731015f43c7f27e90928260025a5de730cf2e26c5e9b68479bcaf5350625b609

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40b15579d6bc74f709cadebf3d9af8e0N.exe
Size

89KB
MD5

40b15579d6bc74f709cadebf3d9af8e0
SHA1

a5670b35352bf55f3a528ea8dec3857f2f1596c4
SHA256

731015f43c7f27e90928260025a5de730cf2e26c5e9b68479bcaf5350625b609
SHA512

14b52f4c9526468ee7cde533965f15993fe267a77c78270afddd64cde4d6074e472ebb68bf7f3c840815a44f5d5277ab107719b25569b738a33c92e56a8e051a
SSDEEP

768:Qvw9816vhKQLroy4/wQRNrfrunMxVFA3b7glL:YEGh0oyl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{740E4237-B6D0-445c-BE46-F0213C7C4DD6}\stubpath = "C:\\Windows\\{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe"	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1070230D-D155-435b-B3CB-F2EFDCAC26CA}\stubpath = "C:\\Windows\\{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe"	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}	{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}	{FC484278-61AB-4443-833D-2DE101CD2664}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1070230D-D155-435b-B3CB-F2EFDCAC26CA}	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}\stubpath = "C:\\Windows\\{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}.exe"	{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{265EF856-0348-4d83-B0AD-277A387387BA}	40b15579d6bc74f709cadebf3d9af8e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{740E4237-B6D0-445c-BE46-F0213C7C4DD6}	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC484278-61AB-4443-833D-2DE101CD2664}	{265EF856-0348-4d83-B0AD-277A387387BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC484278-61AB-4443-833D-2DE101CD2664}\stubpath = "C:\\Windows\\{FC484278-61AB-4443-833D-2DE101CD2664}.exe"	{265EF856-0348-4d83-B0AD-277A387387BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}\stubpath = "C:\\Windows\\{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe"	{FC484278-61AB-4443-833D-2DE101CD2664}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}\stubpath = "C:\\Windows\\{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe"	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}\stubpath = "C:\\Windows\\{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe"	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91DDE78B-A703-4b7c-A39B-4EF8209114FF}	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{265EF856-0348-4d83-B0AD-277A387387BA}\stubpath = "C:\\Windows\\{265EF856-0348-4d83-B0AD-277A387387BA}.exe"	40b15579d6bc74f709cadebf3d9af8e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91DDE78B-A703-4b7c-A39B-4EF8209114FF}\stubpath = "C:\\Windows\\{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe"	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe
2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe
2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe
1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe
1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe
1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe
2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe
2108	{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe
596	{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FC484278-61AB-4443-833D-2DE101CD2664}.exe	{265EF856-0348-4d83-B0AD-277A387387BA}.exe
File created	C:\Windows\{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	{FC484278-61AB-4443-833D-2DE101CD2664}.exe
File created	C:\Windows\{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe
File created	C:\Windows\{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe
File created	C:\Windows\{265EF856-0348-4d83-B0AD-277A387387BA}.exe	40b15579d6bc74f709cadebf3d9af8e0N.exe
File created	C:\Windows\{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe
File created	C:\Windows\{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe
File created	C:\Windows\{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe
File created	C:\Windows\{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}.exe	{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC484278-61AB-4443-833D-2DE101CD2664}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{265EF856-0348-4d83-B0AD-277A387387BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40b15579d6bc74f709cadebf3d9af8e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe
Token: SeIncBasePriorityPrivilege	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe
Token: SeIncBasePriorityPrivilege	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe
Token: SeIncBasePriorityPrivilege	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe
Token: SeIncBasePriorityPrivilege	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe
Token: SeIncBasePriorityPrivilege	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe
Token: SeIncBasePriorityPrivilege	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe
Token: SeIncBasePriorityPrivilege	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe
Token: SeIncBasePriorityPrivilege	2108	{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2840	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe	30
PID 3044 wrote to memory of 2840	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe	30
PID 3044 wrote to memory of 2840	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe	30
PID 3044 wrote to memory of 2840	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe	30
PID 3044 wrote to memory of 2696	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe	31
PID 3044 wrote to memory of 2696	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe	31
PID 3044 wrote to memory of 2696	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe	31
PID 3044 wrote to memory of 2696	3044	40b15579d6bc74f709cadebf3d9af8e0N.exe	31
PID 2840 wrote to memory of 2644	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe	32
PID 2840 wrote to memory of 2644	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe	32
PID 2840 wrote to memory of 2644	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe	32
PID 2840 wrote to memory of 2644	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe	32
PID 2840 wrote to memory of 2596	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe	33
PID 2840 wrote to memory of 2596	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe	33
PID 2840 wrote to memory of 2596	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe	33
PID 2840 wrote to memory of 2596	2840	{265EF856-0348-4d83-B0AD-277A387387BA}.exe	33
PID 2644 wrote to memory of 2600	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe	34
PID 2644 wrote to memory of 2600	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe	34
PID 2644 wrote to memory of 2600	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe	34
PID 2644 wrote to memory of 2600	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe	34
PID 2644 wrote to memory of 2676	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe	35
PID 2644 wrote to memory of 2676	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe	35
PID 2644 wrote to memory of 2676	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe	35
PID 2644 wrote to memory of 2676	2644	{FC484278-61AB-4443-833D-2DE101CD2664}.exe	35
PID 2600 wrote to memory of 1304	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	36
PID 2600 wrote to memory of 1304	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	36
PID 2600 wrote to memory of 1304	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	36
PID 2600 wrote to memory of 1304	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	36
PID 2600 wrote to memory of 2276	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	37
PID 2600 wrote to memory of 2276	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	37
PID 2600 wrote to memory of 2276	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	37
PID 2600 wrote to memory of 2276	2600	{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe	37
PID 1304 wrote to memory of 1036	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	38
PID 1304 wrote to memory of 1036	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	38
PID 1304 wrote to memory of 1036	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	38
PID 1304 wrote to memory of 1036	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	38
PID 1304 wrote to memory of 2240	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	39
PID 1304 wrote to memory of 2240	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	39
PID 1304 wrote to memory of 2240	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	39
PID 1304 wrote to memory of 2240	1304	{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe	39
PID 1036 wrote to memory of 1952	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	40
PID 1036 wrote to memory of 1952	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	40
PID 1036 wrote to memory of 1952	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	40
PID 1036 wrote to memory of 1952	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	40
PID 1036 wrote to memory of 1432	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	41
PID 1036 wrote to memory of 1432	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	41
PID 1036 wrote to memory of 1432	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	41
PID 1036 wrote to memory of 1432	1036	{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe	41
PID 1952 wrote to memory of 2828	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	42
PID 1952 wrote to memory of 2828	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	42
PID 1952 wrote to memory of 2828	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	42
PID 1952 wrote to memory of 2828	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	42
PID 1952 wrote to memory of 2196	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	43
PID 1952 wrote to memory of 2196	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	43
PID 1952 wrote to memory of 2196	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	43
PID 1952 wrote to memory of 2196	1952	{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe	43
PID 2828 wrote to memory of 2108	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	44
PID 2828 wrote to memory of 2108	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	44
PID 2828 wrote to memory of 2108	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	44
PID 2828 wrote to memory of 2108	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	44
PID 2828 wrote to memory of 2400	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	45
PID 2828 wrote to memory of 2400	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	45
PID 2828 wrote to memory of 2400	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	45
PID 2828 wrote to memory of 2400	2828	{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe	45

C:\Users\Admin\AppData\Local\Temp\40b15579d6bc74f709cadebf3d9af8e0N.exe
"C:\Users\Admin\AppData\Local\Temp\40b15579d6bc74f709cadebf3d9af8e0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\{265EF856-0348-4d83-B0AD-277A387387BA}.exe
  C:\Windows\{265EF856-0348-4d83-B0AD-277A387387BA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\{FC484278-61AB-4443-833D-2DE101CD2664}.exe
    C:\Windows\{FC484278-61AB-4443-833D-2DE101CD2664}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe
      C:\Windows\{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe
        
        C:\Windows\{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Windows\{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe
        
        C:\Windows\{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe
        
        C:\Windows\{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe
        
        C:\Windows\{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe
        
        C:\Windows\{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}.exe
        
        C:\Windows\{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91DDE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10702~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14EE1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{740E4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F2BD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28F62~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC484~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{265EF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\40B155~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1070230D-D155-435b-B3CB-F2EFDCAC26CA}.exe

Filesize
89KB

MD5
4752aa07de93cf7eaf3094250f8d250c

SHA1
f7879a219fd0924d5fb8e3068060fa011c39042c

SHA256
7530e4ec9e2f818753bc976c0850fab4259c2992d62c7d851d00cb6ed4de0158

SHA512
771e45031234dc9647162a0faf9733283fd427518c0cc8bea787dc2eddd13ef73665210882b87554e8fd6773597afc3e5a82ce7dc04c83a600aa88c9e4c2d5a6

Download Submit
C:\Windows\{14EE1BBA-E1A6-4f9f-965A-49D4244BDA20}.exe

Filesize
89KB

MD5
9970298f948bd17c611a5cf4bb21944c

SHA1
f060812fa70980cf76cddef2c5e3c88605d966d4

SHA256
862201270703def4c8136ca8507d5ba3acc5175b62b7bc750519af6bf6d12695

SHA512
9240d7634c68d6533ab0b4be5ae5b892414e064103218c7bedf5ce0a0be68df746ace006d78d7da732803590c9fedd86f5adf68689c553f16e2a745e4111f54c

Download Submit
C:\Windows\{265EF856-0348-4d83-B0AD-277A387387BA}.exe

Filesize
89KB

MD5
dba7edc7f8df97ed2cb690affb4e827b

SHA1
30dc83164d1cfa19599a2df49a007dcdc58fffd7

SHA256
c983162f42437109204b0f6704c2085e46ed53da6991662057c38440d3719bc3

SHA512
669d67c8c61020ccff867da10ab14744c43163c01ee3a0b98e482a4ce86edd668832f82c936f66b4a6066142fced2a2dd53e8df9a3e8e4afefc701dd5a65ce9f

Download Submit
C:\Windows\{28F62D0C-4557-45aa-BE95-1EBB7FBF74AA}.exe

Filesize
89KB

MD5
157958fba4781ba83c2b2f9488823060

SHA1
65d7dc4c8f3d32b2e27b5764dcb0817d095dc267

SHA256
7b4fd2d27d1f03118ab56282f321e2b28baf551d2dc84ab70f438f37583ba1d2

SHA512
5440866e84302b97bf928dfe61d87a49dbf24282550584698775950ad64ad8e7c139814344d116c3fdf37e2b8739fa273924fac9e940a17970941274cafd365d

Download Submit
C:\Windows\{4607C0D3-A3D9-4b91-BB8E-5BCE7D3D9264}.exe

Filesize
89KB

MD5
6d9c9339ad2790d7b4475ce7abef18e5

SHA1
39bad5f85e47f7d55daf57c5455ede0c373d5e56

SHA256
135896047f8d6832fd9daa73c677f6ec6044f17b52f2d6d2368bffafeee1bff5

SHA512
23176dbf3eaca5ec758c0e8dd23d43a6356c48eb1a057979abffc6ffb80783a4b226352173c72076207373b04ad837628d324322c00127e7a0508a8c2c9f29f3

Download Submit
C:\Windows\{740E4237-B6D0-445c-BE46-F0213C7C4DD6}.exe

Filesize
89KB

MD5
77788361c37b3a571dae8d5967db7328

SHA1
ac55971e319bfe4e383725bb6afd954295c66d48

SHA256
57b44309e1eaca3cfd4416c208b30eddc4a95c677864233f5356ffafb4ec5509

SHA512
c540d6a54051403b06dfc71db3d982d360450e17ed71a574ae4f2c252583dec9173cf39b88062beff43b4f6f9f19b1fc2910178351955e2e76577495afedd6b9

Download Submit
C:\Windows\{91DDE78B-A703-4b7c-A39B-4EF8209114FF}.exe

Filesize
89KB

MD5
f3621e1c8c01b7c28a7ee2217d84cd64

SHA1
aee152fb416342226c7be15d87d9824281077aa7

SHA256
2d78f577d5f6cea75db026684b5b5b1537e7758871cdcddd00a4964174ed4fe4

SHA512
b27c80db34269f2e6cbd2bdc0d7e6e00ab4ec1439207025088507d9f5bc9951e0564815fc6647f3d50152f88f956c6296aefd515af28a510751f28fb3f96deab

Download Submit
C:\Windows\{9F2BDC63-497C-4166-A9A5-2E38FE70DB7F}.exe

Filesize
89KB

MD5
1ca8f8856f9a0d1c851dd508a90d7b60

SHA1
74c95b5bf35f0176a2d3ba84181e68dc928accd5

SHA256
b422fae049b569012ba27806c6d875ee191cde8e11c02dfed719adfc32c34a7d

SHA512
c7ca3b4c471ee6d54dd5e510e8a2a6fe319544157d8b50739dbe0e778738710d4e86d372a3f286b63c2b9bce42798a0ac602c75c7a74b4d51a513e56ca392756

Download Submit
C:\Windows\{FC484278-61AB-4443-833D-2DE101CD2664}.exe

Filesize
89KB

MD5
503579bb9d74c7d52496ca530545738a

SHA1
951277da1620ba5328f7d8d40df2c62701875435

SHA256
1b17b6b30364839f9d25885f4a4635578da073208a3c5cf80386a87f9ac031b5

SHA512
bc0358253b47b299a88214d2254bcbea094bf48e266ae1805f5710724a6848d6288d53c15498c574884077bc64ae1eb02044a95b31e25306e684fb3c7941a662

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads