d465e7153a1d37c1e82f1f77619cbad912156353901dc06304dc2a9a06a6e844

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42059b5679eac807aa558ccf8473c6f0N.exe
Size

90KB
MD5

42059b5679eac807aa558ccf8473c6f0
SHA1

5dc08664e5483479da4e330a565e02f4df50ece8
SHA256

d465e7153a1d37c1e82f1f77619cbad912156353901dc06304dc2a9a06a6e844
SHA512

9f92a333b715914c85cf81a5a10afcc7a532337d1b592146c04bac79edb73e9db43f4ab0e0c3aeef5a6d039ffb5ad9247eaef8f7fcc3893e2d9e9b0b2b621f0d
SSDEEP

768:Qvw9816vhKQLro54/wQRNrfrunMxVFA3b7glws:YEGh0o5l2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D04DF8-B84F-469b-B8D5-72731606C843}\stubpath = "C:\\Windows\\{76D04DF8-B84F-469b-B8D5-72731606C843}.exe"	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41889159-6CE0-429b-A108-B652EB506EDF}	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41889159-6CE0-429b-A108-B652EB506EDF}\stubpath = "C:\\Windows\\{41889159-6CE0-429b-A108-B652EB506EDF}.exe"	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}	{41889159-6CE0-429b-A108-B652EB506EDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96E5619F-638B-48c2-B3FB-39D4529BDE07}	42059b5679eac807aa558ccf8473c6f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AFBD30D-6BAE-4540-B745-05823551B5E6}	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D04DF8-B84F-469b-B8D5-72731606C843}	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A731817-DA02-4cff-BD85-5AF289171AD5}	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}\stubpath = "C:\\Windows\\{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe"	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}\stubpath = "C:\\Windows\\{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe"	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D9E1A6B-4D2F-4a82-B793-CB868688D305}	{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A731817-DA02-4cff-BD85-5AF289171AD5}\stubpath = "C:\\Windows\\{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe"	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AFBD30D-6BAE-4540-B745-05823551B5E6}\stubpath = "C:\\Windows\\{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe"	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}\stubpath = "C:\\Windows\\{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe"	{41889159-6CE0-429b-A108-B652EB506EDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D9E1A6B-4D2F-4a82-B793-CB868688D305}\stubpath = "C:\\Windows\\{9D9E1A6B-4D2F-4a82-B793-CB868688D305}.exe"	{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96E5619F-638B-48c2-B3FB-39D4529BDE07}\stubpath = "C:\\Windows\\{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe"	42059b5679eac807aa558ccf8473c6f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe
2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe
552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe
1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe
2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe
2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe
1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe
1768	{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe
2092	{9D9E1A6B-4D2F-4a82-B793-CB868688D305}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	42059b5679eac807aa558ccf8473c6f0N.exe
File created	C:\Windows\{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe
File created	C:\Windows\{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe
File created	C:\Windows\{41889159-6CE0-429b-A108-B652EB506EDF}.exe	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe
File created	C:\Windows\{9D9E1A6B-4D2F-4a82-B793-CB868688D305}.exe	{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe
File created	C:\Windows\{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe
File created	C:\Windows\{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe
File created	C:\Windows\{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe
File created	C:\Windows\{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe	{41889159-6CE0-429b-A108-B652EB506EDF}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9D9E1A6B-4D2F-4a82-B793-CB868688D305}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42059b5679eac807aa558ccf8473c6f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41889159-6CE0-429b-A108-B652EB506EDF}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2932	42059b5679eac807aa558ccf8473c6f0N.exe
Token: SeIncBasePriorityPrivilege	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe
Token: SeIncBasePriorityPrivilege	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe
Token: SeIncBasePriorityPrivilege	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe
Token: SeIncBasePriorityPrivilege	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe
Token: SeIncBasePriorityPrivilege	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe
Token: SeIncBasePriorityPrivilege	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe
Token: SeIncBasePriorityPrivilege	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe
Token: SeIncBasePriorityPrivilege	1768	{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2836	2932	42059b5679eac807aa558ccf8473c6f0N.exe	30
PID 2932 wrote to memory of 2836	2932	42059b5679eac807aa558ccf8473c6f0N.exe	30
PID 2932 wrote to memory of 2836	2932	42059b5679eac807aa558ccf8473c6f0N.exe	30
PID 2932 wrote to memory of 2836	2932	42059b5679eac807aa558ccf8473c6f0N.exe	30
PID 2932 wrote to memory of 2768	2932	42059b5679eac807aa558ccf8473c6f0N.exe	31
PID 2932 wrote to memory of 2768	2932	42059b5679eac807aa558ccf8473c6f0N.exe	31
PID 2932 wrote to memory of 2768	2932	42059b5679eac807aa558ccf8473c6f0N.exe	31
PID 2932 wrote to memory of 2768	2932	42059b5679eac807aa558ccf8473c6f0N.exe	31
PID 2836 wrote to memory of 2728	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	33
PID 2836 wrote to memory of 2728	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	33
PID 2836 wrote to memory of 2728	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	33
PID 2836 wrote to memory of 2728	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	33
PID 2836 wrote to memory of 1936	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	34
PID 2836 wrote to memory of 1936	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	34
PID 2836 wrote to memory of 1936	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	34
PID 2836 wrote to memory of 1936	2836	{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe	34
PID 2728 wrote to memory of 552	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	35
PID 2728 wrote to memory of 552	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	35
PID 2728 wrote to memory of 552	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	35
PID 2728 wrote to memory of 552	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	35
PID 2728 wrote to memory of 888	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	36
PID 2728 wrote to memory of 888	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	36
PID 2728 wrote to memory of 888	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	36
PID 2728 wrote to memory of 888	2728	{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe	36
PID 552 wrote to memory of 1684	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	37
PID 552 wrote to memory of 1684	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	37
PID 552 wrote to memory of 1684	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	37
PID 552 wrote to memory of 1684	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	37
PID 552 wrote to memory of 2648	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	38
PID 552 wrote to memory of 2648	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	38
PID 552 wrote to memory of 2648	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	38
PID 552 wrote to memory of 2648	552	{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe	38
PID 1684 wrote to memory of 2536	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	39
PID 1684 wrote to memory of 2536	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	39
PID 1684 wrote to memory of 2536	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	39
PID 1684 wrote to memory of 2536	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	39
PID 1684 wrote to memory of 2144	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	40
PID 1684 wrote to memory of 2144	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	40
PID 1684 wrote to memory of 2144	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	40
PID 1684 wrote to memory of 2144	1684	{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe	40
PID 2536 wrote to memory of 2596	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	41
PID 2536 wrote to memory of 2596	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	41
PID 2536 wrote to memory of 2596	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	41
PID 2536 wrote to memory of 2596	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	41
PID 2536 wrote to memory of 2900	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	42
PID 2536 wrote to memory of 2900	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	42
PID 2536 wrote to memory of 2900	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	42
PID 2536 wrote to memory of 2900	2536	{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe	42
PID 2596 wrote to memory of 1868	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	43
PID 2596 wrote to memory of 1868	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	43
PID 2596 wrote to memory of 1868	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	43
PID 2596 wrote to memory of 1868	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	43
PID 2596 wrote to memory of 2968	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	44
PID 2596 wrote to memory of 2968	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	44
PID 2596 wrote to memory of 2968	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	44
PID 2596 wrote to memory of 2968	2596	{76D04DF8-B84F-469b-B8D5-72731606C843}.exe	44
PID 1868 wrote to memory of 1768	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe	45
PID 1868 wrote to memory of 1768	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe	45
PID 1868 wrote to memory of 1768	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe	45
PID 1868 wrote to memory of 1768	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe	45
PID 1868 wrote to memory of 2008	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe	46
PID 1868 wrote to memory of 2008	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe	46
PID 1868 wrote to memory of 2008	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe	46
PID 1868 wrote to memory of 2008	1868	{41889159-6CE0-429b-A108-B652EB506EDF}.exe	46

C:\Users\Admin\AppData\Local\Temp\42059b5679eac807aa558ccf8473c6f0N.exe
"C:\Users\Admin\AppData\Local\Temp\42059b5679eac807aa558ccf8473c6f0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe
  C:\Windows\{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe
    C:\Windows\{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe
      C:\Windows\{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe
        
        C:\Windows\{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe
        
        C:\Windows\{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{76D04DF8-B84F-469b-B8D5-72731606C843}.exe
        
        C:\Windows\{76D04DF8-B84F-469b-B8D5-72731606C843}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{41889159-6CE0-429b-A108-B652EB506EDF}.exe
        
        C:\Windows\{41889159-6CE0-429b-A108-B652EB506EDF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe
        
        C:\Windows\{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\{9D9E1A6B-4D2F-4a82-B793-CB868688D305}.exe
        
        C:\Windows\{9D9E1A6B-4D2F-4a82-B793-CB868688D305}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95B2E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41889~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76D04~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46E76~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AFBD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F61~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A731~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{96E56~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\42059B~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A731817-DA02-4cff-BD85-5AF289171AD5}.exe

Filesize
90KB

MD5
0677ec9b9e5e681de5c70050525540f8

SHA1
f1bf63f8070b04f35378dacdd54503ffc4139f3d

SHA256
3d31ad11f88a5a2c9d96f49cf375d815281a2457327625229cd2ab92c139a2a7

SHA512
35412bb38df3dfcbc3530bcea51e1d0bdb44ba63cf2c157a6dc8b5f94b64213983c1e07af22fe899e152cd1dd914c5666da2874773aa2ce3c1a52d5b9f080439

Download Submit
C:\Windows\{2AFBD30D-6BAE-4540-B745-05823551B5E6}.exe

Filesize
90KB

MD5
59973b8ebd37f29e49faaf48a1eb1968

SHA1
d09a5caf7c4767de598d30e94ed9b5115ad5eee2

SHA256
337f5cd72fecbd6bace96e58501831fe9f9b30fb084af7b3509435961f169aec

SHA512
19da4a140e372f8780db8cde48bfac94f3e09647c2f149ff3463256bb6aefea533c52c559e774e933693d9e9c8584001f6a08efe9dc71c6147976a16cb589bb6

Download Submit
C:\Windows\{41889159-6CE0-429b-A108-B652EB506EDF}.exe

Filesize
90KB

MD5
9bad8b4b3b062bd4e8ca59160cf5c22b

SHA1
59e930b0b85878c8c11406e4d60bc12a7fdb0fd6

SHA256
ab184f4652d3cb7c389b32e1f3063ef74c17cd5958569284469d75d8cb3bd1d4

SHA512
2dee253a4ab1fc60e6630354295215e1a7244df28b5ec8fef0fdc7e19203232da84cfcc9239462ad3e5449bfeab36dbfc78e447f212ec5d30fbd0041e551f2a5

Download Submit
C:\Windows\{46E76E3F-3DC4-4b05-99C6-4772AFBF27EB}.exe

Filesize
90KB

MD5
8070210a0d878937e51eda4b310d100f

SHA1
7e3581d0c71921c84bef6c47338357433b085113

SHA256
ab5947f6179bbf55bcf5ad591593936a5d231db6a36f42104fa4d04cba721f75

SHA512
401e45bfde08c1efd997f958947f7fe2fe02ba19951a308aa59242966c825465970f26ae26b42f7616d5c3100322a67e4545249a08f49beba5bac1faf5766968

Download Submit
C:\Windows\{76D04DF8-B84F-469b-B8D5-72731606C843}.exe

Filesize
90KB

MD5
9a0e734c5e82423f741f39f63e39be5b

SHA1
e8c497659c5da8fb9ca7ff37033d4c17533ced5d

SHA256
97a7f13f65444b774997a60e775794f16a83ef913a23129b9709f05513d87a28

SHA512
b5b843141a39b1ffa641a7cc1e83d884c438c4b16c480932e8f0912d55546c71005115010c90c15e05243c123a5e8d259ac8872a3474b6ae76f52e4a86e4bef4

Download Submit
C:\Windows\{95B2E6F6-A2A1-46c5-8006-2FA8EE4BF28D}.exe

Filesize
90KB

MD5
4132bc672d96e57b5af21d90d53fab61

SHA1
57e5cc626e0f5f9b784039cbc0b431083a703603

SHA256
facebcba579639bc1f4c0fd7bfe42030d01d442b1d663bc4645fcb4d284775ac

SHA512
790c90f3ab2b3ce276ba14fbf1a9af74038121d3eb5a3b04aab55df80e341e3809440b09bf3c2e1d9f92be3b5de4c721e2ab5cfb6cb559be39ea20082dfbdb4a

Download Submit
C:\Windows\{96E5619F-638B-48c2-B3FB-39D4529BDE07}.exe

Filesize
90KB

MD5
47ae9adb4486f5255990b32b7d992392

SHA1
885de07dbdecae7723fc49cbeb31d8dd3828670e

SHA256
9cfb60ff7f1200509a18ff0561ddfdc59932d901789aa7e6a86eaa300f9f72cf

SHA512
b15e55e8c2b71fae0522677a14beb979b70d93bae2fcf0e101089ad5933f5cba42105bc3323eb082c88ee8ef389f312c91c62b654cd7174f3b63979b2248f007

Download Submit
C:\Windows\{9D9E1A6B-4D2F-4a82-B793-CB868688D305}.exe

Filesize
90KB

MD5
fe866abb51d4dc1145009518b30e08af

SHA1
9f3933330a8d29664b56276558bf3ece279cb008

SHA256
419b9a402d11e4fca274cc83268cf905ab8ffd4f35e9385486082058409d6ce0

SHA512
17aacbf15cea34b6b10bedf8311e7368d588fd6ad96f3a32f19821787c474d4b3e9791f87620fde0cb5830c65a17a031ecf184087a981a621339cf9bf6f122af

Download Submit
C:\Windows\{F7F61A1A-E4FA-4c3a-908F-3812E3554FFB}.exe

Filesize
90KB

MD5
42276d88b4ecd7b382c49fbf6897fcec

SHA1
c39129010488c27704215501f6cf42463b29b5e0

SHA256
a7c71ba5c092a6cc29901c274b89bd6697a01ba6ca9c77e30adb6fb6b5a8b4f2

SHA512
60e0e7bdbc309499edecbadba3f407e30fec7072ea7232b60d38c26b32378d8df97bebb8c0c5da42043f428bfd6b001fbb2859be7d889eb994af4d92beaacc47

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads