de1a6cd16d73dab83aeb8775c9c2b3fd

Download Submit
C:\Windows\{1A154B48-5EDE-4767-BF0E-D5D46E1B266C}.exe

Filesize
60KB

MD5
4f938fa42bfbcd194ef5fb52c0e2a5e9

SHA1
be2cc58781032aad9e12e45625697e636324b349

SHA256
85277c1f6dae4050439147e1f2ba610579445006fd069f5ff4ddfc2099fb17c7

SHA512
42d303ce3da4dbee9449aa2af775c70cacaaddd409bb5ddece1cfa2b082f5ec1467e5efc295e0766e68839d977fcc89a0ada50dffdcc930b4bf04b513621b562

Download Submit
C:\Windows\{1EA2D21B-8257-4c44-BE40-B99B133B1F4B}.exe

Filesize
60KB

MD5
9f49697262fc012bbf9f0feb97b8f9a7

SHA1
a006cffbff1fc0f372f8e87a4e5288dc144ab151

SHA256
c08e8c79f1ec61e953bbcd94367a65ff8e86016958427ea0693366b34cc8d249

SHA512
a5fca47bc61914f52b3abcb69cc683c5dadc40fe4166b99295108df6a8b08891b777426eed810284d68e5717cab4731a738b4e4706c43b049cafc86fe17ebbf5

Download Submit
C:\Windows\{1F62BEDC-5EC2-4627-B48F-EBE3EFC7CBDF}.exe

Filesize
60KB

MD5
2c624bdca137ab28036876df923bdb1b

SHA1
bf1687e151770c4ed3edefda0174ebeb294114a2

SHA256
91d9c54f4f3ac1c802535502a15a32ea33564b8fb1e75607e3f5cbf59b8aac22

SHA512
0b1f36dc38461ea239d377b8c8b690316959c41dce9fed4d27b3b13c57d118b2fb13d5a7817ccb06a49bfe47d5bcde8e5c799425941122a0119cd5c633ff6acc

Download Submit
C:\Windows\{3798BF84-84D5-4c1a-A41B-2546DF0416A1}.exe

Filesize
60KB

MD5
757a8f269d8bd044d461eee3bc76b286

SHA1
79b1f94274137a1c24e118f6ca5b889ecdc9714b

SHA256
7f9b1ce569c85b1ada7fc4e1f1aa20198cee62ffefe18537eaf58d35151fb3e7

SHA512
9c2c9836bcdfc0afcd4a854636f86d4fe88bf92ea32c9ad3f3639c8130f3349f8b741a791ab34c4cb45ec331da7236e6fa3904ef6da1e19fdebc0c8e1c75cc9c

Download Submit
C:\Windows\{524D7F45-47B7-4b2b-B0BD-D779BA5D238B}.exe

Filesize
60KB

MD5
02fca4528a0848900d550b45d975a725

SHA1
31c27ce91b54b9446e3cd9af6fa2f01e24ad5d22

SHA256
8a87ac4bf20e38c81f452742041d051ae022516205f82b9fc2d7014b89054d88

SHA512
919afac1a5fce81096641f1bc32abd5ed59e19e39146be15f5048f33e8cb5185a799c610183449ce726719bd3050e81edb0bef70779b7962be23613e2b6f8118

Download Submit
C:\Windows\{C4F3842E-C007-4545-964F-1704306F8F34}.exe

Filesize
60KB

MD5
58267e3956e7803f753402e6483a330e

SHA1
7ebcb7e2bc298c2d37401b70e9ee50195b82c63b

SHA256
92633a6cbbb030befaa578329c63d9570397d4dddd8fe9e9ead1b2f0e570f29f

SHA512
7c2b8cf54784cb2c2513e017aeb33cf421135122fc8cb58eb39a0c9ac52d14640fa617dd01a9241bb887b665a50d2dffbbbbdba4fd5f0c22e094974fce532cb4

Download Submit
C:\Windows\{E3AEE6E0-E361-45da-A18D-93C22FFF9574}.exe

Filesize
60KB

MD5
04318a7381e0af8ad3a6dc2135688c7a

SHA1
a5afbea4f72dcf0464169fd4557c8852d7c73293

SHA256
bf0abe9ae2f67583d38e1b944eba001788c249be4857949f5eca2e3b52f4f3c7

SHA512
139187dfee8dde12037d71d51f47461ae523a60acc48af1db1624808606600c672133f4778099c25a78ecf69c896ba000355cb1ba7b179a1a8436f5b625d3ec6

Download Submit
C:\Windows\{FF12EF98-E628-4efc-9991-6F07989600CD}.exe

Filesize
60KB

MD5
5f053fe0ee03f72f76195666ca5ef7fb

SHA1
7d93a3841c7b771020ed7e8f3fc7c49220343197

SHA256
d49efed93f9d34ba389d1145b1821d7268349c874ea4ec57f74b08f68f18e7d9

SHA512
c5434b468d700aa6fd77e35178025aacbe8bac57c202b93d0708b503918c51ae778f0d30792305a2ff834e7571a47d535c324aeab4647c80af0d53f30c98345d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.