c31ff250271e6a3c72a7d7b689ab4aaedd94b38354f38e4fc667506b8332cb3b

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

846781ee84e4b5c1b5efab7d5c1bb570N.exe
Size

89KB
MD5

846781ee84e4b5c1b5efab7d5c1bb570
SHA1

17900d3d822ab790a535f75b573829ef606ac15b
SHA256

c31ff250271e6a3c72a7d7b689ab4aaedd94b38354f38e4fc667506b8332cb3b
SHA512

94b50793dc8197204c62a9b0d49640141c3430c98a09a6cc4e85b6965f57fe6f9ee18181de8ad322bc0fdb100aad991e90d8b430815f6889bb3c05ecb6c37569
SSDEEP

768:5vw9816thKQLroI04/wQkNrfrunMxVFA3k:lEG/0oDlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F38EA638-9F84-474e-9B60-DBE43D779ADD}	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F38EA638-9F84-474e-9B60-DBE43D779ADD}\stubpath = "C:\\Windows\\{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe"	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78BB6802-F750-4808-B8C4-AFE670388B60}	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78BB6802-F750-4808-B8C4-AFE670388B60}\stubpath = "C:\\Windows\\{78BB6802-F750-4808-B8C4-AFE670388B60}.exe"	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}\stubpath = "C:\\Windows\\{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe"	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E45659-AFE4-479f-8738-0F45BE0291BE}\stubpath = "C:\\Windows\\{A9E45659-AFE4-479f-8738-0F45BE0291BE}.exe"	{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}	846781ee84e4b5c1b5efab7d5c1bb570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0B291CE-E337-4106-BDE4-92B4A142F4E9}\stubpath = "C:\\Windows\\{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe"	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}\stubpath = "C:\\Windows\\{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe"	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E45659-AFE4-479f-8738-0F45BE0291BE}	{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}\stubpath = "C:\\Windows\\{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe"	846781ee84e4b5c1b5efab7d5c1bb570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}\stubpath = "C:\\Windows\\{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe"	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}\stubpath = "C:\\Windows\\{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe"	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0B291CE-E337-4106-BDE4-92B4A142F4E9}	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe
2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe
2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe
3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe
876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe
3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe
2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe
696	{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe
2240	{A9E45659-AFE4-479f-8738-0F45BE0291BE}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe
File created	C:\Windows\{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe
File created	C:\Windows\{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe
File created	C:\Windows\{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe
File created	C:\Windows\{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe
File created	C:\Windows\{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe
File created	C:\Windows\{A9E45659-AFE4-479f-8738-0F45BE0291BE}.exe	{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe
File created	C:\Windows\{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	846781ee84e4b5c1b5efab7d5c1bb570N.exe
File created	C:\Windows\{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9E45659-AFE4-479f-8738-0F45BE0291BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	846781ee84e4b5c1b5efab7d5c1bb570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe
Token: SeIncBasePriorityPrivilege	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe
Token: SeIncBasePriorityPrivilege	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe
Token: SeIncBasePriorityPrivilege	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe
Token: SeIncBasePriorityPrivilege	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe
Token: SeIncBasePriorityPrivilege	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe
Token: SeIncBasePriorityPrivilege	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe
Token: SeIncBasePriorityPrivilege	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe
Token: SeIncBasePriorityPrivilege	696	{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2068	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe	30
PID 1064 wrote to memory of 2068	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe	30
PID 1064 wrote to memory of 2068	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe	30
PID 1064 wrote to memory of 2068	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe	30
PID 1064 wrote to memory of 2812	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe	31
PID 1064 wrote to memory of 2812	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe	31
PID 1064 wrote to memory of 2812	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe	31
PID 1064 wrote to memory of 2812	1064	846781ee84e4b5c1b5efab7d5c1bb570N.exe	31
PID 2068 wrote to memory of 2880	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	32
PID 2068 wrote to memory of 2880	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	32
PID 2068 wrote to memory of 2880	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	32
PID 2068 wrote to memory of 2880	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	32
PID 2068 wrote to memory of 1652	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	33
PID 2068 wrote to memory of 1652	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	33
PID 2068 wrote to memory of 1652	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	33
PID 2068 wrote to memory of 1652	2068	{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe	33
PID 2880 wrote to memory of 2608	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	34
PID 2880 wrote to memory of 2608	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	34
PID 2880 wrote to memory of 2608	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	34
PID 2880 wrote to memory of 2608	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	34
PID 2880 wrote to memory of 2640	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	35
PID 2880 wrote to memory of 2640	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	35
PID 2880 wrote to memory of 2640	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	35
PID 2880 wrote to memory of 2640	2880	{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe	35
PID 2608 wrote to memory of 3036	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	36
PID 2608 wrote to memory of 3036	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	36
PID 2608 wrote to memory of 3036	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	36
PID 2608 wrote to memory of 3036	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	36
PID 2608 wrote to memory of 2708	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	37
PID 2608 wrote to memory of 2708	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	37
PID 2608 wrote to memory of 2708	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	37
PID 2608 wrote to memory of 2708	2608	{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe	37
PID 3036 wrote to memory of 876	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	38
PID 3036 wrote to memory of 876	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	38
PID 3036 wrote to memory of 876	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	38
PID 3036 wrote to memory of 876	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	38
PID 3036 wrote to memory of 316	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	39
PID 3036 wrote to memory of 316	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	39
PID 3036 wrote to memory of 316	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	39
PID 3036 wrote to memory of 316	3036	{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe	39
PID 876 wrote to memory of 3040	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	40
PID 876 wrote to memory of 3040	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	40
PID 876 wrote to memory of 3040	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	40
PID 876 wrote to memory of 3040	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	40
PID 876 wrote to memory of 2580	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	41
PID 876 wrote to memory of 2580	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	41
PID 876 wrote to memory of 2580	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	41
PID 876 wrote to memory of 2580	876	{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe	41
PID 3040 wrote to memory of 2848	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	42
PID 3040 wrote to memory of 2848	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	42
PID 3040 wrote to memory of 2848	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	42
PID 3040 wrote to memory of 2848	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	42
PID 3040 wrote to memory of 2956	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	43
PID 3040 wrote to memory of 2956	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	43
PID 3040 wrote to memory of 2956	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	43
PID 3040 wrote to memory of 2956	3040	{78BB6802-F750-4808-B8C4-AFE670388B60}.exe	43
PID 2848 wrote to memory of 696	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	44
PID 2848 wrote to memory of 696	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	44
PID 2848 wrote to memory of 696	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	44
PID 2848 wrote to memory of 696	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	44
PID 2848 wrote to memory of 640	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	45
PID 2848 wrote to memory of 640	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	45
PID 2848 wrote to memory of 640	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	45
PID 2848 wrote to memory of 640	2848	{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe	45

C:\Users\Admin\AppData\Local\Temp\846781ee84e4b5c1b5efab7d5c1bb570N.exe
"C:\Users\Admin\AppData\Local\Temp\846781ee84e4b5c1b5efab7d5c1bb570N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe
  C:\Windows\{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe
    C:\Windows\{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe
      C:\Windows\{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe
        
        C:\Windows\{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe
        
        C:\Windows\{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{78BB6802-F750-4808-B8C4-AFE670388B60}.exe
        
        C:\Windows\{78BB6802-F750-4808-B8C4-AFE670388B60}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe
        
        C:\Windows\{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe
        
        C:\Windows\{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Windows\{A9E45659-AFE4-479f-8738-0F45BE0291BE}.exe
        
        C:\Windows\{A9E45659-AFE4-479f-8738-0F45BE0291BE}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA2C5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BAB8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78BB6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B29~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F38EA~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98757~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2100B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E7968~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\846781~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2100B7CE-C36A-4e18-985A-6DBDF96AA0AD}.exe

Filesize
89KB

MD5
a767580e5e4ab4779d64a6033cb8bf98

SHA1
9e9f5de589c927bfbd8baa3901dfc707aafbdb82

SHA256
65a499a6c58daa572ea75913243dd0707b6e7b3432f6d7b07ade93cd77e07014

SHA512
9c3e83ee96160cc2a816415cf09cd5635c06ba985b838087c25fa7dc4efe939bd9983ef22c276461548286a2cd45b184fb1b4553fb5f09e120e61b6095b38a80

Download Submit
C:\Windows\{4BAB8EA1-4CE1-4a83-AC4D-BDCB11C6F93C}.exe

Filesize
89KB

MD5
bc002d873fd49b734f80e0a2e6458f9b

SHA1
5d38106607eec04d89ac32eea3c3a6ec0b048ed5

SHA256
5d48c081bc3c469e1c5ef1e0589f18bd227dc4757ffc947ce61eb1541240b3e5

SHA512
ff18b28268168b8d3ad2b7fdb0b9dc321565af089e916708fb196f902bf4542f52e856b197d04afde4de61d5bd538e6010e9b3018de0a1ded3b587601a2ef52e

Download Submit
C:\Windows\{78BB6802-F750-4808-B8C4-AFE670388B60}.exe

Filesize
89KB

MD5
f5e8306b0d8d4d0f169fca3fbbfeb606

SHA1
ea239e77bba71a4564ff23a5d481c6ed51453f01

SHA256
6186b179ec79d2a5326229079051e57911328b665f799938ca58ae65a9632a15

SHA512
2c692aa6ecc18ce9f865d39e5d51d02c17828faaa008467986f06d9564f8a9c1d5ce281806e5befaca28724ddd63882628a408ba1580b1490d7e31fb8d544943

Download Submit
C:\Windows\{987573CE-F348-4bf9-80A9-BDEE77C1C2E3}.exe

Filesize
89KB

MD5
fb4ebd5f701ce6f8e34c37e5e2ea58de

SHA1
63c0a50ff51eb1f7173fc9b114032fd1af097a69

SHA256
0338268d394edb6d2ff7ab267202822406b022217edfe7dce60645a96fb48036

SHA512
9daf3b906697aafef42e0f43db9bbc5aca8fe8c83fe75df4ee5d2e05c0b5e74310866443b9aa5930483d9fd6250dc41a20434a846781a4d10bc1e9dff00b6683

Download Submit
C:\Windows\{A9E45659-AFE4-479f-8738-0F45BE0291BE}.exe

Filesize
89KB

MD5
a3c953357db82c1c7dfe5ca2beb60a00

SHA1
3ce767ed6c24e63b64b62d41e30dbb61c022c564

SHA256
6a7848ff169230bcff7a3c7606879babc04b4e3b519f4dd17cc3e17835c5a85f

SHA512
8fe41ed963b74619fd3a8fb1e37aa2682014033040c3ee917a7bd76049669ac69e4b82e11f5bfe9197006e58bb10878474ea2e95c1612b0c1e1b3e848ce142de

Download Submit
C:\Windows\{D0B291CE-E337-4106-BDE4-92B4A142F4E9}.exe

Filesize
89KB

MD5
5dd7e57c17c674a7032b3ee030a9ad56

SHA1
9f665449a4bc5f7bce1f5a49211ec0420b45e674

SHA256
c71859ffdee1b26b091a247d27cc0409ac4ba20b61871ec0c7898c8956f63ecf

SHA512
78b1085e28e2befe894429e0e7a57122e8bf96d5a2f3f1d98c09dba797606d95c8155365753243204e77f056705c9547cf4d4f7959bd81170801b7a96dea825c

Download Submit
C:\Windows\{DA2C5AB7-5EEA-4d2c-BFB0-972AF552B172}.exe

Filesize
89KB

MD5
56d21957268646a29109cb37bc4af324

SHA1
d9e1b60f0c51b9a0764de2c6cfe153d9d4ec68bb

SHA256
a26d4226846c3d1bceeee4948484ac12c2f5d299ce2c3343a3389f98e1a57e22

SHA512
1d1eaf2dc76d4af2e431424d165625787e8e0300a3ec64007ace9045c9b320066b01f8c325ccdcba1fecda1fb475a02163c3ded75d48fa4b8d5e2f9eeb0211b0

Download Submit
C:\Windows\{E79688F3-39CF-4bfd-A1F4-403CB1EBD4FC}.exe

Filesize
89KB

MD5
c2d92a5bc49891454e2512f9f031fc88

SHA1
31922b3239b14f36b41d82c1f31bc85ee0be2aa8

SHA256
055bf62c0712c19a684cf1bc01521d1f51b4ef77e76ceb1541fc850bf1a8910b

SHA512
e1901185ec5c2df6aea3a6a01cd5667e0639a64612f9983edf9b7c8896434a09ed6c471967f4e132abb452945f04f32f05ab6476ab125ee2f82e0dd92ed1d9e9

Download Submit
C:\Windows\{F38EA638-9F84-474e-9B60-DBE43D779ADD}.exe

Filesize
89KB

MD5
4a6da64f8f765c33f3339f93b58d3458

SHA1
2c3c5bd86a74356a94e3b8cae20874991c1eed54

SHA256
f87d2c91c2f7912064630135ecb1c5254e7818560b35dd4efcc17d82ded5d166

SHA512
3e11e07b265a2cd3736e5e749eba3a5acc9c996d057a0a465deff3031f42b739899c5944a3a7d3dcbe653b0a20b1d928b62f8bda43595e76f6fe260f493e223c

Download Submit
memory/696-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/876-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/876-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1064-8-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1064-7-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1064-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1064-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2068-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2068-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2848-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2848-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3036-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3036-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads