9a2663820e0e42ce022adc32509f54b000d97d05d83afc929ff2787eca71d9dd

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fac50eb911c461bc08ecef1579ee400N.exe
Size

89KB
MD5

7fac50eb911c461bc08ecef1579ee400
SHA1

6617df2ae49f88bb7de8cff3c9c96b962c1c71c0
SHA256

9a2663820e0e42ce022adc32509f54b000d97d05d83afc929ff2787eca71d9dd
SHA512

225e298e4004a26bb54c38de8d9abde90977ad15f3ea0e93601c0b9b6965a05f7de24c6e17b1e0fe904c1180193334653da87e86e9af6fbae4195480fd37bc7f
SSDEEP

768:Qvw9816vhKQLroC4/wQRNrfrunMxVFA3b7glL:YEGh0oCl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}\stubpath = "C:\\Windows\\{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe"	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64D7951-D82D-4ee5-99FE-0057DE5DF923}	{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}\stubpath = "C:\\Windows\\{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe"	7fac50eb911c461bc08ecef1579ee400N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}	7fac50eb911c461bc08ecef1579ee400N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8ACC54D5-BE0B-4271-B644-66F851224674}\stubpath = "C:\\Windows\\{8ACC54D5-BE0B-4271-B644-66F851224674}.exe"	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64D7951-D82D-4ee5-99FE-0057DE5DF923}\stubpath = "C:\\Windows\\{E64D7951-D82D-4ee5-99FE-0057DE5DF923}.exe"	{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}\stubpath = "C:\\Windows\\{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe"	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}\stubpath = "C:\\Windows\\{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe"	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8ACC54D5-BE0B-4271-B644-66F851224674}	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}\stubpath = "C:\\Windows\\{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe"	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C24A2DB-C01B-411b-A549-F3F58187DBD3}	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C24A2DB-C01B-411b-A549-F3F58187DBD3}\stubpath = "C:\\Windows\\{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe"	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A954B327-BEE3-4996-B769-725B3AC2D1E2}	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A954B327-BEE3-4996-B769-725B3AC2D1E2}\stubpath = "C:\\Windows\\{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe"	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe

Deletes itself 1 IoCs

pid	Process
1992	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe
2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe
2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe
2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe
784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe
2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe
1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe
2032	{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe
2140	{E64D7951-D82D-4ee5-99FE-0057DE5DF923}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe
File created	C:\Windows\{E64D7951-D82D-4ee5-99FE-0057DE5DF923}.exe	{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe
File created	C:\Windows\{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	7fac50eb911c461bc08ecef1579ee400N.exe
File created	C:\Windows\{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe
File created	C:\Windows\{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe
File created	C:\Windows\{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe
File created	C:\Windows\{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe
File created	C:\Windows\{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe
File created	C:\Windows\{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E64D7951-D82D-4ee5-99FE-0057DE5DF923}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fac50eb911c461bc08ecef1579ee400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2328	7fac50eb911c461bc08ecef1579ee400N.exe
Token: SeIncBasePriorityPrivilege	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe
Token: SeIncBasePriorityPrivilege	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe
Token: SeIncBasePriorityPrivilege	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe
Token: SeIncBasePriorityPrivilege	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe
Token: SeIncBasePriorityPrivilege	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe
Token: SeIncBasePriorityPrivilege	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe
Token: SeIncBasePriorityPrivilege	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe
Token: SeIncBasePriorityPrivilege	2032	{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2308	2328	7fac50eb911c461bc08ecef1579ee400N.exe	30
PID 2328 wrote to memory of 2308	2328	7fac50eb911c461bc08ecef1579ee400N.exe	30
PID 2328 wrote to memory of 2308	2328	7fac50eb911c461bc08ecef1579ee400N.exe	30
PID 2328 wrote to memory of 2308	2328	7fac50eb911c461bc08ecef1579ee400N.exe	30
PID 2328 wrote to memory of 1992	2328	7fac50eb911c461bc08ecef1579ee400N.exe	31
PID 2328 wrote to memory of 1992	2328	7fac50eb911c461bc08ecef1579ee400N.exe	31
PID 2328 wrote to memory of 1992	2328	7fac50eb911c461bc08ecef1579ee400N.exe	31
PID 2328 wrote to memory of 1992	2328	7fac50eb911c461bc08ecef1579ee400N.exe	31
PID 2308 wrote to memory of 2836	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	33
PID 2308 wrote to memory of 2836	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	33
PID 2308 wrote to memory of 2836	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	33
PID 2308 wrote to memory of 2836	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	33
PID 2308 wrote to memory of 2616	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	34
PID 2308 wrote to memory of 2616	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	34
PID 2308 wrote to memory of 2616	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	34
PID 2308 wrote to memory of 2616	2308	{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe	34
PID 2836 wrote to memory of 2588	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	35
PID 2836 wrote to memory of 2588	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	35
PID 2836 wrote to memory of 2588	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	35
PID 2836 wrote to memory of 2588	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	35
PID 2836 wrote to memory of 2620	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	36
PID 2836 wrote to memory of 2620	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	36
PID 2836 wrote to memory of 2620	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	36
PID 2836 wrote to memory of 2620	2836	{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe	36
PID 2588 wrote to memory of 2304	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	37
PID 2588 wrote to memory of 2304	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	37
PID 2588 wrote to memory of 2304	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	37
PID 2588 wrote to memory of 2304	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	37
PID 2588 wrote to memory of 1900	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	38
PID 2588 wrote to memory of 1900	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	38
PID 2588 wrote to memory of 1900	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	38
PID 2588 wrote to memory of 1900	2588	{8ACC54D5-BE0B-4271-B644-66F851224674}.exe	38
PID 2304 wrote to memory of 784	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	39
PID 2304 wrote to memory of 784	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	39
PID 2304 wrote to memory of 784	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	39
PID 2304 wrote to memory of 784	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	39
PID 2304 wrote to memory of 2476	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	40
PID 2304 wrote to memory of 2476	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	40
PID 2304 wrote to memory of 2476	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	40
PID 2304 wrote to memory of 2476	2304	{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe	40
PID 784 wrote to memory of 2132	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	41
PID 784 wrote to memory of 2132	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	41
PID 784 wrote to memory of 2132	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	41
PID 784 wrote to memory of 2132	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	41
PID 784 wrote to memory of 2136	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	42
PID 784 wrote to memory of 2136	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	42
PID 784 wrote to memory of 2136	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	42
PID 784 wrote to memory of 2136	784	{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe	42
PID 2132 wrote to memory of 1460	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	43
PID 2132 wrote to memory of 1460	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	43
PID 2132 wrote to memory of 1460	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	43
PID 2132 wrote to memory of 1460	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	43
PID 2132 wrote to memory of 2960	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	44
PID 2132 wrote to memory of 2960	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	44
PID 2132 wrote to memory of 2960	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	44
PID 2132 wrote to memory of 2960	2132	{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe	44
PID 1460 wrote to memory of 2032	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	45
PID 1460 wrote to memory of 2032	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	45
PID 1460 wrote to memory of 2032	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	45
PID 1460 wrote to memory of 2032	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	45
PID 1460 wrote to memory of 1936	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	46
PID 1460 wrote to memory of 1936	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	46
PID 1460 wrote to memory of 1936	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	46
PID 1460 wrote to memory of 1936	1460	{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe	46

C:\Users\Admin\AppData\Local\Temp\7fac50eb911c461bc08ecef1579ee400N.exe
"C:\Users\Admin\AppData\Local\Temp\7fac50eb911c461bc08ecef1579ee400N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe
  C:\Windows\{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe
    C:\Windows\{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{8ACC54D5-BE0B-4271-B644-66F851224674}.exe
      C:\Windows\{8ACC54D5-BE0B-4271-B644-66F851224674}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe
        
        C:\Windows\{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe
        
        C:\Windows\{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe
        
        C:\Windows\{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe
        
        C:\Windows\{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe
        
        C:\Windows\{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{E64D7951-D82D-4ee5-99FE-0057DE5DF923}.exe
        
        C:\Windows\{E64D7951-D82D-4ee5-99FE-0057DE5DF923}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B4C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C24A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DACD7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F234~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1FA6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ACC5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A954B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2D73~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7FAC50~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5C24A2DB-C01B-411b-A549-F3F58187DBD3}.exe

Filesize
89KB

MD5
5823b8c4cf8af9bf258adab5eb1ed0f8

SHA1
ef4a9b9f7f5a24c51450641559820449477922ea

SHA256
8e9a33a405d787973613a0c9cfad6a5db838233b50eb0301d7d94a8868d0660f

SHA512
b868bd4f5a9a02b80c59e6bd58bbeb61461e866d869b1cb6353e2664859b2d22b18c58c19774d48023f8dd624d39eaf194ed63e55d731715fd74f4cfc1fe28b3

Download Submit
C:\Windows\{7F2348BB-0DBD-485c-A4C3-75BCEC78C749}.exe

Filesize
89KB

MD5
6951f140620be4752110580ce4f6ea61

SHA1
55c359a9c24f2474e23c77eaf5b15e4d424e8b62

SHA256
add195c8500ef8127707df1dbab7d270264751a9493535ed50ce2e699d7f04a5

SHA512
46cb779fff595e2e49d471d656e669199fe1c9b64fb3551069cfbc8cb7b795f7f9cbb54f35363a601d964cdda61224989ad6d7c4ef2f25c0536d23ccc47540a7

Download Submit
C:\Windows\{8ACC54D5-BE0B-4271-B644-66F851224674}.exe

Filesize
89KB

MD5
60ad321493a127bc23a732a7997182de

SHA1
02ca998e01705ac18836663f46a0e169b3bc4431

SHA256
2983a7687cda0346f2cf2d125ed39905a2542c78283f5d7be915fc2b04b7488a

SHA512
00725ed9894433536df22d8fd7227eb033d58367d63674a10a67c74a463bcb56dbbed6ab7474d7c65e7046050e75c3c9fa1fbdaa925320a3b31fc5e4453d2abc

Download Submit
C:\Windows\{A954B327-BEE3-4996-B769-725B3AC2D1E2}.exe

Filesize
89KB

MD5
129a6d81636ac50b8abb2c7ee86196b8

SHA1
2bb6dbc2499340c4c7c1e3906e7d76a63a2b0da9

SHA256
00898f7e25c0768322dd5bc917f46d466ba27442c01164d8bc42bf3f8bbce0b0

SHA512
d606e536512f68059ed20495c4091d115166d64ae811244a03f917235e2d8bf919a9d7d1ed76c1088385b06d5c2eb40048cb93cecf5b59d78689959c83d8001b

Download Submit
C:\Windows\{B6B4C1C0-A5A0-4435-9298-9D51027BF6E9}.exe

Filesize
89KB

MD5
b337750084164bc76ffdbbed4defb655

SHA1
afc296f7b603317f2bda0303c421bc7bbd92b71f

SHA256
1d2797ac9cb962c767f5fc5e500b0ed16f8877112a579e06180365d281271217

SHA512
ab910ac11519929a731bbcc8a05ad28b301278aa682ac2b0df3f3798bd3ef933ac9e6ad21e2ab5a7da5e4c2cbd042582d37836aa1fddbe0571da24c1c03d638d

Download Submit
C:\Windows\{C1FA6ADA-CAE5-457b-8E78-819C34F29EC3}.exe

Filesize
89KB

MD5
88d411af1c6e9c66543ab3e908fda039

SHA1
a3ab8346c57320920491f9c1d69ae8f18a287fed

SHA256
4dc2ec05e6c80a5b68aa791fb678acf01458db2707b066879dd80814ae31422a

SHA512
fbaa0038a163a5bb6f8ac441a42715fa8348e9c8fbbe3788803663367744e9446bb6e15029355e5d561fd0559767c7679b670724bd0898a34ecfd4f4ed3821aa

Download Submit
C:\Windows\{D2D73342-8F7B-40c0-B96F-9C1DEB69BE5B}.exe

Filesize
89KB

MD5
4c0367eb35225da8d87fc2e2f031ea2f

SHA1
4737d5b9a24dc5406d8ca69fb92a76151fa13e75

SHA256
675b55145b7725a9abc03299b048c1c7520093cb7a8439c7f2a4522864f202de

SHA512
ce343b44e33bbd566ffd207a29844722b0fff08a14734308a8e7a4c1b84516a90c9e067d54257f3b84b5fb55df7b3295f1d64d162677e5100425b9cd028786e6

Download Submit
C:\Windows\{DACD7F1F-F7CE-4234-A8FB-F68FBA9D9549}.exe

Filesize
89KB

MD5
b34f97a0a78126f6996f591a51ede67d

SHA1
3c05d2b283f129b959732fa28632e43c74346ea3

SHA256
9c51ce2197118bae395c1257f4bad20263eb60626f9795955ff025ca194cbb99

SHA512
cbc5d73a7718667f312260c471365d022bc6b37381c835c62d944ee2ad0b14281c1cc4a20d73204d9425a6776110b07f9ad727f36e4e96a371b746ff11b7bce2

Download Submit
C:\Windows\{E64D7951-D82D-4ee5-99FE-0057DE5DF923}.exe

Filesize
89KB

MD5
839877190065024b5783cbab1963ac84

SHA1
e838cd60ad7187076804a537221090d6df7f8a56

SHA256
2afcb0f820c5d4c1b883b77058dc45e562428928da0dc33b5a208e8ecc4e7a70

SHA512
7dbf1f756d68c365efe6c49a3e9b2995813823f982e9e7a83607b8d23a3f08828b04e4c302e64a72528c4b064a338ffbd42eb28464914521dc6c113ef0690d6c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads