081205ed6126e425c2e72e5d34096c3aa60c8771859f810daa79cbb1d6e90657

Analysis

max time kernel
118s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50b931b9aa285d6bc836cf55dc874600N.exe
Size

98KB
MD5

50b931b9aa285d6bc836cf55dc874600
SHA1

465ed9202aada51a0c3714a788d5265252a8e2d6
SHA256

081205ed6126e425c2e72e5d34096c3aa60c8771859f810daa79cbb1d6e90657
SHA512

b5188cf0311793f8ae102dd2c9cd2a9d8e5bd18a8e338ab586ed1b904f871b32f5c18dfa3dc4c408d2d4311ac63ed211479e12ea295d19e7a4c09fc6f1811d13
SSDEEP

768:5vw9816thKQLroo4/wQkNrfrunMxVFA3b7glws:lEG/0oolbunMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FA1B285-5B6C-496b-8821-FF8240D23996}	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FA1B285-5B6C-496b-8821-FF8240D23996}\stubpath = "C:\\Windows\\{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe"	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{921A79AA-1E2F-4d2d-A646-50959D1C3331}	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A407C7C8-66E2-4fa7-9144-23084F51BA2B}\stubpath = "C:\\Windows\\{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe"	50b931b9aa285d6bc836cf55dc874600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}\stubpath = "C:\\Windows\\{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe"	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7917BFA8-D168-4a7a-BD84-465BB393567B}\stubpath = "C:\\Windows\\{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe"	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{921A79AA-1E2F-4d2d-A646-50959D1C3331}\stubpath = "C:\\Windows\\{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe"	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}\stubpath = "C:\\Windows\\{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe"	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}\stubpath = "C:\\Windows\\{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe"	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9799794E-BBDF-4131-8F29-6BBA81DEEB51}	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9799794E-BBDF-4131-8F29-6BBA81DEEB51}\stubpath = "C:\\Windows\\{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe"	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B776B73-7E27-489e-907B-8290FE2D27D0}	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B776B73-7E27-489e-907B-8290FE2D27D0}\stubpath = "C:\\Windows\\{0B776B73-7E27-489e-907B-8290FE2D27D0}.exe"	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A407C7C8-66E2-4fa7-9144-23084F51BA2B}	50b931b9aa285d6bc836cf55dc874600N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7917BFA8-D168-4a7a-BD84-465BB393567B}	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe

Executes dropped EXE 9 IoCs

pid	Process
3604	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe
700	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe
3552	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe
872	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe
1048	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe
768	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe
1328	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe
704	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe
4244	{0B776B73-7E27-489e-907B-8290FE2D27D0}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0B776B73-7E27-489e-907B-8290FE2D27D0}.exe	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe
File created	C:\Windows\{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe
File created	C:\Windows\{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe
File created	C:\Windows\{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe	50b931b9aa285d6bc836cf55dc874600N.exe
File created	C:\Windows\{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe
File created	C:\Windows\{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe
File created	C:\Windows\{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe
File created	C:\Windows\{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe
File created	C:\Windows\{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B776B73-7E27-489e-907B-8290FE2D27D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50b931b9aa285d6bc836cf55dc874600N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	208	50b931b9aa285d6bc836cf55dc874600N.exe
Token: SeIncBasePriorityPrivilege	3604	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe
Token: SeIncBasePriorityPrivilege	700	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe
Token: SeIncBasePriorityPrivilege	3552	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe
Token: SeIncBasePriorityPrivilege	872	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe
Token: SeIncBasePriorityPrivilege	1048	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe
Token: SeIncBasePriorityPrivilege	768	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe
Token: SeIncBasePriorityPrivilege	1328	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe
Token: SeIncBasePriorityPrivilege	704	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3604	208	50b931b9aa285d6bc836cf55dc874600N.exe	89
PID 208 wrote to memory of 3604	208	50b931b9aa285d6bc836cf55dc874600N.exe	89
PID 208 wrote to memory of 3604	208	50b931b9aa285d6bc836cf55dc874600N.exe	89
PID 208 wrote to memory of 3708	208	50b931b9aa285d6bc836cf55dc874600N.exe	90
PID 208 wrote to memory of 3708	208	50b931b9aa285d6bc836cf55dc874600N.exe	90
PID 208 wrote to memory of 3708	208	50b931b9aa285d6bc836cf55dc874600N.exe	90
PID 3604 wrote to memory of 700	3604	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe	91
PID 3604 wrote to memory of 700	3604	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe	91
PID 3604 wrote to memory of 700	3604	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe	91
PID 3604 wrote to memory of 4392	3604	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe	92
PID 3604 wrote to memory of 4392	3604	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe	92
PID 3604 wrote to memory of 4392	3604	{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe	92
PID 700 wrote to memory of 3552	700	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe	97
PID 700 wrote to memory of 3552	700	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe	97
PID 700 wrote to memory of 3552	700	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe	97
PID 700 wrote to memory of 3160	700	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe	98
PID 700 wrote to memory of 3160	700	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe	98
PID 700 wrote to memory of 3160	700	{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe	98
PID 3552 wrote to memory of 872	3552	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe	99
PID 3552 wrote to memory of 872	3552	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe	99
PID 3552 wrote to memory of 872	3552	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe	99
PID 3552 wrote to memory of 4840	3552	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe	100
PID 3552 wrote to memory of 4840	3552	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe	100
PID 3552 wrote to memory of 4840	3552	{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe	100
PID 872 wrote to memory of 1048	872	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe	102
PID 872 wrote to memory of 1048	872	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe	102
PID 872 wrote to memory of 1048	872	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe	102
PID 872 wrote to memory of 4796	872	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe	103
PID 872 wrote to memory of 4796	872	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe	103
PID 872 wrote to memory of 4796	872	{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe	103
PID 1048 wrote to memory of 768	1048	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe	104
PID 1048 wrote to memory of 768	1048	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe	104
PID 1048 wrote to memory of 768	1048	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe	104
PID 1048 wrote to memory of 3748	1048	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe	105
PID 1048 wrote to memory of 3748	1048	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe	105
PID 1048 wrote to memory of 3748	1048	{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe	105
PID 768 wrote to memory of 1328	768	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe	106
PID 768 wrote to memory of 1328	768	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe	106
PID 768 wrote to memory of 1328	768	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe	106
PID 768 wrote to memory of 3644	768	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe	107
PID 768 wrote to memory of 3644	768	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe	107
PID 768 wrote to memory of 3644	768	{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe	107
PID 1328 wrote to memory of 704	1328	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe	108
PID 1328 wrote to memory of 704	1328	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe	108
PID 1328 wrote to memory of 704	1328	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe	108
PID 1328 wrote to memory of 4776	1328	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe	109
PID 1328 wrote to memory of 4776	1328	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe	109
PID 1328 wrote to memory of 4776	1328	{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe	109
PID 704 wrote to memory of 4244	704	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe	110
PID 704 wrote to memory of 4244	704	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe	110
PID 704 wrote to memory of 4244	704	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe	110
PID 704 wrote to memory of 3296	704	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe	111
PID 704 wrote to memory of 3296	704	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe	111
PID 704 wrote to memory of 3296	704	{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe	111

C:\Users\Admin\AppData\Local\Temp\50b931b9aa285d6bc836cf55dc874600N.exe
"C:\Users\Admin\AppData\Local\Temp\50b931b9aa285d6bc836cf55dc874600N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe
  C:\Windows\{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe
    C:\Windows\{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe
      C:\Windows\{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Windows\{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe
        
        C:\Windows\{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe
        
        C:\Windows\{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe
        
        C:\Windows\{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe
        
        C:\Windows\{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe
        
        C:\Windows\{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\{0B776B73-7E27-489e-907B-8290FE2D27D0}.exe
        
        C:\Windows\{0B776B73-7E27-489e-907B-8290FE2D27D0}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A968~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{921A7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7917B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BCB3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FA1B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97997~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5C164~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A407C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\50B931~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B776B73-7E27-489e-907B-8290FE2D27D0}.exe

Filesize
98KB

MD5
a24365b9ac7c9ffd530879f76357e23d

SHA1
bc495021984ed807d2cd7135715ddd6cd702d546

SHA256
8c5e45973822fe71277babbb6b8bed0d1f2f5a852d05c3d52262bb6c28c7ef02

SHA512
353823ceef8e5dd54fd862fd410f2ac6a9563a6b52177c07fe734b1201720cfc37134a5d18473c4dd84ca97ec33b26c876488894bead823eda2b252bc7323615

Download Submit
C:\Windows\{5BCB32A9-3F32-4bd0-BE9B-EAD800811601}.exe

Filesize
98KB

MD5
2fd7aca0c2887a1685edd2024606eefd

SHA1
9da363923f44f848766ca60d69eff96e219b631c

SHA256
e3d62f3b4889b73f03a6d5922f9ea1c380a1f90cae4b1882c004cce50e430f63

SHA512
a6cee886149745ef68eb161badf45294de2499cff68668064802ec8cd1227a4efaba8421b5495431fab40b9d75ec4b0321872169314f53469c035121ea274a5e

Download Submit
C:\Windows\{5C164C9D-04D0-4e4c-8FDE-F44F41AB388B}.exe

Filesize
98KB

MD5
d208a82961ba9084de5874546f3b7706

SHA1
1e763e74656de2205507716b2969075fdaa26575

SHA256
3808cc48716f7a0144bb5519f1d4c5307c3f475594e2d31fea2d817e728ea28e

SHA512
c56d6eeffcac5cf42e5cec28e7be5d2d6f4d3a5b07dc8a14c9cedfcc2221b9c1cbf20aa9c12333555d3e64b0feca02eeab899a6a1bfb89a81bfeddac1264efe4

Download Submit
C:\Windows\{6A968BA8-30CB-4c16-8F1A-2CCC2296A80A}.exe

Filesize
98KB

MD5
37f7079f80356bc9a695d634315d9e17

SHA1
eaf4c3ede2de50dfd5e720cb0b2329687a213732

SHA256
a253156378be67ecef5e79c5da3b5ba18cba53b74bca5f3742dd2755d3ca673d

SHA512
67a3067f66512dd89287104d99212a6b3e58713ba5cf6c64dfb2d07c79351b8bab7ff8682bf74dd0767f3de51575b9a13126c42ae9871da984537745e6fdb0de

Download Submit
C:\Windows\{7917BFA8-D168-4a7a-BD84-465BB393567B}.exe

Filesize
98KB

MD5
dafb1f2362ad35d36f16c28e6a9b9dac

SHA1
04accef396a1296b155b0a50adb1a29633665e41

SHA256
28bcd12b5604177fd5afbda55d38280116780f79964ceb5ba1fb463328024717

SHA512
515ec8fecf44f9bc3cb0d88f5ebf5b50a2ba17f52f47d0ccc00d0653205feee141d9637c24eafec042b1ecaa21345cbb9a3e2295d6fc7133f39157d1f228b080

Download Submit
C:\Windows\{8FA1B285-5B6C-496b-8821-FF8240D23996}.exe

Filesize
98KB

MD5
6883b049a02fcc94a9fb625e0e4975c9

SHA1
7578b2d2b361748405dfd7bee86a3114b1ab45cd

SHA256
4628d2870a457c065d7ba4de6ca375104f723c51835e662113e85404dddc0184

SHA512
cd6f27e8d46a81573bb025beb21309c2e4be6996b27ff1aa0e7544882fead9361bf16e07b6d264408f09a0ed7507c538a377c06c3a8035ff1b2473035c1d3e63

Download Submit
C:\Windows\{921A79AA-1E2F-4d2d-A646-50959D1C3331}.exe

Filesize
98KB

MD5
3de69a775b902f6684f1a171929d4fd2

SHA1
0c2e925e04343fde0744f0081640181ab098cc5c

SHA256
46bac9d6ea5a3299aaa6baf31562ecbb73b93b9852b7eb416b0e9c352fb115a8

SHA512
c5c7656f5787753d0f82b68184421800531f0ce0cfd12f45eb875226ec437e59a36509cb9990da34898d59f62fbf0c7049b9f14373a39880357bb19f96b72dbe

Download Submit
C:\Windows\{9799794E-BBDF-4131-8F29-6BBA81DEEB51}.exe

Filesize
98KB

MD5
4e0a83bbcf2c9f3b42a58745ec1dddb7

SHA1
e095e39860912d4e48be64dbebc354844537b46f

SHA256
8946aecdf104f97dfd84b803923ffc569afb84b31c0a26d05c682a8b7ec1877c

SHA512
4f1dc4a45e382b752691ced1f3d2977724d61dc25c8224c99ecd0facb664bdb9c8187f5f7112818646f424fb6c2dc85d35150276de5431f6cd56bfd9f3eabc39

Download Submit
C:\Windows\{A407C7C8-66E2-4fa7-9144-23084F51BA2B}.exe

Filesize
98KB

MD5
96f574181e9ba2fb5cd01c3b8e910f00

SHA1
d60394c272b2837b3336fff0b0eeebc127f87b62

SHA256
5d0cb9bdeb963258f77b5b1fd439529f3a9a91319c3d2592e70de8133016766c

SHA512
d7c522de9158d98b6dff29acc9d30ad8948888113acfb287699339593d117fb1af1d8079d64a30e4df6fc81b011036e7971b9bc134cb278aa83ec2899c72e960

Download Submit
memory/208-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/208-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/700-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/700-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/704-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/704-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/768-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/872-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/872-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1048-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1328-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1328-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3552-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3552-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3604-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3604-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4244-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads