d465e7153a1d37c1e82f1f77619cbad912156353901dc06304dc2a9a06a6e844

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42059b5679eac807aa558ccf8473c6f0N.exe
Size

90KB
MD5

42059b5679eac807aa558ccf8473c6f0
SHA1

5dc08664e5483479da4e330a565e02f4df50ece8
SHA256

d465e7153a1d37c1e82f1f77619cbad912156353901dc06304dc2a9a06a6e844
SHA512

9f92a333b715914c85cf81a5a10afcc7a532337d1b592146c04bac79edb73e9db43f4ab0e0c3aeef5a6d039ffb5ad9247eaef8f7fcc3893e2d9e9b0b2b621f0d
SSDEEP

768:Qvw9816vhKQLro54/wQRNrfrunMxVFA3b7glws:YEGh0o5l2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}	42059b5679eac807aa558ccf8473c6f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}\stubpath = "C:\\Windows\\{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe"	42059b5679eac807aa558ccf8473c6f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}\stubpath = "C:\\Windows\\{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe"	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECEA78C4-3AE2-4294-A468-915896EEB333}\stubpath = "C:\\Windows\\{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe"	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB87F253-6D3C-40ee-91F2-1CD691071FAE}\stubpath = "C:\\Windows\\{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe"	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}\stubpath = "C:\\Windows\\{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}.exe"	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECEA78C4-3AE2-4294-A468-915896EEB333}	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB87F253-6D3C-40ee-91F2-1CD691071FAE}	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C00D138B-6E8A-45f1-89A0-19BD402246B7}	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}\stubpath = "C:\\Windows\\{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe"	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7358D80-CC56-493b-9875-2113E9E5F359}\stubpath = "C:\\Windows\\{F7358D80-CC56-493b-9875-2113E9E5F359}.exe"	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B6E906-51C5-4894-9D0F-73EE0840988F}	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B6E906-51C5-4894-9D0F-73EE0840988F}\stubpath = "C:\\Windows\\{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe"	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C00D138B-6E8A-45f1-89A0-19BD402246B7}\stubpath = "C:\\Windows\\{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe"	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7358D80-CC56-493b-9875-2113E9E5F359}	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe

Executes dropped EXE 9 IoCs

pid	Process
4292	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe
3224	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe
1228	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe
4884	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe
4708	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe
4416	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe
2032	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe
1588	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe
4080	{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe
File created	C:\Windows\{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe
File created	C:\Windows\{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe
File created	C:\Windows\{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}.exe	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe
File created	C:\Windows\{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe	42059b5679eac807aa558ccf8473c6f0N.exe
File created	C:\Windows\{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe
File created	C:\Windows\{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe
File created	C:\Windows\{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe
File created	C:\Windows\{F7358D80-CC56-493b-9875-2113E9E5F359}.exe	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42059b5679eac807aa558ccf8473c6f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4624	42059b5679eac807aa558ccf8473c6f0N.exe
Token: SeIncBasePriorityPrivilege	4292	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe
Token: SeIncBasePriorityPrivilege	3224	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe
Token: SeIncBasePriorityPrivilege	1228	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe
Token: SeIncBasePriorityPrivilege	4884	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe
Token: SeIncBasePriorityPrivilege	4708	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe
Token: SeIncBasePriorityPrivilege	4416	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe
Token: SeIncBasePriorityPrivilege	2032	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe
Token: SeIncBasePriorityPrivilege	1588	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4292	4624	42059b5679eac807aa558ccf8473c6f0N.exe	86
PID 4624 wrote to memory of 4292	4624	42059b5679eac807aa558ccf8473c6f0N.exe	86
PID 4624 wrote to memory of 4292	4624	42059b5679eac807aa558ccf8473c6f0N.exe	86
PID 4624 wrote to memory of 4564	4624	42059b5679eac807aa558ccf8473c6f0N.exe	87
PID 4624 wrote to memory of 4564	4624	42059b5679eac807aa558ccf8473c6f0N.exe	87
PID 4624 wrote to memory of 4564	4624	42059b5679eac807aa558ccf8473c6f0N.exe	87
PID 4292 wrote to memory of 3224	4292	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe	88
PID 4292 wrote to memory of 3224	4292	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe	88
PID 4292 wrote to memory of 3224	4292	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe	88
PID 4292 wrote to memory of 4924	4292	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe	89
PID 4292 wrote to memory of 4924	4292	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe	89
PID 4292 wrote to memory of 4924	4292	{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe	89
PID 3224 wrote to memory of 1228	3224	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe	92
PID 3224 wrote to memory of 1228	3224	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe	92
PID 3224 wrote to memory of 1228	3224	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe	92
PID 3224 wrote to memory of 4084	3224	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe	93
PID 3224 wrote to memory of 4084	3224	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe	93
PID 3224 wrote to memory of 4084	3224	{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe	93
PID 1228 wrote to memory of 4884	1228	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe	95
PID 1228 wrote to memory of 4884	1228	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe	95
PID 1228 wrote to memory of 4884	1228	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe	95
PID 1228 wrote to memory of 3040	1228	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe	96
PID 1228 wrote to memory of 3040	1228	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe	96
PID 1228 wrote to memory of 3040	1228	{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe	96
PID 4884 wrote to memory of 4708	4884	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe	97
PID 4884 wrote to memory of 4708	4884	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe	97
PID 4884 wrote to memory of 4708	4884	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe	97
PID 4884 wrote to memory of 1684	4884	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe	98
PID 4884 wrote to memory of 1684	4884	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe	98
PID 4884 wrote to memory of 1684	4884	{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe	98
PID 4708 wrote to memory of 4416	4708	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe	99
PID 4708 wrote to memory of 4416	4708	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe	99
PID 4708 wrote to memory of 4416	4708	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe	99
PID 4708 wrote to memory of 4032	4708	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe	100
PID 4708 wrote to memory of 4032	4708	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe	100
PID 4708 wrote to memory of 4032	4708	{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe	100
PID 4416 wrote to memory of 2032	4416	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe	101
PID 4416 wrote to memory of 2032	4416	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe	101
PID 4416 wrote to memory of 2032	4416	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe	101
PID 4416 wrote to memory of 1020	4416	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe	102
PID 4416 wrote to memory of 1020	4416	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe	102
PID 4416 wrote to memory of 1020	4416	{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe	102
PID 2032 wrote to memory of 1588	2032	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe	103
PID 2032 wrote to memory of 1588	2032	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe	103
PID 2032 wrote to memory of 1588	2032	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe	103
PID 2032 wrote to memory of 4120	2032	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe	104
PID 2032 wrote to memory of 4120	2032	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe	104
PID 2032 wrote to memory of 4120	2032	{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe	104
PID 1588 wrote to memory of 4080	1588	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe	105
PID 1588 wrote to memory of 4080	1588	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe	105
PID 1588 wrote to memory of 4080	1588	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe	105
PID 1588 wrote to memory of 2460	1588	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe	106
PID 1588 wrote to memory of 2460	1588	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe	106
PID 1588 wrote to memory of 2460	1588	{F7358D80-CC56-493b-9875-2113E9E5F359}.exe	106

C:\Users\Admin\AppData\Local\Temp\42059b5679eac807aa558ccf8473c6f0N.exe
"C:\Users\Admin\AppData\Local\Temp\42059b5679eac807aa558ccf8473c6f0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe
  C:\Windows\{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe
    C:\Windows\{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe
      C:\Windows\{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe
        
        C:\Windows\{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Windows\{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe
        
        C:\Windows\{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe
        
        C:\Windows\{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe
        
        C:\Windows\{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{F7358D80-CC56-493b-9875-2113E9E5F359}.exe
        
        C:\Windows\{F7358D80-CC56-493b-9875-2113E9E5F359}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}.exe
        
        C:\Windows\{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7358~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E142~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C00D1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB87F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76B6E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECEA7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7FBB4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E1BC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\42059B~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E1BC0AD-8871-4af9-BDC0-BEA126BD6D03}.exe

Filesize
90KB

MD5
120aeb8f19949d6b65448c635a490547

SHA1
62d3eb00d2aebe5c94236660c7be7dd7c14843c5

SHA256
ca4d33c374158f25675e3b381d3fa2e2830639d7e07827a996942a063d4c07bf

SHA512
ce220fcea3ff9b724c7ccf14675e95f7b9a83aee121d610b924bf347ab048453af9dc01693786ca211dc33b9626a3d59655718a79fc7785c6a805a1259f5dc4d

Download Submit
C:\Windows\{1E1428CF-4FE5-47d3-A3C0-6A5220E47DDD}.exe

Filesize
90KB

MD5
59d1ce2f383bec6dff8ce5599ac1b40b

SHA1
cf1f790e96b36ba4a10f609a20e98da78d9f8cc1

SHA256
82ba78c2ce17bdbc8edb53cc87c6b1249c291a2743a60b5cd425ba03ca1ab8a8

SHA512
80bf3793e06a2999825ce5a20176aba5429f7ceecf360a83263f63cd4945dd34ea3beeb2c507509f73e0c41257e6f3769d432ec9aa050c3d0d78b6119ccc836a

Download Submit
C:\Windows\{76B6E906-51C5-4894-9D0F-73EE0840988F}.exe

Filesize
90KB

MD5
b0bc8885c7c1cf51b6d78fc8b955c9f3

SHA1
fd5e3fca7f35f03281bb596528252ca026443939

SHA256
98cec08eedf8e9325985fb1136ab82462288e29478c5b09c879cead3bdda3e32

SHA512
8e911c2b2cbe7757722bf2d2acd992f539881c1b5faa85f2b54812b3127104a7b159c7e772a643ec2d10cea791a152ae7ab3b0c79ae4c250300ca39bf1dac332

Download Submit
C:\Windows\{7FBB4F51-F54C-462d-A4CD-5EEF8046209A}.exe

Filesize
90KB

MD5
1d10773d400b175eab0e8656fe95554f

SHA1
98683b99bc7213d8e2ea0fadd40a8a1c3c4ac1e5

SHA256
fbc960e8f8d2cf730befa4c7c267ff8056dbc811a454b79972b87f973e087386

SHA512
ec2dc7b1a031aecd7ef48ad9b35774dd7ecb4ae6ddd865e7514f23bd921d14b7cbbe6334ce30ffe9c7a7d99125701b347857c0259bd733aa28cf03d812da3ffa

Download Submit
C:\Windows\{C00D138B-6E8A-45f1-89A0-19BD402246B7}.exe

Filesize
90KB

MD5
5084d14f1c3b7a2791f4b8b46133ff1c

SHA1
459a577c78a8c535cef4d40361dc3246cd63b27b

SHA256
595da7bec70f7708342f2f34e357e618ea9ae0ad80ac840cd2ecf594a52587f3

SHA512
1d7eb23c20afd94e1e1bed09378a0339bafe50c0fbfbef6ab0ea6823b299d38eb0561daff2ffe8e47b6646d8b129be2e4e64d4c94fff4715956811ca82f13585

Download Submit
C:\Windows\{C5714819-CDDC-45e7-ACF5-DF7F1A452E4D}.exe

Filesize
90KB

MD5
c7c9f1ca0119aac660b751f6fb4175ff

SHA1
e089b0b40e4a0c80c3beb88a050b6385685f6616

SHA256
7c6b1cb2e9bb6413f323e1cb3f5832aa6e676d2d2290fff694358167fb5d9a87

SHA512
ed3213758d25e2b66d23ba2941a8f9b8dbc4c30a695df926f414c6891fc87a20e35a1f997f416c2c4dea6ea6049d6803731d26e8b1345624f2e0e59e7c8a16ec

Download Submit
C:\Windows\{ECEA78C4-3AE2-4294-A468-915896EEB333}.exe

Filesize
90KB

MD5
ee6e04b065745da574a9db5caa419507

SHA1
c7e1fdf8afebe6518123556f499c79e9f92ff2a1

SHA256
6fbb2e9819234e9209f2a0642e8c7adbb29d63d61674b9e8edfa717c809d2074

SHA512
d2235e2abca07360f91168e0a740d6a087042f5ec3d9cca5e9dc54ed66f2c1937568d88fb2543a81f31d879e664bfe84a65e01b0ae909860b2320d53c74fd18c

Download Submit
C:\Windows\{F7358D80-CC56-493b-9875-2113E9E5F359}.exe

Filesize
90KB

MD5
d654251e81b4fcf3c8e3a12d0cd4eeb8

SHA1
ca290aba412a67137d7d1f10140635c70115e329

SHA256
b220243169ea809fb1204c9e83c3eb4f512b0ad79e380b34546eab4b83edc1ac

SHA512
179e2bd9a85a41fca28291447018fcc6e6d1418a194cbf7137585c3fc9f94a3b0e3096f2e5b6c47675c8d1ec81ddc7e6f68b6b33ff4bc27504f204a1f8edf616

Download Submit
C:\Windows\{FB87F253-6D3C-40ee-91F2-1CD691071FAE}.exe

Filesize
90KB

MD5
3d97936178999ecdffd0c51541f7ff2c

SHA1
e54c8c38d981c852ffcea19cef84a47a7f438c61

SHA256
6362ff320a492ba517c10d3ea4c59425ae08f2e990c3f30138f0276cf6466081

SHA512
acdc8e50130512cd347e645ff13a25a1995bd4c0e95bf174f83da435a439d7d0768da03ca0e79ce532c4a9d36036af259d5aad3e0bdfde49002a6ddea15580a2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads