081205ed6126e425c2e72e5d34096c3aa60c8771859f810daa79cbb1d6e90657

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 03:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50b931b9aa285d6bc836cf55dc874600N.exe
Size

98KB
MD5

50b931b9aa285d6bc836cf55dc874600
SHA1

465ed9202aada51a0c3714a788d5265252a8e2d6
SHA256

081205ed6126e425c2e72e5d34096c3aa60c8771859f810daa79cbb1d6e90657
SHA512

b5188cf0311793f8ae102dd2c9cd2a9d8e5bd18a8e338ab586ed1b904f871b32f5c18dfa3dc4c408d2d4311ac63ed211479e12ea295d19e7a4c09fc6f1811d13
SSDEEP

768:5vw9816thKQLroo4/wQkNrfrunMxVFA3b7glws:lEG/0oolbunMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}\stubpath = "C:\\Windows\\{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe"	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64DBBBF1-D002-4f86-B060-04842AC9CC4E}	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA9165F-A14E-45e7-A218-C4D947C1399F}	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30FE344D-6A5F-4a1f-9471-3812263BD4A7}	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}	{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}\stubpath = "C:\\Windows\\{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}.exe"	{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}	50b931b9aa285d6bc836cf55dc874600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA9165F-A14E-45e7-A218-C4D947C1399F}\stubpath = "C:\\Windows\\{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe"	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0454F18E-0CAC-46a7-9152-435D627807C0}	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30FE344D-6A5F-4a1f-9471-3812263BD4A7}\stubpath = "C:\\Windows\\{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe"	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}\stubpath = "C:\\Windows\\{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe"	50b931b9aa285d6bc836cf55dc874600N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5005F049-BA9A-46b9-A02F-9000A8F37A1E}	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D766C9E4-71BF-4898-B2BB-E4D9477E8140}	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D766C9E4-71BF-4898-B2BB-E4D9477E8140}\stubpath = "C:\\Windows\\{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe"	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5005F049-BA9A-46b9-A02F-9000A8F37A1E}\stubpath = "C:\\Windows\\{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe"	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64DBBBF1-D002-4f86-B060-04842AC9CC4E}\stubpath = "C:\\Windows\\{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe"	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0454F18E-0CAC-46a7-9152-435D627807C0}\stubpath = "C:\\Windows\\{0454F18E-0CAC-46a7-9152-435D627807C0}.exe"	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe
2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe
3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe
1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe
1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe
1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe
1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe
2584	{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe
1976	{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe
File created	C:\Windows\{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe
File created	C:\Windows\{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe
File created	C:\Windows\{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe
File created	C:\Windows\{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	50b931b9aa285d6bc836cf55dc874600N.exe
File created	C:\Windows\{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe
File created	C:\Windows\{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}.exe	{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe
File created	C:\Windows\{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe
File created	C:\Windows\{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50b931b9aa285d6bc836cf55dc874600N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2092	50b931b9aa285d6bc836cf55dc874600N.exe
Token: SeIncBasePriorityPrivilege	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe
Token: SeIncBasePriorityPrivilege	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe
Token: SeIncBasePriorityPrivilege	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe
Token: SeIncBasePriorityPrivilege	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe
Token: SeIncBasePriorityPrivilege	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe
Token: SeIncBasePriorityPrivilege	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe
Token: SeIncBasePriorityPrivilege	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe
Token: SeIncBasePriorityPrivilege	2584	{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2704	2092	50b931b9aa285d6bc836cf55dc874600N.exe	30
PID 2092 wrote to memory of 2704	2092	50b931b9aa285d6bc836cf55dc874600N.exe	30
PID 2092 wrote to memory of 2704	2092	50b931b9aa285d6bc836cf55dc874600N.exe	30
PID 2092 wrote to memory of 2704	2092	50b931b9aa285d6bc836cf55dc874600N.exe	30
PID 2092 wrote to memory of 2756	2092	50b931b9aa285d6bc836cf55dc874600N.exe	31
PID 2092 wrote to memory of 2756	2092	50b931b9aa285d6bc836cf55dc874600N.exe	31
PID 2092 wrote to memory of 2756	2092	50b931b9aa285d6bc836cf55dc874600N.exe	31
PID 2092 wrote to memory of 2756	2092	50b931b9aa285d6bc836cf55dc874600N.exe	31
PID 2704 wrote to memory of 2644	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	33
PID 2704 wrote to memory of 2644	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	33
PID 2704 wrote to memory of 2644	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	33
PID 2704 wrote to memory of 2644	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	33
PID 2704 wrote to memory of 2596	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	34
PID 2704 wrote to memory of 2596	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	34
PID 2704 wrote to memory of 2596	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	34
PID 2704 wrote to memory of 2596	2704	{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe	34
PID 2644 wrote to memory of 3004	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	35
PID 2644 wrote to memory of 3004	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	35
PID 2644 wrote to memory of 3004	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	35
PID 2644 wrote to memory of 3004	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	35
PID 2644 wrote to memory of 1628	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	36
PID 2644 wrote to memory of 1628	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	36
PID 2644 wrote to memory of 1628	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	36
PID 2644 wrote to memory of 1628	2644	{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe	36
PID 3004 wrote to memory of 1292	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	37
PID 3004 wrote to memory of 1292	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	37
PID 3004 wrote to memory of 1292	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	37
PID 3004 wrote to memory of 1292	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	37
PID 3004 wrote to memory of 264	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	38
PID 3004 wrote to memory of 264	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	38
PID 3004 wrote to memory of 264	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	38
PID 3004 wrote to memory of 264	3004	{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe	38
PID 1292 wrote to memory of 1964	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	39
PID 1292 wrote to memory of 1964	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	39
PID 1292 wrote to memory of 1964	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	39
PID 1292 wrote to memory of 1964	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	39
PID 1292 wrote to memory of 1808	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	40
PID 1292 wrote to memory of 1808	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	40
PID 1292 wrote to memory of 1808	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	40
PID 1292 wrote to memory of 1808	1292	{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe	40
PID 1964 wrote to memory of 1912	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	41
PID 1964 wrote to memory of 1912	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	41
PID 1964 wrote to memory of 1912	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	41
PID 1964 wrote to memory of 1912	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	41
PID 1964 wrote to memory of 2016	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	42
PID 1964 wrote to memory of 2016	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	42
PID 1964 wrote to memory of 2016	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	42
PID 1964 wrote to memory of 2016	1964	{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe	42
PID 1912 wrote to memory of 1052	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	43
PID 1912 wrote to memory of 1052	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	43
PID 1912 wrote to memory of 1052	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	43
PID 1912 wrote to memory of 1052	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	43
PID 1912 wrote to memory of 1288	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	44
PID 1912 wrote to memory of 1288	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	44
PID 1912 wrote to memory of 1288	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	44
PID 1912 wrote to memory of 1288	1912	{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe	44
PID 1052 wrote to memory of 2584	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	45
PID 1052 wrote to memory of 2584	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	45
PID 1052 wrote to memory of 2584	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	45
PID 1052 wrote to memory of 2584	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	45
PID 1052 wrote to memory of 2236	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	46
PID 1052 wrote to memory of 2236	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	46
PID 1052 wrote to memory of 2236	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	46
PID 1052 wrote to memory of 2236	1052	{0454F18E-0CAC-46a7-9152-435D627807C0}.exe	46

C:\Users\Admin\AppData\Local\Temp\50b931b9aa285d6bc836cf55dc874600N.exe
"C:\Users\Admin\AppData\Local\Temp\50b931b9aa285d6bc836cf55dc874600N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe
  C:\Windows\{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe
    C:\Windows\{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe
      C:\Windows\{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe
        
        C:\Windows\{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe
        
        C:\Windows\{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe
        
        C:\Windows\{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{0454F18E-0CAC-46a7-9152-435D627807C0}.exe
        
        C:\Windows\{0454F18E-0CAC-46a7-9152-435D627807C0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe
        
        C:\Windows\{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}.exe
        
        C:\Windows\{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30FE3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0454F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AA91~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64DBB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5005F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F97F8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D766C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{094F8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\50B931~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0454F18E-0CAC-46a7-9152-435D627807C0}.exe

Filesize
98KB

MD5
4af1bec21317875714cb43645f5b74f2

SHA1
b6e601e22db8e99538d292688a3113d03c639e70

SHA256
f40da51b0ff1b32a50be16f67ccd50316b2f107503b6641c0b9a15b6097ffdce

SHA512
7ab9bff8550b5cc3947cbb9151225b1779d80dda1a54029141afe77a526b2b3d65388980d753756666fef2319f286ee6ab96c0530273e636e37fb011b3a41a73

Download Submit
C:\Windows\{094F8E99-8899-4c58-BBAC-A6D81F38C1B6}.exe

Filesize
98KB

MD5
aa4b5c5b8af19fc020cd61357fea3f46

SHA1
7fa77d8b7b1f83b3dcd94e39ce3a6ddaab7ea65f

SHA256
d68989aeb15008e7d447472c15c209cc1e6fa15aa5b677ff6228fe13bc340e8b

SHA512
2c034ec7436bdad6e52a431b76741d0017ac43fd8bdfbbf834c6c417ca39217b2fc5ceeaed3618feaa3d643fcf3898a7aa0718d93c2fc4d0fd5eee1c6fc9936f

Download Submit
C:\Windows\{30FE344D-6A5F-4a1f-9471-3812263BD4A7}.exe

Filesize
98KB

MD5
3a9e4cdb7f12d029a826eda6e2c82c87

SHA1
ab5cc0bea5ebcd4db4730f5bafbb9f464fbe29d7

SHA256
dd827ce1b8bea61af3e5dfcf97c8dfa6b4ad0f7881eb96252507efcc90daacb9

SHA512
5ee495efd8d3fb7d12427c64b969629af9465ec811806352a4aab5cdd0b9b27bba29ffe8a48f20dda82e9b939778112666c77a82a5f8045ccf70a0fea4a7efeb

Download Submit
C:\Windows\{5005F049-BA9A-46b9-A02F-9000A8F37A1E}.exe

Filesize
98KB

MD5
465b84c551f70d7f8ad3259b90efa9dc

SHA1
97e98ce87cd21be240fc46b08976de58e2b255e6

SHA256
d91d7626bc69f488a5cff07fb4719f0e5714d999b5f8e09cfd20714121239ac3

SHA512
4aa0b60bfee1811e893c1d7dd99c66d5293eaa5c712dfb30a62c1305a24f30a14295a117e45811a1d3798dd4bd288f64080ff0a7c54052b3df6d9fce638abcf8

Download Submit
C:\Windows\{64DBBBF1-D002-4f86-B060-04842AC9CC4E}.exe

Filesize
98KB

MD5
d211250667b701a80225ee28fcccf68d

SHA1
6d6180d26ce0fd1852969a40cab177bf06d016cb

SHA256
a4e17643f32e4634f40e52c5ce0eeca125d9288adf506c6b9755ee613742b73c

SHA512
38d457e72a047762a1ef035373bb67f4d87cd16e2ed16eac0b6db611e3e71809d5ffdfabc9fc644744bb4c10136cbf36b624d6a2e37150f283d55694a2b3ba58

Download Submit
C:\Windows\{9AA9165F-A14E-45e7-A218-C4D947C1399F}.exe

Filesize
98KB

MD5
6c5a800441fa7fe0cd6c57dd36451c9d

SHA1
3f31b1c704edcdff6b18939225f0a0230564e5cf

SHA256
38455c88cba676d144c422989a81046b03c6659242befcad0ee13d5e493200df

SHA512
cf214497ddaef58185089518776dbc112dd55e2c5bc5aa3220bd9682e310b7e3eb37b19260637823f4e8bac67702545cb3d948f1f9a4c02a5e785d173ebb8ff8

Download Submit
C:\Windows\{CC8DF14A-7C77-4dd5-B0D7-480A03CE8983}.exe

Filesize
98KB

MD5
832f5e104e5d2fc64623c14e672a2ad1

SHA1
8794436fc19fc11322abcfa1573bc7cfd521e5f9

SHA256
8c5e2e013d38deb6c6b2c71be899617642cf4c5e30be91fd0228c37247035e97

SHA512
0bbced309e55e527acd24a78b9a75a3b4c55f22144482ce3615f744bde73ae330801869217af6464bd4d032e1b630391ab178a8846a7f7564b10ec2309927549

Download Submit
C:\Windows\{D766C9E4-71BF-4898-B2BB-E4D9477E8140}.exe

Filesize
98KB

MD5
6ec79d63d8c6f66afee290f1dd44509d

SHA1
801ef0287bb3665f60be547ebcc5a83d6d4f6101

SHA256
19ff6083b20f048db9324d45487ad9b660a075f0cb9161f64786cafd0ef3bf3e

SHA512
320b62a28b52f184e9779454d199fac37607ec6c6fb8cc760b72fa24757c936fb0da6f22729a235f35fe9fc7ead7c6b3da108a170b37a149fba5c36683cf64f7

Download Submit
C:\Windows\{F97F8F4D-35C7-480d-830C-E6F8A0C595D9}.exe

Filesize
98KB

MD5
d1a1a564da328fb76e20b8de5da6ca9a

SHA1
cdba793ea4ff06058b37e94eb87f8f07146edc0f

SHA256
e4b2b337d37f700da4e3bc23a0b13044619bac63210c60dc25ff95d32dad978f

SHA512
7892273082190081de39690198feba2fb3e88f69c35516eda7d3668dc98df643e253e7aa55c2d4345016e475ddd593a0887d195b3f1c74c841fc6cec29a3af63

Download Submit
memory/1052-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1052-78-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1292-43-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/1292-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1292-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1912-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1912-67-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1912-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1964-70-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/1964-58-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/1964-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1964-56-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2092-7-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2092-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2092-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2584-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2584-87-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2644-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2644-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2644-27-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2704-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-17-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/2704-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3004-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3004-36-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/3004-37-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads