60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe
Size

91KB
MD5

ce4676724f204827706ab7318b0ccef8
SHA1

8356cde6c3ab83dd6c0975f91f5aa8392e42a3d2
SHA256

60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588
SHA512

97054354696d079af939cffb21382ffa0097bd15d09e8755e0a44454ab1ca1dd927e7ffb09619f32fc5fd39fd75e152edad39b14eb9ecf8f1f7a6e3c3be8f3a2
SSDEEP

768:5vw9816uhKiro24/wQNNrfrunMxVFA3b7t:lEGkmo2lCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F956EB8-D5B5-4783-8F35-C85840E519DB}\stubpath = "C:\\Windows\\{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe"	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{790B8149-DF50-491a-A1EE-C01A6C0872BE}	{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}\stubpath = "C:\\Windows\\{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe"	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F956EB8-D5B5-4783-8F35-C85840E519DB}	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}\stubpath = "C:\\Windows\\{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe"	{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{840B0FF4-2532-4a73-BE73-2AA0872F136A}\stubpath = "C:\\Windows\\{840B0FF4-2532-4a73-BE73-2AA0872F136A}.exe"	{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}\stubpath = "C:\\Windows\\{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe"	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94156201-4E0A-4559-A4C1-BF07AB783248}\stubpath = "C:\\Windows\\{94156201-4E0A-4559-A4C1-BF07AB783248}.exe"	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ADAEDF3-4C16-455f-8F48-17EE787035C2}	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}	{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}\stubpath = "C:\\Windows\\{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe"	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}\stubpath = "C:\\Windows\\{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe"	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94156201-4E0A-4559-A4C1-BF07AB783248}	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ADAEDF3-4C16-455f-8F48-17EE787035C2}\stubpath = "C:\\Windows\\{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe"	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{790B8149-DF50-491a-A1EE-C01A6C0872BE}\stubpath = "C:\\Windows\\{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe"	{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{840B0FF4-2532-4a73-BE73-2AA0872F136A}	{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}\stubpath = "C:\\Windows\\{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe"	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe
2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe
2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe
2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe
2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe
2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe
2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe
1292	{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe
2112	{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe
2056	{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe
1020	{840B0FF4-2532-4a73-BE73-2AA0872F136A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe
File created	C:\Windows\{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe
File created	C:\Windows\{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe	{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe
File created	C:\Windows\{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe	{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe
File created	C:\Windows\{840B0FF4-2532-4a73-BE73-2AA0872F136A}.exe	{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe
File created	C:\Windows\{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe
File created	C:\Windows\{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe
File created	C:\Windows\{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe
File created	C:\Windows\{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe
File created	C:\Windows\{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe
File created	C:\Windows\{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{840B0FF4-2532-4a73-BE73-2AA0872F136A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe
Token: SeIncBasePriorityPrivilege	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe
Token: SeIncBasePriorityPrivilege	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe
Token: SeIncBasePriorityPrivilege	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe
Token: SeIncBasePriorityPrivilege	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe
Token: SeIncBasePriorityPrivilege	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe
Token: SeIncBasePriorityPrivilege	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe
Token: SeIncBasePriorityPrivilege	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe
Token: SeIncBasePriorityPrivilege	1292	{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe
Token: SeIncBasePriorityPrivilege	2112	{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe
Token: SeIncBasePriorityPrivilege	2056	{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2460	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe	31
PID 3032 wrote to memory of 2460	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe	31
PID 3032 wrote to memory of 2460	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe	31
PID 3032 wrote to memory of 2460	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe	31
PID 3032 wrote to memory of 1740	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe	32
PID 3032 wrote to memory of 1740	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe	32
PID 3032 wrote to memory of 1740	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe	32
PID 3032 wrote to memory of 1740	3032	60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe	32
PID 2460 wrote to memory of 2696	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	33
PID 2460 wrote to memory of 2696	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	33
PID 2460 wrote to memory of 2696	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	33
PID 2460 wrote to memory of 2696	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	33
PID 2460 wrote to memory of 2784	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	34
PID 2460 wrote to memory of 2784	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	34
PID 2460 wrote to memory of 2784	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	34
PID 2460 wrote to memory of 2784	2460	{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe	34
PID 2696 wrote to memory of 2760	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	35
PID 2696 wrote to memory of 2760	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	35
PID 2696 wrote to memory of 2760	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	35
PID 2696 wrote to memory of 2760	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	35
PID 2696 wrote to memory of 2848	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	36
PID 2696 wrote to memory of 2848	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	36
PID 2696 wrote to memory of 2848	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	36
PID 2696 wrote to memory of 2848	2696	{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe	36
PID 2760 wrote to memory of 2720	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	37
PID 2760 wrote to memory of 2720	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	37
PID 2760 wrote to memory of 2720	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	37
PID 2760 wrote to memory of 2720	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	37
PID 2760 wrote to memory of 2556	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	38
PID 2760 wrote to memory of 2556	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	38
PID 2760 wrote to memory of 2556	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	38
PID 2760 wrote to memory of 2556	2760	{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe	38
PID 2720 wrote to memory of 2440	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	39
PID 2720 wrote to memory of 2440	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	39
PID 2720 wrote to memory of 2440	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	39
PID 2720 wrote to memory of 2440	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	39
PID 2720 wrote to memory of 1968	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	40
PID 2720 wrote to memory of 1968	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	40
PID 2720 wrote to memory of 1968	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	40
PID 2720 wrote to memory of 1968	2720	{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe	40
PID 2440 wrote to memory of 2864	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	41
PID 2440 wrote to memory of 2864	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	41
PID 2440 wrote to memory of 2864	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	41
PID 2440 wrote to memory of 2864	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	41
PID 2440 wrote to memory of 1952	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	42
PID 2440 wrote to memory of 1952	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	42
PID 2440 wrote to memory of 1952	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	42
PID 2440 wrote to memory of 1952	2440	{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe	42
PID 2864 wrote to memory of 2884	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	43
PID 2864 wrote to memory of 2884	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	43
PID 2864 wrote to memory of 2884	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	43
PID 2864 wrote to memory of 2884	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	43
PID 2864 wrote to memory of 2860	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	44
PID 2864 wrote to memory of 2860	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	44
PID 2864 wrote to memory of 2860	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	44
PID 2864 wrote to memory of 2860	2864	{94156201-4E0A-4559-A4C1-BF07AB783248}.exe	44
PID 2884 wrote to memory of 1292	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	45
PID 2884 wrote to memory of 1292	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	45
PID 2884 wrote to memory of 1292	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	45
PID 2884 wrote to memory of 1292	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	45
PID 2884 wrote to memory of 992	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	46
PID 2884 wrote to memory of 992	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	46
PID 2884 wrote to memory of 992	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	46
PID 2884 wrote to memory of 992	2884	{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe	46

C:\Users\Admin\AppData\Local\Temp\60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe
"C:\Users\Admin\AppData\Local\Temp\60616971b7b54fdecaa4f0ad03f4637896a47a7f4ef44013a9498a5ebdfdd588.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe
  C:\Windows\{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe
    C:\Windows\{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe
      C:\Windows\{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe
        
        C:\Windows\{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe
        
        C:\Windows\{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{94156201-4E0A-4559-A4C1-BF07AB783248}.exe
        
        C:\Windows\{94156201-4E0A-4559-A4C1-BF07AB783248}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe
        
        C:\Windows\{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe
        
        C:\Windows\{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe
        
        C:\Windows\{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe
        
        C:\Windows\{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\{840B0FF4-2532-4a73-BE73-2AA0872F136A}.exe
        
        C:\Windows\{840B0FF4-2532-4a73-BE73-2AA0872F136A}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{790B8~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65CF2~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ADAE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F956~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94156~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0298C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42D9C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79C3D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DB3B7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD197~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\606169~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0298CC59-7C5F-4ab1-9A20-A5D218EAC046}.exe

Filesize
91KB

MD5
71e921df1eba22d7583db44ec106ba97

SHA1
77d39771bdbc1cc2ebe89bd8bdfa3804b597b70b

SHA256
6ab0c6eae47d744b5da64be398f169af8a75ccbb5c94d613ae3917c483cb3a96

SHA512
4b5feed4aac9472c4320b828eeb586ae5b36b91bc840247f5b86a6f0c7d862d558c338e93c20e5e0d9f6066b263102fb31f34f3593a22df0e2628952953ad64d

Download Submit
C:\Windows\{0F956EB8-D5B5-4783-8F35-C85840E519DB}.exe

Filesize
91KB

MD5
cb6d8dd8927e845561d44e6a23f90020

SHA1
a8f46f7482a547571ba8f98e5443da190694cd81

SHA256
8a918d188ae55c5c091f582d91a5b05c42e5d65da6c62706e21cecdacd26e94d

SHA512
01d9cc52db77de3fa51ec6878ff654e1740fa97c2d8b7cc9a87a33a422a02a27bedbc074e9f6aa95f2d498f861622e05962565e71b530823420851eaac7c0a57

Download Submit
C:\Windows\{2ADAEDF3-4C16-455f-8F48-17EE787035C2}.exe

Filesize
91KB

MD5
d74a078024160edec31b37bacdd1feca

SHA1
f2c1f14604ed67888ebd7ae4a7a18e91274eb4ca

SHA256
974100609ceede34432a5b1cd04f19ed0e4f9fe7a41d83b4b41b9fc58bfb968d

SHA512
4ce94b1469479e90e31cbb9c7d3e99378b2daf4c6964dc1231d08402f8a59e5f20b8c9c6ddff97b8e5f16f5dfde920226893a7854cb77f1f1de7332dc5d4c7e0

Download Submit
C:\Windows\{42D9CBC9-B34C-4d5f-99FF-9067A1A009E2}.exe

Filesize
91KB

MD5
09231c46261cd46138db9f2168436caa

SHA1
8e505fe858d3bd1ab9e0f1c034a96d09573d01ce

SHA256
6c390c359fa74ec599719a08e57ba6586252511f0ed3ced31aaf773cd45bb2c1

SHA512
21aa3c5c972c23d14d232515a75c29a669c57088f228d37eefa1802d2db37436c08143ffc17ba4fe3fdae427f3e9d4fe43b1128e2683ad26a6ff583481f5bc3c

Download Submit
C:\Windows\{65CF2ED6-D9F3-472d-B8A3-3F75521991EF}.exe

Filesize
91KB

MD5
fbb11bf19824f0de0e53355ebb134b48

SHA1
300c8b54c8d370948e8618831f95d67ce2e3efca

SHA256
f28fc6a6f1360cfe6819bf79e0d6b500a4bfc7f91b13c1c32dd628be9ed8d50f

SHA512
d65ea470448e733044e927ca020ba0e7321d73999afee00dbcacf605c9a795e626fdabab412890420bae3b780ee12943af3def41aaf0ede7448ba26c352bbd01

Download Submit
C:\Windows\{790B8149-DF50-491a-A1EE-C01A6C0872BE}.exe

Filesize
91KB

MD5
a1a29babdad15930c59ffe060077b46d

SHA1
155c906657764b49eb6f6dd9852c983fc546f0d4

SHA256
45cd9873c112b05853fbcb957bfb8a8f976be41513660aeccb581967583c6a4c

SHA512
347c16b5e71dc37ac3039d52b483c03892ace963b177e8fb2d7022e4639ceee4664836548ac485fd66730670a96301596376f2d0ba7282a0c2224c646cab9a4e

Download Submit
C:\Windows\{79C3DDB6-EBDB-4d42-A984-FACE96BC8461}.exe

Filesize
91KB

MD5
cdebbb475d7b2dab74944f761cbc9c54

SHA1
aa6fbdf22a53ad7098dac122f2722b04bbc296a6

SHA256
6d41fa8f47a3c76e8796f57829b5f4449510ebde7121e58715221942dda85863

SHA512
caa9fa490108d9e79a73f6fb029cb2e4d0389be9a0f4195aaf04d6efe9bf82e22b1ba695e8bf747ca6337c7327e192b9bd4ce8f38bda2fddc2e3f24fd28d2f61

Download Submit
C:\Windows\{840B0FF4-2532-4a73-BE73-2AA0872F136A}.exe

Filesize
91KB

MD5
0c51bab8136b93818a347390b1a0dfb9

SHA1
a7a1f392a78d40cd7fbd1723735808d2bb435c70

SHA256
2644db7c2d53ae5bc6421decf6e207f8f495d98a8da71925c0f59fb167a1f9ec

SHA512
86bd950d04483f57dcd52ae28289366f94d02b206b770982533dda0f8433bd08f4017593aecdcb2440cebece80806b0c6c42ac64a11e5b6982645093c66a8603

Download Submit
C:\Windows\{94156201-4E0A-4559-A4C1-BF07AB783248}.exe

Filesize
91KB

MD5
106ea202a1c1572b65b787af980580ef

SHA1
26a9677f3c2eeb66d8e95d5eaef8c02ae6a3ccca

SHA256
472ae39e20a00bf26cf89a0eb7845ee2ff8958cea92af8347294c8a6625b6a6a

SHA512
60fe861a4b9db9c4a6120a975aafc9bdb06cdef9054a0562156375153c0bfa4654a97ebb0600ae3d7191834a9de5e138b12caa89c5f0e282dd3ab70d26c2adc5

Download Submit
C:\Windows\{CD197D6A-1FEB-44aa-B031-9A6748AC5BD1}.exe

Filesize
91KB

MD5
5188f1d73a083eb0fb5057746eb17a34

SHA1
a7f1b9acf65304586dffc8ba4055a74bad729ae0

SHA256
c55e85b6ea6908e6b92bcfda1cba90b209e196ffaa4f914b2ff2a8f1be3fec07

SHA512
c19935c78e70e38aba4dd1c6397b2a5e4ea814f5198556446247a6124016b2a7c1b6596e0b57cc7ca48935000cef8e9141ba43497367b1a3a443f0ccb56a5764

Download Submit
C:\Windows\{DB3B7B2D-F116-4f9f-8FB2-617EA68876A4}.exe

Filesize
91KB

MD5
a40da3af29215d256ae34eb268774d50

SHA1
7b18f13d1e16746969b443ad52226e3e6df007a6

SHA256
9c96929de83d8e515221e5d8608326e96d7fe68560284e8d081efda7945b6fcd

SHA512
63ec5fe6bef2deff910b73a3d603b2043ed659f3849617e5d09903c76b8659609fa8517a5d372e00c062dfd94ab8e852e9d28f4014ca42792e2bdde5d10d0cd4

Download Submit
memory/1292-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1292-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2056-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-78-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2440-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2460-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2460-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2696-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2696-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2720-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2760-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2760-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2864-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2864-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2884-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3032-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3032-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3032-7-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads