76f64b757c8a4fcb578fde5af1714cfe48e142d53441d17430f2a64621239bbe

Analysis

max time kernel
118s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 01:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85f6cd80d3af0a2d2fa7725c3166eae0N.exe
Size

83KB
MD5

85f6cd80d3af0a2d2fa7725c3166eae0
SHA1

95f527b4b0fb981c33541bb08c3e754a8be915e9
SHA256

76f64b757c8a4fcb578fde5af1714cfe48e142d53441d17430f2a64621239bbe
SHA512

aa9638bf4b07102eacb27d00758886ebaadd8327d7658bccb52a275ae274fbbd14be5f4fd6da2bcb8b4603e35a68ace0e53c8f457f7914bc2ac2eea20f10272c
SSDEEP

1536:q4Gh0o4v0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4v05outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}\stubpath = "C:\\Windows\\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe"	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EF34492-6BB0-483b-9C9E-E2539D75A40E}	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}\stubpath = "C:\\Windows\\{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe"	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23D18528-A69A-4845-AC8D-E13B9ED09A07}\stubpath = "C:\\Windows\\{23D18528-A69A-4845-AC8D-E13B9ED09A07}.exe"	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}\stubpath = "C:\\Windows\\{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe"	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15279A1F-B292-4f57-BDAE-C63BFC51F344}	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}	85f6cd80d3af0a2d2fa7725c3166eae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}\stubpath = "C:\\Windows\\{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe"	85f6cd80d3af0a2d2fa7725c3166eae0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}\stubpath = "C:\\Windows\\{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe"	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23D18528-A69A-4845-AC8D-E13B9ED09A07}	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}\stubpath = "C:\\Windows\\{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe"	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EF34492-6BB0-483b-9C9E-E2539D75A40E}\stubpath = "C:\\Windows\\{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe"	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15279A1F-B292-4f57-BDAE-C63BFC51F344}\stubpath = "C:\\Windows\\{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe"	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe

Executes dropped EXE 9 IoCs

pid	Process
1060	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe
1160	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
4652	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe
1156	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe
5076	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe
4072	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe
4248	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe
2896	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe
3540	{23D18528-A69A-4845-AC8D-E13B9ED09A07}.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/912-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/912-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000a00000002337d-4.dat	upx
behavioral2/memory/1060-5-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/912-7-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1060-8-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1060-13-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00090000000233a6-12.dat	upx
behavioral2/memory/1160-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1160-15-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000700000002344d-16.dat	upx
behavioral2/memory/1160-18-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4652-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4652-22-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000800000002344f-27.dat	upx
behavioral2/memory/4652-26-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1156-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1156-29-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1156-32-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000c00000002336c-33.dat	upx
behavioral2/memory/5076-35-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4072-40-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/5076-39-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000900000002339a-38.dat	upx
behavioral2/memory/4072-42-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000d00000002336c-45.dat	upx
behavioral2/memory/4072-46-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4248-47-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4248-49-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000700000002346b-52.dat	upx
behavioral2/memory/4248-53-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2896-54-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2896-56-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2896-61-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3540-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000f00000002336c-60.dat	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe
File created	C:\Windows\{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe
File created	C:\Windows\{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe
File created	C:\Windows\{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe
File created	C:\Windows\{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
File created	C:\Windows\{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe
File created	C:\Windows\{23D18528-A69A-4845-AC8D-E13B9ED09A07}.exe	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe
File created	C:\Windows\{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe	85f6cd80d3af0a2d2fa7725c3166eae0N.exe
File created	C:\Windows\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85f6cd80d3af0a2d2fa7725c3166eae0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23D18528-A69A-4845-AC8D-E13B9ED09A07}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	912	85f6cd80d3af0a2d2fa7725c3166eae0N.exe
Token: SeIncBasePriorityPrivilege	1060	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe
Token: SeIncBasePriorityPrivilege	1160	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
Token: SeIncBasePriorityPrivilege	4652	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe
Token: SeIncBasePriorityPrivilege	1156	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe
Token: SeIncBasePriorityPrivilege	5076	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe
Token: SeIncBasePriorityPrivilege	4072	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe
Token: SeIncBasePriorityPrivilege	4248	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe
Token: SeIncBasePriorityPrivilege	2896	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1060	912	85f6cd80d3af0a2d2fa7725c3166eae0N.exe	92
PID 912 wrote to memory of 1060	912	85f6cd80d3af0a2d2fa7725c3166eae0N.exe	92
PID 912 wrote to memory of 1060	912	85f6cd80d3af0a2d2fa7725c3166eae0N.exe	92
PID 912 wrote to memory of 4040	912	85f6cd80d3af0a2d2fa7725c3166eae0N.exe	93
PID 912 wrote to memory of 4040	912	85f6cd80d3af0a2d2fa7725c3166eae0N.exe	93
PID 912 wrote to memory of 4040	912	85f6cd80d3af0a2d2fa7725c3166eae0N.exe	93
PID 1060 wrote to memory of 1160	1060	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe	97
PID 1060 wrote to memory of 1160	1060	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe	97
PID 1060 wrote to memory of 1160	1060	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe	97
PID 1060 wrote to memory of 1228	1060	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe	98
PID 1060 wrote to memory of 1228	1060	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe	98
PID 1060 wrote to memory of 1228	1060	{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe	98
PID 1160 wrote to memory of 4652	1160	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	100
PID 1160 wrote to memory of 4652	1160	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	100
PID 1160 wrote to memory of 4652	1160	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	100
PID 1160 wrote to memory of 1296	1160	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	101
PID 1160 wrote to memory of 1296	1160	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	101
PID 1160 wrote to memory of 1296	1160	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	101
PID 4652 wrote to memory of 1156	4652	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe	103
PID 4652 wrote to memory of 1156	4652	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe	103
PID 4652 wrote to memory of 1156	4652	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe	103
PID 4652 wrote to memory of 4752	4652	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe	104
PID 4652 wrote to memory of 4752	4652	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe	104
PID 4652 wrote to memory of 4752	4652	{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe	104
PID 1156 wrote to memory of 5076	1156	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe	108
PID 1156 wrote to memory of 5076	1156	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe	108
PID 1156 wrote to memory of 5076	1156	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe	108
PID 1156 wrote to memory of 3696	1156	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe	109
PID 1156 wrote to memory of 3696	1156	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe	109
PID 1156 wrote to memory of 3696	1156	{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe	109
PID 5076 wrote to memory of 4072	5076	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe	110
PID 5076 wrote to memory of 4072	5076	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe	110
PID 5076 wrote to memory of 4072	5076	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe	110
PID 5076 wrote to memory of 2848	5076	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe	111
PID 5076 wrote to memory of 2848	5076	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe	111
PID 5076 wrote to memory of 2848	5076	{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe	111
PID 4072 wrote to memory of 4248	4072	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe	112
PID 4072 wrote to memory of 4248	4072	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe	112
PID 4072 wrote to memory of 4248	4072	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe	112
PID 4072 wrote to memory of 4768	4072	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe	113
PID 4072 wrote to memory of 4768	4072	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe	113
PID 4072 wrote to memory of 4768	4072	{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe	113
PID 4248 wrote to memory of 2896	4248	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe	118
PID 4248 wrote to memory of 2896	4248	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe	118
PID 4248 wrote to memory of 2896	4248	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe	118
PID 4248 wrote to memory of 4332	4248	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe	119
PID 4248 wrote to memory of 4332	4248	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe	119
PID 4248 wrote to memory of 4332	4248	{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe	119
PID 2896 wrote to memory of 3540	2896	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe	124
PID 2896 wrote to memory of 3540	2896	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe	124
PID 2896 wrote to memory of 3540	2896	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe	124
PID 2896 wrote to memory of 3320	2896	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe	125
PID 2896 wrote to memory of 3320	2896	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe	125
PID 2896 wrote to memory of 3320	2896	{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe	125

C:\Users\Admin\AppData\Local\Temp\85f6cd80d3af0a2d2fa7725c3166eae0N.exe
"C:\Users\Admin\AppData\Local\Temp\85f6cd80d3af0a2d2fa7725c3166eae0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe
  C:\Windows\{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
    C:\Windows\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe
      C:\Windows\{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe
        
        C:\Windows\{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe
        
        C:\Windows\{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe
        
        C:\Windows\{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe
        
        C:\Windows\{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe
        
        C:\Windows\{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{23D18528-A69A-4845-AC8D-E13B9ED09A07}.exe
        
        C:\Windows\{23D18528-A69A-4845-AC8D-E13B9ED09A07}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15279~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD37E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{316CD~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EF34~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BB8C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4FAB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F1AAC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FBA5E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\85F6CD~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EF34492-6BB0-483b-9C9E-E2539D75A40E}.exe

Filesize
83KB

MD5
8a74fea04e12b70660b41dff9270f07e

SHA1
92161717f1c32578bd32e52d104cb37320955607

SHA256
2827e80a3fae32a4fc591f0343b2dcb89ee81e333ab3535c8f237850cedf1fb6

SHA512
c0886213b08e83b1bffbfafb1bc4d245b44decb6ba6edeaae374d7a77f95e8b0f02582f214ef44867e6ac516a7faa3923241826f8eff7d442567cfa50638a841

Download Submit
C:\Windows\{15279A1F-B292-4f57-BDAE-C63BFC51F344}.exe

Filesize
83KB

MD5
f32b975e94e3fc5ac44f19d4360e0d1a

SHA1
7fe9c59cb076a20ae0ffb855e731b9bdbdb63cd4

SHA256
3303aac804fd76aad18a8eb6fa2111b42dc4d08dd6ef92afa647fc6f0d9d716b

SHA512
8bd3052e2a80cc3a9ba6bcfff170885a07b0a00adf871569689d65c2eb003dd52284bbf2691386411a5e0decc534d789328c438a3d42087e62f74d6712f3be61

Download Submit
C:\Windows\{23D18528-A69A-4845-AC8D-E13B9ED09A07}.exe

Filesize
83KB

MD5
9367c6bd2a40601f69c1439a161122a1

SHA1
69c90323d65213d1a646cd4ce2e545339c9b969a

SHA256
02fe347efb629e1c9848899b96e90427c7adff17118a19871795df8ae13b9c18

SHA512
7cf474205b050a094ee0bac15b864e0b8b0db7c072f45f2943744b66d188b2d1ad8cba339dc5f6dfcdb3ac7ac82d7cb8cb29b81d7ce5e1d5510b97dab5d2822f

Download Submit
C:\Windows\{316CD1ED-F4D2-44e6-8C95-1A1003FE37F0}.exe

Filesize
83KB

MD5
9209322a0cc96d8ef755682646d56c40

SHA1
f6848096e8deaa40bb2dd0ba0cea66c8b4fe0c13

SHA256
86762070a17f9532a243481a40773ecb5ba2d68637f7c81cd336dfdd650e3a2f

SHA512
0c3728a50ac9e23fb309f542a15ba0bf3bea0b09fbe164896cd256346937a0b0df48e6667793b10fe90a7cc0e5ac1f07523617a1d756ede74097102ffcc109db

Download Submit
C:\Windows\{8BB8CBEB-F59B-4eb3-A6E5-02F53E987219}.exe

Filesize
83KB

MD5
074fc7439a3cd12a5b180fc5ea8ea5a6

SHA1
945fcd672934e6a85c8ac964ba306673ba632a11

SHA256
b901e55469e4680fbaf60e510e3ce9965bdaa3eae4cbfec1fcdc3b80259548bd

SHA512
2cbfb14a0f50daa39d10fa9a165642393f1a5821fa7ad706e943486ceb6af0302b11f8920aff2ff9065d28c6e03f961937e3de9438e65b8a6130b11719f03447

Download Submit
C:\Windows\{AD37EF03-7654-45a2-BBAD-8C85BBA6D29B}.exe

Filesize
83KB

MD5
3c28d6d3ea530433304b84c01496bca1

SHA1
d8e5162d1a7ac98e661504a93d3d1bd7ed7d9dea

SHA256
6e13a86bb2c9f0fcc5b15951a999645a9e2b4f50ae1495af9159f85c53e2ace0

SHA512
fb392480dddf4f504a1ccd5e6daf257ae24dd6653bad49a70b072abb7a8dbe749c16f097f9a2bf35daff1ccd5ac9efd4e3c9701692a7ab8b5fe01e77414c9f9c

Download Submit
C:\Windows\{C4FABA40-5C10-4c7d-84A8-CE9D73C5E5B3}.exe

Filesize
83KB

MD5
c32aa0dde7a6df31aedc2f8d0aa6fea5

SHA1
618f3bad88e065aa8a1f6f1d7806b369505b4435

SHA256
47216a380858a2ad476a5f56f2fb953152e991724c5007e730a1abf8ecdda0bc

SHA512
ceee287629b5001161c9362520cabfa4cebbaedcdc4a8a0d992139baac86712eb9fc0bac8f4e0e9d31a5f9e095b6c324b8d602032531bce1de5959a489caaa06

Download Submit
C:\Windows\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe

Filesize
83KB

MD5
e53f37b92e3fbc0c6a3b7ab23520ba17

SHA1
fca424f7697d3f8c7a92e359424e94187976b89b

SHA256
607e786e17f9b9e0cf60dabd474aacda68518d010d26b4576e37bb2673df501d

SHA512
007994b94c958ac15c5749b10bf260b4eae0c91fbc98d8618001ed127a9a1cf86131b37da725ac8fca0dcc537e036f24af9c1bbd95a794c0e1a0b34cfcee0b3c

Download Submit
C:\Windows\{FBA5E475-22F5-4b78-A6AF-9F248C49D4D2}.exe

Filesize
83KB

MD5
7044f0c54681ae391d6967f37155f62d

SHA1
6b9dfdeb1c6e1d3bcf5ea0f9fbfc24dfe6f5e5ad

SHA256
a361fbecddb7f6dcaefe4b44bfa3bac72a5b0d3bceb497cca53263bd80139476

SHA512
254ae4522acff2bfa5b025d0bf1a211d24ebd9d33dd3aad41d7e59b798c3eb7ab622a648de33dc2dbff58167611843d1dc95b94ae2ece5776334ac231c200884

Download Submit
memory/912-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/912-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/912-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1060-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1060-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1060-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1156-32-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1156-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1156-29-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1160-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1160-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1160-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2896-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2896-56-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2896-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3540-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4072-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4072-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4072-46-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4248-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4248-49-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4248-53-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4652-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4652-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4652-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5076-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5076-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads