185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Size

60KB
MD5

7ae9dc3fdf7f2d09a7a475d049b16b6b
SHA1

081a1f616d62048116d58e0648b490351a37e857
SHA256

185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8
SHA512

950fca39bad00c6df6af6a358d434e3abbb66281674f4f94f05ef434d6d8e6ab6f20c221a5b505f266005fe7e406b4040d6af2df65714dd593db466c44e23135
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroP4/CFsrdHWMZ:vvw9816vhKQLroP4/wQpWMZ

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4123223B-2214-4245-ABC7-DD84421DF410}\stubpath = "C:\\Windows\\{4123223B-2214-4245-ABC7-DD84421DF410}.exe"	{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99A25472-1F1B-453d-B480-1E28E8BBCCCA}	{4123223B-2214-4245-ABC7-DD84421DF410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}\stubpath = "C:\\Windows\\{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe"	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071A9DEE-A89F-4a37-93CD-6B3AE704300D}\stubpath = "C:\\Windows\\{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe"	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}\stubpath = "C:\\Windows\\{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe"	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4043114E-5800-4c3e-B85A-93F92070F60A}	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A19FE6F9-32A7-44b9-AD98-341625BE05EA}\stubpath = "C:\\Windows\\{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe"	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5C76268-7AB2-4978-B506-9E7C62A35F96}	{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4043114E-5800-4c3e-B85A-93F92070F60A}\stubpath = "C:\\Windows\\{4043114E-5800-4c3e-B85A-93F92070F60A}.exe"	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}\stubpath = "C:\\Windows\\{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe"	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99A25472-1F1B-453d-B480-1E28E8BBCCCA}\stubpath = "C:\\Windows\\{99A25472-1F1B-453d-B480-1E28E8BBCCCA}.exe"	{4123223B-2214-4245-ABC7-DD84421DF410}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4123223B-2214-4245-ABC7-DD84421DF410}	{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071A9DEE-A89F-4a37-93CD-6B3AE704300D}	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}\stubpath = "C:\\Windows\\{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe"	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}\stubpath = "C:\\Windows\\{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe"	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A19FE6F9-32A7-44b9-AD98-341625BE05EA}	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5C76268-7AB2-4978-B506-9E7C62A35F96}\stubpath = "C:\\Windows\\{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe"	{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe
2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe
3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe
2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe
1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe
1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe
1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe
2944	{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe
3060	{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe
2712	{4123223B-2214-4245-ABC7-DD84421DF410}.exe
2308	{99A25472-1F1B-453d-B480-1E28E8BBCCCA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe
File created	C:\Windows\{4123223B-2214-4245-ABC7-DD84421DF410}.exe	{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe
File created	C:\Windows\{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
File created	C:\Windows\{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe
File created	C:\Windows\{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe
File created	C:\Windows\{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe
File created	C:\Windows\{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe	{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe
File created	C:\Windows\{99A25472-1F1B-453d-B480-1E28E8BBCCCA}.exe	{4123223B-2214-4245-ABC7-DD84421DF410}.exe
File created	C:\Windows\{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe
File created	C:\Windows\{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe
File created	C:\Windows\{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4123223B-2214-4245-ABC7-DD84421DF410}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99A25472-1F1B-453d-B480-1E28E8BBCCCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Token: SeIncBasePriorityPrivilege	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe
Token: SeIncBasePriorityPrivilege	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe
Token: SeIncBasePriorityPrivilege	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe
Token: SeIncBasePriorityPrivilege	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe
Token: SeIncBasePriorityPrivilege	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe
Token: SeIncBasePriorityPrivilege	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe
Token: SeIncBasePriorityPrivilege	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe
Token: SeIncBasePriorityPrivilege	2944	{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe
Token: SeIncBasePriorityPrivilege	3060	{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe
Token: SeIncBasePriorityPrivilege	2712	{4123223B-2214-4245-ABC7-DD84421DF410}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2212	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	31
PID 1976 wrote to memory of 2212	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	31
PID 1976 wrote to memory of 2212	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	31
PID 1976 wrote to memory of 2212	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	31
PID 1976 wrote to memory of 2988	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	32
PID 1976 wrote to memory of 2988	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	32
PID 1976 wrote to memory of 2988	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	32
PID 1976 wrote to memory of 2988	1976	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	32
PID 2212 wrote to memory of 2820	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	33
PID 2212 wrote to memory of 2820	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	33
PID 2212 wrote to memory of 2820	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	33
PID 2212 wrote to memory of 2820	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	33
PID 2212 wrote to memory of 2892	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	34
PID 2212 wrote to memory of 2892	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	34
PID 2212 wrote to memory of 2892	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	34
PID 2212 wrote to memory of 2892	2212	{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe	34
PID 2820 wrote to memory of 3000	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	35
PID 2820 wrote to memory of 3000	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	35
PID 2820 wrote to memory of 3000	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	35
PID 2820 wrote to memory of 3000	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	35
PID 2820 wrote to memory of 2456	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	36
PID 2820 wrote to memory of 2456	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	36
PID 2820 wrote to memory of 2456	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	36
PID 2820 wrote to memory of 2456	2820	{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe	36
PID 3000 wrote to memory of 2788	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	37
PID 3000 wrote to memory of 2788	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	37
PID 3000 wrote to memory of 2788	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	37
PID 3000 wrote to memory of 2788	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	37
PID 3000 wrote to memory of 1192	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	38
PID 3000 wrote to memory of 1192	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	38
PID 3000 wrote to memory of 1192	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	38
PID 3000 wrote to memory of 1192	3000	{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe	38
PID 2788 wrote to memory of 1972	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	39
PID 2788 wrote to memory of 1972	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	39
PID 2788 wrote to memory of 1972	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	39
PID 2788 wrote to memory of 1972	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	39
PID 2788 wrote to memory of 2172	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	40
PID 2788 wrote to memory of 2172	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	40
PID 2788 wrote to memory of 2172	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	40
PID 2788 wrote to memory of 2172	2788	{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe	40
PID 1972 wrote to memory of 1056	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	41
PID 1972 wrote to memory of 1056	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	41
PID 1972 wrote to memory of 1056	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	41
PID 1972 wrote to memory of 1056	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	41
PID 1972 wrote to memory of 2932	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	42
PID 1972 wrote to memory of 2932	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	42
PID 1972 wrote to memory of 2932	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	42
PID 1972 wrote to memory of 2932	1972	{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe	42
PID 1056 wrote to memory of 1752	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	43
PID 1056 wrote to memory of 1752	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	43
PID 1056 wrote to memory of 1752	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	43
PID 1056 wrote to memory of 1752	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	43
PID 1056 wrote to memory of 1696	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	44
PID 1056 wrote to memory of 1696	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	44
PID 1056 wrote to memory of 1696	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	44
PID 1056 wrote to memory of 1696	1056	{4043114E-5800-4c3e-B85A-93F92070F60A}.exe	44
PID 1752 wrote to memory of 2944	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	45
PID 1752 wrote to memory of 2944	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	45
PID 1752 wrote to memory of 2944	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	45
PID 1752 wrote to memory of 2944	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	45
PID 1752 wrote to memory of 2008	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	46
PID 1752 wrote to memory of 2008	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	46
PID 1752 wrote to memory of 2008	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	46
PID 1752 wrote to memory of 2008	1752	{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe	46

C:\Users\Admin\AppData\Local\Temp\185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
"C:\Users\Admin\AppData\Local\Temp\185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe
  C:\Windows\{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe
    C:\Windows\{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe
      C:\Windows\{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe
        
        C:\Windows\{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe
        
        C:\Windows\{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{4043114E-5800-4c3e-B85A-93F92070F60A}.exe
        
        C:\Windows\{4043114E-5800-4c3e-B85A-93F92070F60A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe
        
        C:\Windows\{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe
        
        C:\Windows\{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe
        
        C:\Windows\{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{4123223B-2214-4245-ABC7-DD84421DF410}.exe
        
        C:\Windows\{4123223B-2214-4245-ABC7-DD84421DF410}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{99A25472-1F1B-453d-B480-1E28E8BBCCCA}.exe
        
        C:\Windows\{99A25472-1F1B-453d-B480-1E28E8BBCCCA}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41232~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5C76~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA3C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A19FE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40431~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91E27~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1BA6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{417DE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{071A9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9F41~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\185C56~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{071A9DEE-A89F-4a37-93CD-6B3AE704300D}.exe

Filesize
60KB

MD5
28f333625956af93bf198eb16fb8bdde

SHA1
a54e5fee6245d3f1aa1fbf679f8ce2db5658d04a

SHA256
a91376cbb6277a747944276961387060c651208f7961df93d5064ce7bc532e1d

SHA512
1a6e9eda412ea99e50bd63f51baa0309fd5ea21e700d669dae9be19e8331de093d858a9955c99821e939ebb369107654a1e42950137cfb02bcd02ccae5c78bf5

Download Submit
C:\Windows\{4043114E-5800-4c3e-B85A-93F92070F60A}.exe

Filesize
60KB

MD5
d5d05fb406aa9ed2a187647e5c235667

SHA1
737d1c3b198cc72abd84cc5f53e23655fef3f03e

SHA256
210b07798ba688639724e19816fb6e23c52da1ac5c504bcac486b90542b9bfcf

SHA512
cdcbd210c2675959fbd2998f37b07ec219fac7cbd8989e2508bba872ed320efd8c721ae25035b47b0ba2735c75f5cbde8923ab044320ffc66868156f7b35f02f

Download Submit
C:\Windows\{4123223B-2214-4245-ABC7-DD84421DF410}.exe

Filesize
60KB

MD5
63c2254b1576b9434fef960e4b1ea218

SHA1
8f50a4c72cb7f82fdc452cdce034d867844d3c4d

SHA256
41d282255acd7e32604fd27a70b883f945c83f43316ee0bdbebb623d92210431

SHA512
71c0a18216306658ad08f26e015778317b78e39a4e141a10a88762070461ec6549c305c3fb544f6eea7fe6a9fec3492e4f09cf23cc956c9dc9e56202bcff240e

Download Submit
C:\Windows\{417DE20F-F0EC-4a11-A3BB-B9DF9CDD44A8}.exe

Filesize
60KB

MD5
18a008eac2fad3bb8eb67ee4ea13ebd9

SHA1
d5daa8e2d8d7a447b9df4b18d5d183216ed98d71

SHA256
97ed7f88d172f84856d9e96b56caabbf681bce53a99a4e8ab9f8cf3b41f1d3a1

SHA512
ed4b5e37f43db5c5a09f389d5106d0895aad0db16920b32ac5215a1c0e286110c7df9b90aa132678f9d900c60b62ffe7ca534204e64c603ca03b4d17ec2c9044

Download Submit
C:\Windows\{5DA3CE8E-BACF-461e-A7F6-DEE423CC8ED5}.exe

Filesize
60KB

MD5
441d9e36897b6cc35a864ef5ea46cc6c

SHA1
ddf587a818964a807927391423f8e6ba3c26f323

SHA256
c4659d61c219377f682476ab127287c67fd7f1debb02f8ed71d8214267fef7e4

SHA512
323840ea5b7a891c0813743d9f72c41b3895bb7899accedb680ca73718a31c23998c97637200bd6671ddcbfdd360058b7f640747fed48ebaa980cc925bf803c3

Download Submit
C:\Windows\{91E27F6F-944F-490a-ADA7-7A4338CF7A4D}.exe

Filesize
60KB

MD5
1ef707c16534501f96ca46d9ed87f80a

SHA1
5466a0cb2b1e95451acc5e4de85782497e77f9cb

SHA256
adfdcee2e8b718ffdaac726965e234d9b8ffb81f017bff693baab7b3af07b69d

SHA512
3e647939eea50e8236df2b80de794184e79e82d7b020527a0d57cc5ce638d2d420d1fe9782aff3c2d07828de7b3bfd56699a5fa3bce1050574d6f7cee70f9f20

Download Submit
C:\Windows\{99A25472-1F1B-453d-B480-1E28E8BBCCCA}.exe

Filesize
60KB

MD5
f09ee7fe5a98c4e31efb080b931329c2

SHA1
75a8a00db23f1df24008911affe0ef1b6844db9a

SHA256
7f4fddc0c89f27ee62a800cd0135d495b977d600a0cab2b16271042b1415cb72

SHA512
9056f202cd2173b36097f36b962d35e29d83eba94d0391fa3e6c73955677e2dd498f57211fc3741b4e0290580717f025e08520035477c10bf31f501923b82d77

Download Submit
C:\Windows\{A19FE6F9-32A7-44b9-AD98-341625BE05EA}.exe

Filesize
60KB

MD5
c8c30820b5ad62f3673150d5fd122d4e

SHA1
f6de20fce7db68a6a14673f39a306b412eed448b

SHA256
d194fc9da156ed4ba9b54ad819b1c0dcb77ee7b7c4ca5611feee98861d95c337

SHA512
f6ddb19936bcca403832365b5ca6c25b1dd8e735a077b01b1c2d6ec51bd41f7c5908c4fb4244da520aac0e287a472ff47a18661d8b29d5df74c073974c16c1e2

Download Submit
C:\Windows\{B5C76268-7AB2-4978-B506-9E7C62A35F96}.exe

Filesize
60KB

MD5
a42b9361584ab2ab075a9cc165ec14ff

SHA1
32b2b2974cf9b4bea4cc6d7a4d60ff1f41babe1f

SHA256
50d0c79e2c1456e2b33d66e09a1e9aa2eff29a9841cf12b898969853cf38e5c2

SHA512
8cdd1d82dec25f93be6891dd5949c70baed4cb9bf2945421d6545ab5876de49bfe98c0df4840057c980395d42026d547f14fd96ab4699bcd2bcfac9ee6e539d0

Download Submit
C:\Windows\{C1BA684B-E15A-4c07-8CC0-A52A38EEA91C}.exe

Filesize
60KB

MD5
d3f7855d70a3386a8dfe129153ad6e6f

SHA1
a73cfc9de02a187aa159f7586618ba9cbf4c7c90

SHA256
de60719165044eddba63e185db5d46da4fb7c4a62f4889b6b1bbf61ecf43dc9e

SHA512
70e879df6e964e86fd20c23fabea6b451f285d0ab704a6b3e041493ed7c25dccf5ca74102fc32df0a08cd9d9ca8281749bdf883b10d27e195b4c67e3e853abfc

Download Submit
C:\Windows\{D9F4164A-6DA0-4808-A14D-7F096AB5CD14}.exe

Filesize
60KB

MD5
1b968e84eb90464852c4df1d3fae9579

SHA1
5b6b732cb12073ed100597ac8742b85fbfe531fa

SHA256
f4576ca4cc23ff8488e29102dfeb93b1441ba467b4fcbc95c3ad2f6041ba8bf3

SHA512
da2ebe5fc0bd56af65bac14a292770549036e48433db26d22f6e8a8e6c0ebe30a47553ea5226b0c5c96e6221209582b0118bd50165c8847e50e5eddfcd7b62e6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads