3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Size

89KB
MD5

2aef6586334840096ed23ceb9fab1320
SHA1

48bc4b2663a531b88565fbf7edee55acf7ce99c0
SHA256

3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f
SHA512

5cde108e2b2f220cc9dafa11dfaa99b2ec4710b4d9aa864fc4a4da2b482290cea2b413d6a246bef73bfb800b18d8f5a44a29984b49468f965bfd8e562d7c4813
SSDEEP

768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glL:YEGh0ovl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84815771-4490-4538-8ED8-D7CA5A0B2320}	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}\stubpath = "C:\\Windows\\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe"	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}\stubpath = "C:\\Windows\\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe"	{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}\stubpath = "C:\\Windows\\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe"	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}	{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C52CB52-3D46-4b89-B31F-CBC131194724}\stubpath = "C:\\Windows\\{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe"	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84815771-4490-4538-8ED8-D7CA5A0B2320}\stubpath = "C:\\Windows\\{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe"	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C8D77E1-B571-4cf2-A720-7B401C636E89}	{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C8D77E1-B571-4cf2-A720-7B401C636E89}\stubpath = "C:\\Windows\\{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe"	{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95EF687-F30F-477f-A7FC-098CBB1A390C}\stubpath = "C:\\Windows\\{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe"	{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C52CB52-3D46-4b89-B31F-CBC131194724}	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15C682F5-6D80-4d74-9E3D-4326F65439CF}\stubpath = "C:\\Windows\\{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe"	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}\stubpath = "C:\\Windows\\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe"	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}\stubpath = "C:\\Windows\\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe"	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}\stubpath = "C:\\Windows\\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe"	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15C682F5-6D80-4d74-9E3D-4326F65439CF}	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95EF687-F30F-477f-A7FC-098CBB1A390C}	{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
1536	{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
1588	{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
1700	{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
3068	{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
File created	C:\Windows\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
File created	C:\Windows\{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe	{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
File created	C:\Windows\{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe	{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
File created	C:\Windows\{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
File created	C:\Windows\{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
File created	C:\Windows\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
File created	C:\Windows\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
File created	C:\Windows\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
File created	C:\Windows\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe	{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
File created	C:\Windows\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Token: SeIncBasePriorityPrivilege	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
Token: SeIncBasePriorityPrivilege	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
Token: SeIncBasePriorityPrivilege	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
Token: SeIncBasePriorityPrivilege	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
Token: SeIncBasePriorityPrivilege	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
Token: SeIncBasePriorityPrivilege	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
Token: SeIncBasePriorityPrivilege	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
Token: SeIncBasePriorityPrivilege	1536	{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
Token: SeIncBasePriorityPrivilege	1588	{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
Token: SeIncBasePriorityPrivilege	1700	{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2440	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	30
PID 2104 wrote to memory of 2440	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	30
PID 2104 wrote to memory of 2440	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	30
PID 2104 wrote to memory of 2440	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	30
PID 2104 wrote to memory of 2584	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	31
PID 2104 wrote to memory of 2584	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	31
PID 2104 wrote to memory of 2584	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	31
PID 2104 wrote to memory of 2584	2104	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	31
PID 2440 wrote to memory of 2208	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	33
PID 2440 wrote to memory of 2208	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	33
PID 2440 wrote to memory of 2208	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	33
PID 2440 wrote to memory of 2208	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	33
PID 2440 wrote to memory of 2796	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	34
PID 2440 wrote to memory of 2796	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	34
PID 2440 wrote to memory of 2796	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	34
PID 2440 wrote to memory of 2796	2440	{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe	34
PID 2208 wrote to memory of 3028	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	35
PID 2208 wrote to memory of 3028	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	35
PID 2208 wrote to memory of 3028	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	35
PID 2208 wrote to memory of 3028	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	35
PID 2208 wrote to memory of 1708	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	36
PID 2208 wrote to memory of 1708	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	36
PID 2208 wrote to memory of 1708	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	36
PID 2208 wrote to memory of 1708	2208	{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe	36
PID 3028 wrote to memory of 2712	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	37
PID 3028 wrote to memory of 2712	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	37
PID 3028 wrote to memory of 2712	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	37
PID 3028 wrote to memory of 2712	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	37
PID 3028 wrote to memory of 1996	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	38
PID 3028 wrote to memory of 1996	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	38
PID 3028 wrote to memory of 1996	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	38
PID 3028 wrote to memory of 1996	3028	{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe	38
PID 2712 wrote to memory of 1300	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	39
PID 2712 wrote to memory of 1300	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	39
PID 2712 wrote to memory of 1300	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	39
PID 2712 wrote to memory of 1300	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	39
PID 2712 wrote to memory of 2888	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	40
PID 2712 wrote to memory of 2888	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	40
PID 2712 wrote to memory of 2888	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	40
PID 2712 wrote to memory of 2888	2712	{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe	40
PID 1300 wrote to memory of 2732	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	41
PID 1300 wrote to memory of 2732	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	41
PID 1300 wrote to memory of 2732	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	41
PID 1300 wrote to memory of 2732	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	41
PID 1300 wrote to memory of 2900	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	42
PID 1300 wrote to memory of 2900	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	42
PID 1300 wrote to memory of 2900	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	42
PID 1300 wrote to memory of 2900	1300	{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe	42
PID 2732 wrote to memory of 2992	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	43
PID 2732 wrote to memory of 2992	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	43
PID 2732 wrote to memory of 2992	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	43
PID 2732 wrote to memory of 2992	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	43
PID 2732 wrote to memory of 2148	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	44
PID 2732 wrote to memory of 2148	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	44
PID 2732 wrote to memory of 2148	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	44
PID 2732 wrote to memory of 2148	2732	{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe	44
PID 2992 wrote to memory of 1536	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	45
PID 2992 wrote to memory of 1536	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	45
PID 2992 wrote to memory of 1536	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	45
PID 2992 wrote to memory of 1536	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	45
PID 2992 wrote to memory of 2760	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	46
PID 2992 wrote to memory of 2760	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	46
PID 2992 wrote to memory of 2760	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	46
PID 2992 wrote to memory of 2760	2992	{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe	46

C:\Users\Admin\AppData\Local\Temp\3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
"C:\Users\Admin\AppData\Local\Temp\3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
  C:\Windows\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
    C:\Windows\{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
      C:\Windows\{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
        
        C:\Windows\{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
        
        C:\Windows\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
        
        C:\Windows\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
        
        C:\Windows\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
        
        C:\Windows\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
        
        C:\Windows\{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
        
        C:\Windows\{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe
        
        C:\Windows\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F95EF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C8D7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B920A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BF9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86ECF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0CA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84815~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C68~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2C52C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{092A9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3ADACA~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{092A98F8-41A5-4df9-8272-3C6853ABB9A8}.exe

Filesize
89KB

MD5
baa694f8d60dd0bf75aaff974f3c780b

SHA1
4665b18e89c0e46ea7a0ada8eae840bf3fa1174e

SHA256
d606a67f2b236268cfda5a17c6b33ba655fe9b868ce8334c660502ca6c66fd81

SHA512
caeed2714844af64b28a07d088a8348a210b78c4efc96df6d57e54cc220185a7ab6a6a5c6c830d4d4eff98f2a46cea42d9e5cdb2d1666649764ed378e3e94a45

Download Submit
C:\Windows\{15C682F5-6D80-4d74-9E3D-4326F65439CF}.exe

Filesize
89KB

MD5
7a27a5c18f1521ea7a061ca67b0acfc9

SHA1
2cbb3534689e54f9146bd2c85426b401f6451a0c

SHA256
f77e6b2049fa7c54fc1f478913e6069ea76c19968275baec9cfa679976ad4439

SHA512
9c7d642075d3dd22e76670169f41eddc02f7f1cd2855acf90e1ca488588add7745a749b62c2638e24e1e3b47ba76386e5f37c3cb5975a37db3d4ad0d1ea7987a

Download Submit
C:\Windows\{2C52CB52-3D46-4b89-B31F-CBC131194724}.exe

Filesize
89KB

MD5
63620f343788272f8c98097a05c18178

SHA1
5c0c640f4d00c21dd2ff3e8ff455a629f1bd4fa4

SHA256
76d905244df700ffc962cf2c07af6aee3fde17c4f4c11440aa3fd14b7818792b

SHA512
9e25a5480b60db9741d1a1cc2e9e53fbde74fc88d38b02726de7d6bdf4d598dd7698e3219f53ff5f395d44f2c4d438a619c57e2f6167b07be46a543290ed0ac0

Download Submit
C:\Windows\{84815771-4490-4538-8ED8-D7CA5A0B2320}.exe

Filesize
89KB

MD5
46897cdf65a5c3c8c6d6228c2bf4ec9a

SHA1
390a5d0d52530a4fc7ac5dfffaa6ee8802d50050

SHA256
2652f6b6da469a916d046181a42e7e1b8a670b81d493204063091c9256238af5

SHA512
db17cc861995b3c6d9ebf8f19025dd8796ed25c28bf493b4e57c6128aeed09f353c4f3a0e0dc570733fe88775f045a440a933e42f90fb11e2cfd68e638d6e991

Download Submit
C:\Windows\{86ECFBAA-5B65-43cf-A603-7C54E6AA1AD8}.exe

Filesize
89KB

MD5
1a27baa590f7034ee73fdc9fc98bee50

SHA1
b3a26dcfb4bf5b1adafcd9411469cd0433e735e6

SHA256
49d8d12186b7a6bfd693dd35f38ce64dfb865a7296809a3dfe9ba4b75fa46acf

SHA512
52c269722899084f83245867ff06838d8107d60873870cf45314cf1f8729352f5b7fa64ce1eda1b8263e142cb0d4774ec67d42e6e541b3bef00d1210fdb2fdc7

Download Submit
C:\Windows\{8C8D77E1-B571-4cf2-A720-7B401C636E89}.exe

Filesize
89KB

MD5
40c3799322ee2eef52ace83da2698d5b

SHA1
fa96e40911a9f7a032a29e313c5f780f1c4182e9

SHA256
810606eeb1f981f6a12b7e6baae52bdead6cb29e89c318cd5367d186842f800f

SHA512
27363a7f866e8791809d562a0711a7dae43c8fa31a18ef20138b92f09f7defac8f0b76647695881ff4520ccbefc374556c13aede2d63ce59dbe292638b427db3

Download Submit
C:\Windows\{B920A500-D5F1-49de-9ED8-F0F2CA5FC34F}.exe

Filesize
89KB

MD5
07935c96ee82622e5b4257f3a92d34bb

SHA1
bbc815e697a802c4295d776a7df78d495dfd3e8e

SHA256
321fa391bea952ee8aaea69f28980e505412b5dc7c9c0fa0e6ef9ba87e012194

SHA512
f759988d98adcf8cb70edaf39501bb37299b6247ff39d4fce6b702157bcbfd3f3eb1ef0eb84d08c2b6f09a78a24869e496195a4b9f5787dcf708ea21a47d9a54

Download Submit
C:\Windows\{C5BF9436-4BB4-4338-AC16-F932CB4CCB8F}.exe

Filesize
89KB

MD5
3f55504149d2ac0d4519e394b58aad48

SHA1
9fd42b2d03f4c6e8733a01c775682dff0b7141a2

SHA256
ff36e9e74b95f0a45e86455a30b0db3c86eda5fa28605dc11f7d64f3a1c3206d

SHA512
bce53302f9fb63638b02b333ebe0c63724dbf72cdbfac6bce704c0dfde9ae11c7a29ceb64b739d9be449368be6b25c387c4625f90a11ec617f098be2905efced

Download Submit
C:\Windows\{C78B686B-3E55-4702-8CD7-76F424DFCFC9}.exe

Filesize
89KB

MD5
4780a0faac470a9b09d8d82af63bb25b

SHA1
d44178b4d4030d3bf5f2deb32ae0a967b8aee151

SHA256
4722177e2091b33ae8d668a05a4caf182c51971117f7826a0898c8988a5638a9

SHA512
afc28cb524a8651a739ff42b80703ed9eca1eaf8efd8f3bfd45cd240dd7c53d588dc38ef45db84e5e97233f611b60fab9a200d55e7b87e54db7a2e8c037ced29

Download Submit
C:\Windows\{DA0CA60A-1A9B-44fa-BDF0-5B7BF7393E14}.exe

Filesize
89KB

MD5
c296a3dc135496747f6a565e4b198e38

SHA1
d4c8359f4ad9fd0a8d8b50f5087410eff8a768fd

SHA256
e5f924fe1f3a197b9e42da26d105e9a4de970da0b2a9a2f395ae42942e19c076

SHA512
a164c232b2916fbb3a4d101767a5b390b1e7bd01137aa1b230b828dcaef3f6489b1da7f23ddcf200a658691b3886632b0b125266580e8174a563e61e9b2c3ceb

Download Submit
C:\Windows\{F95EF687-F30F-477f-A7FC-098CBB1A390C}.exe

Filesize
89KB

MD5
f6df24dabcfc787da72772b48dc0b410

SHA1
4d2e9a543fe4e19df1a06b6559638fdba7813449

SHA256
d04f3e024a07e4c0abdd99be0fb6194c72c106a7a3e7c100f937675351902c87

SHA512
d7a236f5a5c78de76ec645758b324ce7979fbc7e76ebc2100a91c50549db58bcf3ef336c0de2ccfc57969346503fb19553e5b12c5d16f43a570d0832df9632c0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads