ab14494d6aed50306cdd6b13c2a10a783ec894b7b5ff18b087624b12d0eb3a01

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 12:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd239ab9a7128679c38f68cf418b1210N.exe
Size

89KB
MD5

bd239ab9a7128679c38f68cf418b1210
SHA1

283942c24db9b37b4516b7703273dc38a981610c
SHA256

ab14494d6aed50306cdd6b13c2a10a783ec894b7b5ff18b087624b12d0eb3a01
SHA512

6a780aec630a67ca646c832441b49634fad3e1ebf73941c2ef4af67cccb892c9a1780c452d9b25b19d03d1ca7db08d36026aceb3b9cbc6e7449d3d86117c6da7
SSDEEP

768:5vw9816thKQLron4/wQkNrfrunMxVFA3k:lEG/0onlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}\stubpath = "C:\\Windows\\{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe"	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA2D0966-157E-4fc1-9CDA-A4D939480567}	{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5530F218-F159-423c-B84B-79731B82D72C}	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F2B846D-4813-4850-B8FF-31EBABEA2C43}	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F2B846D-4813-4850-B8FF-31EBABEA2C43}\stubpath = "C:\\Windows\\{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe"	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{396449A6-5C32-46b7-AC6C-50891CA6A35F}	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53C62FE6-7C41-4fe0-BACF-F56C431B4090}\stubpath = "C:\\Windows\\{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe"	{5530F218-F159-423c-B84B-79731B82D72C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F4B111D-6882-400f-8366-BC6277FEB010}	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA2D0966-157E-4fc1-9CDA-A4D939480567}\stubpath = "C:\\Windows\\{FA2D0966-157E-4fc1-9CDA-A4D939480567}.exe"	{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}	bd239ab9a7128679c38f68cf418b1210N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}\stubpath = "C:\\Windows\\{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe"	bd239ab9a7128679c38f68cf418b1210N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B8EED83-E723-4905-912B-62F5E65B6843}	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F4B111D-6882-400f-8366-BC6277FEB010}\stubpath = "C:\\Windows\\{4F4B111D-6882-400f-8366-BC6277FEB010}.exe"	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B8EED83-E723-4905-912B-62F5E65B6843}\stubpath = "C:\\Windows\\{8B8EED83-E723-4905-912B-62F5E65B6843}.exe"	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{396449A6-5C32-46b7-AC6C-50891CA6A35F}\stubpath = "C:\\Windows\\{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe"	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5530F218-F159-423c-B84B-79731B82D72C}\stubpath = "C:\\Windows\\{5530F218-F159-423c-B84B-79731B82D72C}.exe"	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53C62FE6-7C41-4fe0-BACF-F56C431B4090}	{5530F218-F159-423c-B84B-79731B82D72C}.exe

Deletes itself 1 IoCs

pid	Process
2240	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe
2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe
2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe
2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe
1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe
2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe
2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe
3044	{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe
2236	{FA2D0966-157E-4fc1-9CDA-A4D939480567}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe
File created	C:\Windows\{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe
File created	C:\Windows\{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe
File created	C:\Windows\{FA2D0966-157E-4fc1-9CDA-A4D939480567}.exe	{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe
File created	C:\Windows\{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	bd239ab9a7128679c38f68cf418b1210N.exe
File created	C:\Windows\{5530F218-F159-423c-B84B-79731B82D72C}.exe	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe
File created	C:\Windows\{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	{5530F218-F159-423c-B84B-79731B82D72C}.exe
File created	C:\Windows\{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe
File created	C:\Windows\{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA2D0966-157E-4fc1-9CDA-A4D939480567}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd239ab9a7128679c38f68cf418b1210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5530F218-F159-423c-B84B-79731B82D72C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1540	bd239ab9a7128679c38f68cf418b1210N.exe
Token: SeIncBasePriorityPrivilege	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe
Token: SeIncBasePriorityPrivilege	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe
Token: SeIncBasePriorityPrivilege	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe
Token: SeIncBasePriorityPrivilege	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe
Token: SeIncBasePriorityPrivilege	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe
Token: SeIncBasePriorityPrivilege	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe
Token: SeIncBasePriorityPrivilege	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe
Token: SeIncBasePriorityPrivilege	3044	{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1692	1540	bd239ab9a7128679c38f68cf418b1210N.exe	30
PID 1540 wrote to memory of 1692	1540	bd239ab9a7128679c38f68cf418b1210N.exe	30
PID 1540 wrote to memory of 1692	1540	bd239ab9a7128679c38f68cf418b1210N.exe	30
PID 1540 wrote to memory of 1692	1540	bd239ab9a7128679c38f68cf418b1210N.exe	30
PID 1540 wrote to memory of 2240	1540	bd239ab9a7128679c38f68cf418b1210N.exe	31
PID 1540 wrote to memory of 2240	1540	bd239ab9a7128679c38f68cf418b1210N.exe	31
PID 1540 wrote to memory of 2240	1540	bd239ab9a7128679c38f68cf418b1210N.exe	31
PID 1540 wrote to memory of 2240	1540	bd239ab9a7128679c38f68cf418b1210N.exe	31
PID 1692 wrote to memory of 2748	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	32
PID 1692 wrote to memory of 2748	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	32
PID 1692 wrote to memory of 2748	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	32
PID 1692 wrote to memory of 2748	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	32
PID 1692 wrote to memory of 2756	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	33
PID 1692 wrote to memory of 2756	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	33
PID 1692 wrote to memory of 2756	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	33
PID 1692 wrote to memory of 2756	1692	{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe	33
PID 2748 wrote to memory of 2264	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	34
PID 2748 wrote to memory of 2264	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	34
PID 2748 wrote to memory of 2264	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	34
PID 2748 wrote to memory of 2264	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	34
PID 2748 wrote to memory of 2664	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	35
PID 2748 wrote to memory of 2664	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	35
PID 2748 wrote to memory of 2664	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	35
PID 2748 wrote to memory of 2664	2748	{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe	35
PID 2264 wrote to memory of 2700	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe	36
PID 2264 wrote to memory of 2700	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe	36
PID 2264 wrote to memory of 2700	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe	36
PID 2264 wrote to memory of 2700	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe	36
PID 2264 wrote to memory of 1892	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe	37
PID 2264 wrote to memory of 1892	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe	37
PID 2264 wrote to memory of 1892	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe	37
PID 2264 wrote to memory of 1892	2264	{5530F218-F159-423c-B84B-79731B82D72C}.exe	37
PID 2700 wrote to memory of 1808	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	38
PID 2700 wrote to memory of 1808	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	38
PID 2700 wrote to memory of 1808	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	38
PID 2700 wrote to memory of 1808	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	38
PID 2700 wrote to memory of 1880	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	39
PID 2700 wrote to memory of 1880	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	39
PID 2700 wrote to memory of 1880	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	39
PID 2700 wrote to memory of 1880	2700	{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe	39
PID 1808 wrote to memory of 2604	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	40
PID 1808 wrote to memory of 2604	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	40
PID 1808 wrote to memory of 2604	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	40
PID 1808 wrote to memory of 2604	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	40
PID 1808 wrote to memory of 2952	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	41
PID 1808 wrote to memory of 2952	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	41
PID 1808 wrote to memory of 2952	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	41
PID 1808 wrote to memory of 2952	1808	{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe	41
PID 2604 wrote to memory of 2836	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	42
PID 2604 wrote to memory of 2836	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	42
PID 2604 wrote to memory of 2836	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	42
PID 2604 wrote to memory of 2836	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	42
PID 2604 wrote to memory of 740	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	43
PID 2604 wrote to memory of 740	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	43
PID 2604 wrote to memory of 740	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	43
PID 2604 wrote to memory of 740	2604	{4F4B111D-6882-400f-8366-BC6277FEB010}.exe	43
PID 2836 wrote to memory of 3044	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	44
PID 2836 wrote to memory of 3044	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	44
PID 2836 wrote to memory of 3044	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	44
PID 2836 wrote to memory of 3044	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	44
PID 2836 wrote to memory of 2020	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	45
PID 2836 wrote to memory of 2020	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	45
PID 2836 wrote to memory of 2020	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	45
PID 2836 wrote to memory of 2020	2836	{8B8EED83-E723-4905-912B-62F5E65B6843}.exe	45

C:\Users\Admin\AppData\Local\Temp\bd239ab9a7128679c38f68cf418b1210N.exe
"C:\Users\Admin\AppData\Local\Temp\bd239ab9a7128679c38f68cf418b1210N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe
  C:\Windows\{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe
    C:\Windows\{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{5530F218-F159-423c-B84B-79731B82D72C}.exe
      C:\Windows\{5530F218-F159-423c-B84B-79731B82D72C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe
        
        C:\Windows\{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe
        
        C:\Windows\{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{4F4B111D-6882-400f-8366-BC6277FEB010}.exe
        
        C:\Windows\{4F4B111D-6882-400f-8366-BC6277FEB010}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{8B8EED83-E723-4905-912B-62F5E65B6843}.exe
        
        C:\Windows\{8B8EED83-E723-4905-912B-62F5E65B6843}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe
        
        C:\Windows\{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\{FA2D0966-157E-4fc1-9CDA-A4D939480567}.exe
        
        C:\Windows\{FA2D0966-157E-4fc1-9CDA-A4D939480567}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A29A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B8EE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F4B1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F2B8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53C62~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5530F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39644~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18C3B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BD239A~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18C3BF78-40B2-447c-BDA0-FDE5ECDE5742}.exe

Filesize
89KB

MD5
d851be1770bb9149b7722f992ae92048

SHA1
3f5cdcb40def34f202af650b7e491a1cf97e6cde

SHA256
d669a5cb20cd9e167ce5ae5b5d4ff2b70a213da006ec62fde994986ce080bdd9

SHA512
5e2a7800965281ea5a2c396384bf0e1b757d308d9b6030a65dd7748b4127147706dd9741819980128753e153fc95931f074c1a34e767d38725c177bb74caf409

Download Submit
C:\Windows\{2F2B846D-4813-4850-B8FF-31EBABEA2C43}.exe

Filesize
89KB

MD5
51bdca7c193f2d3e7dfdfcaa37c395f3

SHA1
1267e8cae3d119f7f683649f78f6939480e2f6be

SHA256
c0a66052fb1afb224d0e73833c4651f3fc505df38f339209089e9e828367fd8a

SHA512
311b4268f812a1f9076c8e9bf44a8ff843320fe2071885fd5a8ae60d64af09b78d57ebbfdcc223e08c87979ffb099b67d26f65d43fcd0c4fe670a9033a79e9bf

Download Submit
C:\Windows\{396449A6-5C32-46b7-AC6C-50891CA6A35F}.exe

Filesize
89KB

MD5
6ddfaa1dd68035d93d6fbe2d4a71f702

SHA1
d125738a20e668f1e11a17bceb06c8b2445e76a2

SHA256
d4d74ef43b0d6c183b7fb05d790a1947ccb6762077e2e5528def0f1cb85ee6d7

SHA512
cf978363d604792bf334190d2413c5c20e8dd2bac1b9cdfe137b105bcd57e227cbdaaebe9dd8479e5664577e21dee1d1332952656e99e4bfcaa2661397542b32

Download Submit
C:\Windows\{4F4B111D-6882-400f-8366-BC6277FEB010}.exe

Filesize
89KB

MD5
a35803057f1e9b8458ad372e0a64fd0a

SHA1
7f9b4129444c2d26175c3a0a2e5fa96931ee8cc8

SHA256
12b7db54699da6bd22f3aa2f909f4b3693b4d490f25a1c1f6989d42870f30dd5

SHA512
51b00bb74c0573cfe3d43615d5283ab160c685de499e016f4a886c0a630578b6171c381135e68b1756d759c802f4c4e397b80ccea85a5f50f46778257ec1fed9

Download Submit
C:\Windows\{53C62FE6-7C41-4fe0-BACF-F56C431B4090}.exe

Filesize
89KB

MD5
9432a694e8807eacdc95298c7c069a18

SHA1
2b0f23b01c83ecab21b04f9c791ba423ab488d31

SHA256
0d0a79469fb4dfc5c9a34fabb5ffa02dbe6fdcf3795bc6c0b84a413b990401b7

SHA512
709c606202cb2244dfd4af2e1e8c57ca09e82b1ff92ee4ed41d486d13dde754c482dbc014710c158119ebd7dc3335a6237bf95abc29ac7fb8100bc2b1f6c6779

Download Submit
C:\Windows\{5530F218-F159-423c-B84B-79731B82D72C}.exe

Filesize
89KB

MD5
9cac1ddce897bce7ef032249d49007c8

SHA1
549d365f016f1ff0223ac13f7cf7d46c46e6b469

SHA256
f2c1be66c019233d1c6225fd22c8c27478687b725de194dc739da7703b4f5117

SHA512
4e744814644b55e2f5735698e21733868bb7ec7f75afb98a73b94947e2a3e6d5f5fe2cdf852b03bd79a340eac4911d016596f539fef7903e8f54a60a0ea54674

Download Submit
C:\Windows\{8B8EED83-E723-4905-912B-62F5E65B6843}.exe

Filesize
89KB

MD5
bdad036ca44a0d425480ca48a0dfba2d

SHA1
8108615524f88c83cb18edbe0a5b14037e970588

SHA256
9b4ddba3b349235f52ab08590fca9de42c26015d4733ba5181e980a50dd1ec63

SHA512
b0e246f0fc1c8fd614d2a18dbcd090b457b75a0f2e8bdefdc712032d93b539d783f74c00cd8cb6b59a55af75e1bec8e047b18f9373b83ccf6228b4deaf9f3525

Download Submit
C:\Windows\{9A29AA6E-15E5-4279-81BE-A6CEDCCD2088}.exe

Filesize
89KB

MD5
b48ce42f6f85a9a61bce386625fca650

SHA1
8d766fff83305ae5a442fbb686b0980a30772705

SHA256
7929e10556849ed137047e18bacec9562b375e475b1ddc24a45e5b81d4f3f424

SHA512
b8286f1e006dbb666ca33f4f4e335e7be3566276c983f384bd6645eb44df1f112b3ce5d3930ed3a72ae808fd4f9266d56ad5d6204fd92e1ce7f9ceb45f8dae38

Download Submit
C:\Windows\{FA2D0966-157E-4fc1-9CDA-A4D939480567}.exe

Filesize
89KB

MD5
b42504346d5e2ef2df82e91a41a7d539

SHA1
73fbfda84360a3ed0cec5ffa8e1a06004ed6e2bb

SHA256
d39f7cc985a574b019e10d10c15ad6fc7a5b2a922b74e11a489b8a3038fb05b4

SHA512
1fe802b3b3886bae75b86196dd2948f4ffd3d6fea885f6d52fde7fe6817f2617e640d0f6fd5b9c610c43f143d96cc79aafc07414b94c8c83ff81f496e509a9e7

Download Submit
memory/1540-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1540-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1808-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1808-50-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2264-33-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2264-32-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2264-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2604-64-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/2604-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2604-75-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/2700-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-41-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2700-44-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2700-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2748-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2748-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3044-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3044-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3044-83-0x0000000001C30000-0x0000000001C41000-memory.dmp

Filesize
68KB

Download
memory/3044-82-0x0000000001C30000-0x0000000001C41000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads