2fcf555ffeab3230e32fec7de9d2e9de9c2ba436245a14ce86aaba241fc3f679

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 19:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd524d23ac2dc7ff6679df3652ff49f0N.exe
Size

89KB
MD5

dd524d23ac2dc7ff6679df3652ff49f0
SHA1

e4beb221ea156469a625bc2824268be9597f70fa
SHA256

2fcf555ffeab3230e32fec7de9d2e9de9c2ba436245a14ce86aaba241fc3f679
SHA512

9da24a6a41413daa51e108f18aa74c3750ce0724176709574d910e508d8a874d660d0087efe482383c6ee5ebfcdf3a8154590fa0f51905ff364ab6377aac0461
SSDEEP

768:5vw9816thKQLron4/wQkNrfrunMxVFA3k:lEG/0onlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03A52562-57F2-4e44-812D-918E578316FC}	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61E3A30F-1771-4b03-801D-77EBCB477B7E}	{03A52562-57F2-4e44-812D-918E578316FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}\stubpath = "C:\\Windows\\{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe"	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C75A03F-231C-4978-B81E-FA25348935A3}\stubpath = "C:\\Windows\\{3C75A03F-231C-4978-B81E-FA25348935A3}.exe"	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}\stubpath = "C:\\Windows\\{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe"	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}\stubpath = "C:\\Windows\\{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe"	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}\stubpath = "C:\\Windows\\{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe"	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34028C3E-3D60-4646-814A-2C1460F9AC45}\stubpath = "C:\\Windows\\{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe"	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}	dd524d23ac2dc7ff6679df3652ff49f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03A52562-57F2-4e44-812D-918E578316FC}\stubpath = "C:\\Windows\\{03A52562-57F2-4e44-812D-918E578316FC}.exe"	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61E3A30F-1771-4b03-801D-77EBCB477B7E}\stubpath = "C:\\Windows\\{61E3A30F-1771-4b03-801D-77EBCB477B7E}.exe"	{03A52562-57F2-4e44-812D-918E578316FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}\stubpath = "C:\\Windows\\{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe"	dd524d23ac2dc7ff6679df3652ff49f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C75A03F-231C-4978-B81E-FA25348935A3}	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34028C3E-3D60-4646-814A-2C1460F9AC45}	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe

Deletes itself 1 IoCs

pid	Process
2212	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe
2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe
2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe
2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe
1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe
2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe
376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe
2456	{03A52562-57F2-4e44-812D-918E578316FC}.exe
1620	{61E3A30F-1771-4b03-801D-77EBCB477B7E}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe
File created	C:\Windows\{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe
File created	C:\Windows\{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe
File created	C:\Windows\{03A52562-57F2-4e44-812D-918E578316FC}.exe	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe
File created	C:\Windows\{61E3A30F-1771-4b03-801D-77EBCB477B7E}.exe	{03A52562-57F2-4e44-812D-918E578316FC}.exe
File created	C:\Windows\{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	dd524d23ac2dc7ff6679df3652ff49f0N.exe
File created	C:\Windows\{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe
File created	C:\Windows\{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe
File created	C:\Windows\{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61E3A30F-1771-4b03-801D-77EBCB477B7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03A52562-57F2-4e44-812D-918E578316FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd524d23ac2dc7ff6679df3652ff49f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe
Token: SeIncBasePriorityPrivilege	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe
Token: SeIncBasePriorityPrivilege	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe
Token: SeIncBasePriorityPrivilege	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe
Token: SeIncBasePriorityPrivilege	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe
Token: SeIncBasePriorityPrivilege	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe
Token: SeIncBasePriorityPrivilege	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe
Token: SeIncBasePriorityPrivilege	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe
Token: SeIncBasePriorityPrivilege	2456	{03A52562-57F2-4e44-812D-918E578316FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2812	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe	29
PID 3048 wrote to memory of 2812	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe	29
PID 3048 wrote to memory of 2812	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe	29
PID 3048 wrote to memory of 2812	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe	29
PID 3048 wrote to memory of 2212	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe	30
PID 3048 wrote to memory of 2212	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe	30
PID 3048 wrote to memory of 2212	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe	30
PID 3048 wrote to memory of 2212	3048	dd524d23ac2dc7ff6679df3652ff49f0N.exe	30
PID 2812 wrote to memory of 2892	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	31
PID 2812 wrote to memory of 2892	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	31
PID 2812 wrote to memory of 2892	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	31
PID 2812 wrote to memory of 2892	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	31
PID 2812 wrote to memory of 2748	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	32
PID 2812 wrote to memory of 2748	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	32
PID 2812 wrote to memory of 2748	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	32
PID 2812 wrote to memory of 2748	2812	{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe	32
PID 2892 wrote to memory of 2968	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	33
PID 2892 wrote to memory of 2968	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	33
PID 2892 wrote to memory of 2968	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	33
PID 2892 wrote to memory of 2968	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	33
PID 2892 wrote to memory of 2664	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	34
PID 2892 wrote to memory of 2664	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	34
PID 2892 wrote to memory of 2664	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	34
PID 2892 wrote to memory of 2664	2892	{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe	34
PID 2968 wrote to memory of 2736	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	35
PID 2968 wrote to memory of 2736	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	35
PID 2968 wrote to memory of 2736	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	35
PID 2968 wrote to memory of 2736	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	35
PID 2968 wrote to memory of 2804	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	36
PID 2968 wrote to memory of 2804	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	36
PID 2968 wrote to memory of 2804	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	36
PID 2968 wrote to memory of 2804	2968	{3C75A03F-231C-4978-B81E-FA25348935A3}.exe	36
PID 2736 wrote to memory of 1640	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	37
PID 2736 wrote to memory of 1640	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	37
PID 2736 wrote to memory of 1640	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	37
PID 2736 wrote to memory of 1640	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	37
PID 2736 wrote to memory of 1456	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	38
PID 2736 wrote to memory of 1456	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	38
PID 2736 wrote to memory of 1456	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	38
PID 2736 wrote to memory of 1456	2736	{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe	38
PID 1640 wrote to memory of 2388	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	39
PID 1640 wrote to memory of 2388	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	39
PID 1640 wrote to memory of 2388	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	39
PID 1640 wrote to memory of 2388	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	39
PID 1640 wrote to memory of 2836	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	40
PID 1640 wrote to memory of 2836	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	40
PID 1640 wrote to memory of 2836	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	40
PID 1640 wrote to memory of 2836	1640	{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe	40
PID 2388 wrote to memory of 376	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	41
PID 2388 wrote to memory of 376	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	41
PID 2388 wrote to memory of 376	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	41
PID 2388 wrote to memory of 376	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	41
PID 2388 wrote to memory of 2704	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	42
PID 2388 wrote to memory of 2704	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	42
PID 2388 wrote to memory of 2704	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	42
PID 2388 wrote to memory of 2704	2388	{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe	42
PID 376 wrote to memory of 2456	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	43
PID 376 wrote to memory of 2456	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	43
PID 376 wrote to memory of 2456	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	43
PID 376 wrote to memory of 2456	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	43
PID 376 wrote to memory of 2588	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	44
PID 376 wrote to memory of 2588	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	44
PID 376 wrote to memory of 2588	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	44
PID 376 wrote to memory of 2588	376	{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe	44

C:\Users\Admin\AppData\Local\Temp\dd524d23ac2dc7ff6679df3652ff49f0N.exe
"C:\Users\Admin\AppData\Local\Temp\dd524d23ac2dc7ff6679df3652ff49f0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe
  C:\Windows\{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe
    C:\Windows\{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\{3C75A03F-231C-4978-B81E-FA25348935A3}.exe
      C:\Windows\{3C75A03F-231C-4978-B81E-FA25348935A3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe
        
        C:\Windows\{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe
        
        C:\Windows\{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe
        
        C:\Windows\{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe
        
        C:\Windows\{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{03A52562-57F2-4e44-812D-918E578316FC}.exe
        
        C:\Windows\{03A52562-57F2-4e44-812D-918E578316FC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{61E3A30F-1771-4b03-801D-77EBCB477B7E}.exe
        
        C:\Windows\{61E3A30F-1771-4b03-801D-77EBCB477B7E}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03A52~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34028~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6DC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15B6D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5399~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C75A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FDAD4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2E8C9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DD524D~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03A52562-57F2-4e44-812D-918E578316FC}.exe

Filesize
89KB

MD5
c495641ee77d4dde539213e23d8093b2

SHA1
c6eae89e29c8be4a4d11f0b3d4fb5f107716fb59

SHA256
a21e905f0c2fa6a1499063d7cb837717db953d28ee568c72fa72b1e5600e329c

SHA512
8770b64a731cc4b009d38b24dc3156b73d9489cdadfec34602b3f220140eb22f950508f5bd563857bfa42510bb070a35175c1aaf17cc479791ab88524bcec033

Download Submit
C:\Windows\{15B6DFEF-C224-4dda-99D1-1B0EE1776DFF}.exe

Filesize
89KB

MD5
c41073b1c98411d94355ee42bcf645fb

SHA1
194b6867e60845a1c30fae64a1458ac3deb9beae

SHA256
189497d9903f5c35e0b698e431661efee42c8a2c9a93ec8acecf21bcdefcefef

SHA512
20b21e6ff6c5023c919269b8bfaf70dd0dbfbb67b6f58684ca923534605bb827f451a1e54443ae72c0f9d897fb8f170fd8c3d0a3f5eaaf804a2b38fb5ee1825c

Download Submit
C:\Windows\{2E8C9790-B0A1-4087-96E8-F9A5C8F4A47D}.exe

Filesize
89KB

MD5
c4e6bdc489f1a3be041b5bc8d018eb91

SHA1
d1a9f92be6751bfbad294646a329d9cd57a24405

SHA256
a8865276252d41ccdbbf70b154ac7047868ac4a50819c61505aba8d74e545d00

SHA512
c8f6fe690087e8cd88ae1bf1906ecc19abf4bf4ee37a10aada95318dfa76db9b10f15cc9b45d1ffacdce22468e78c1b73129c71160102ffb47cc5d43a7bf5400

Download Submit
C:\Windows\{34028C3E-3D60-4646-814A-2C1460F9AC45}.exe

Filesize
89KB

MD5
afecde5efde9214e7b7ed336dd994fec

SHA1
4cd81bc1fd9256b2bb9ab170292806f3dd136300

SHA256
46d7a2a85daaa0233fcdad222aa9cc64872ae48c392f98e9f32d0bb6d54bd90c

SHA512
4fab5937c39729271a7d40226d375e87f70a19e989714fbb6070a3181109c97b1680c45f157a5e325e1dabc5c85ae8fa1c2e1cd97c022d61e3b747faf18275ce

Download Submit
C:\Windows\{3C75A03F-231C-4978-B81E-FA25348935A3}.exe

Filesize
89KB

MD5
3af20afe08d7de0f4efb0bcceda76deb

SHA1
2b21d4fdfd03729597a73be3ed5289bf4753c60f

SHA256
7a43be409178245f344fa100b868328c61f14ea9e211d66fdbe7cf874196e870

SHA512
404161311d273978c0b25ad41ec070a63cc60e27f04116f1c60f027e178dce6e181d3fa002622c8374e892257acb9c57c27fb66b3d018c11cdec7522c87c8fa7

Download Submit
C:\Windows\{61E3A30F-1771-4b03-801D-77EBCB477B7E}.exe

Filesize
89KB

MD5
18fc510de6f8b85d9567a4f902c9d8a4

SHA1
768ffcb24a78e1d513c598dd6354cdc9c7a81ba0

SHA256
2ace1bf5e16f164c713d7b8926d4e7a6f249fbd7b49d0ab8f7da862784805510

SHA512
9dcc8b17ea3e27940ee4aa5b6ddf0daa042d1eff923ed59a03ec2e619fef7101c00d7b00cef40b32250ff3997fb731736e67e44d709fb39e76267e39d16cd3e5

Download Submit
C:\Windows\{BE6DCE49-464E-4f6b-97B3-6BD052A341F0}.exe

Filesize
89KB

MD5
c3c944659fc2216663e42dda1a8c56c5

SHA1
e90ebd186f061c470438e35778798ca91c43fdbb

SHA256
86f7440f426b5bbe442aff45d2c6d4aae1b4f0a0a9e8afd2bcd12b8473826a3b

SHA512
fae38d6d4185cae6e2af8a70a84ca3a8c6375e7fe8a8812865ef3cc2664762c1e55f2006a849cbd8a7e894e6fce0c0a628d68c356f07c52e61d601191891eaa9

Download Submit
C:\Windows\{E53996E5-4EE6-42c1-98A5-D35242B0CD1B}.exe

Filesize
89KB

MD5
b87cdf6bbe99006387971df23517283f

SHA1
f0a9877e7fb0bf3f07fae9d5f08bb4229f64f129

SHA256
b541f5f1996d9acf3a0ceeba70e1cf7a2b1081cdf9d778923277277817112571

SHA512
204d0103e2e0aa1dff573c72628b6f738a5cf74abb6975908ff5d8153f05b9f12f4d1186c2c8930f3c9f736f1af08418f6f9ac50f91184f91e694e64fb1031e2

Download Submit
C:\Windows\{FDAD4C2A-E413-4747-8F2D-DBD1DC96D8A6}.exe

Filesize
89KB

MD5
adecddf7e520356f608a76a32d60990f

SHA1
c4aaf9b03b14566dd42d97cfb71c88daf458e0b8

SHA256
fbec61700ac0bd68c66a01bba8b28ae2d455d6cc9dd41e0be30d9f31487b68c5

SHA512
470752bdc0622064f18e94212e5a54abb34674b84d763b3331da79c906d419eb605f72a75304206a86474376766ded393a879b654f9c989477e8138d38530c8b

Download Submit
memory/376-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/376-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1620-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1640-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1640-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2388-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2388-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2456-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2736-45-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2736-44-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2736-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2812-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2812-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2892-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2892-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2968-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2968-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3048-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3048-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3048-7-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/3048-8-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads