1faae5c7ee5283f37e43d06a8b874e2d24d1ffa16d2aa0fdc7382a9cdd66bc30

Analysis

max time kernel
118s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 04:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9867d77a67e0ae7cd4ac603d8ab24ee0N.exe
Size

76KB
MD5

9867d77a67e0ae7cd4ac603d8ab24ee0
SHA1

22cb9c6ac175fe31aaf2286d6b75644bd10a2e9d
SHA256

1faae5c7ee5283f37e43d06a8b874e2d24d1ffa16d2aa0fdc7382a9cdd66bc30
SHA512

0649f3c1a9ed973de7a33953462eed943c1775b1543539f2af11905d2faea6b252676d35d2f9c67154dab87ef294a06a1ead59ba3db062ef90eb77345373847e
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrop4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLrop4/wQRNrfrunMxVD

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA44805C-14C7-4525-966D-614DB9E30007}	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{132EB10A-EE46-488e-95AA-A878C39A5AA5}\stubpath = "C:\\Windows\\{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe"	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0582F0-F7C4-48b8-93A3-E401000A4A26}\stubpath = "C:\\Windows\\{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe"	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{132EB10A-EE46-488e-95AA-A878C39A5AA5}	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0582F0-F7C4-48b8-93A3-E401000A4A26}	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3045C5C-2976-4953-A158-2E75BE13BEA7}	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3045C5C-2976-4953-A158-2E75BE13BEA7}\stubpath = "C:\\Windows\\{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe"	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}\stubpath = "C:\\Windows\\{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe"	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934041C9-0D07-4122-A50F-356B4F5E8A85}\stubpath = "C:\\Windows\\{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe"	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}\stubpath = "C:\\Windows\\{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}.exe"	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA44805C-14C7-4525-966D-614DB9E30007}\stubpath = "C:\\Windows\\{EA44805C-14C7-4525-966D-614DB9E30007}.exe"	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FFD1A08-47F4-4470-A8E4-998900D85A92}	{EA44805C-14C7-4525-966D-614DB9E30007}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FFD1A08-47F4-4470-A8E4-998900D85A92}\stubpath = "C:\\Windows\\{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe"	{EA44805C-14C7-4525-966D-614DB9E30007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934041C9-0D07-4122-A50F-356B4F5E8A85}	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19541291-06C0-4ec0-8B2D-A505E07C9466}	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19541291-06C0-4ec0-8B2D-A505E07C9466}\stubpath = "C:\\Windows\\{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe"	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe

Executes dropped EXE 9 IoCs

pid	Process
2424	{EA44805C-14C7-4525-966D-614DB9E30007}.exe
4856	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe
2528	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe
2752	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe
924	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe
4728	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe
2280	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe
2684	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe
3880	{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe
File created	C:\Windows\{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe
File created	C:\Windows\{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}.exe	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe
File created	C:\Windows\{EA44805C-14C7-4525-966D-614DB9E30007}.exe	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe
File created	C:\Windows\{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe	{EA44805C-14C7-4525-966D-614DB9E30007}.exe
File created	C:\Windows\{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe
File created	C:\Windows\{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe
File created	C:\Windows\{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe
File created	C:\Windows\{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA44805C-14C7-4525-966D-614DB9E30007}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe
Token: SeIncBasePriorityPrivilege	2424	{EA44805C-14C7-4525-966D-614DB9E30007}.exe
Token: SeIncBasePriorityPrivilege	4856	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe
Token: SeIncBasePriorityPrivilege	2528	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe
Token: SeIncBasePriorityPrivilege	2752	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe
Token: SeIncBasePriorityPrivilege	924	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe
Token: SeIncBasePriorityPrivilege	4728	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe
Token: SeIncBasePriorityPrivilege	2280	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe
Token: SeIncBasePriorityPrivilege	2684	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2424	2372	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe	95
PID 2372 wrote to memory of 2424	2372	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe	95
PID 2372 wrote to memory of 2424	2372	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe	95
PID 2372 wrote to memory of 5108	2372	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe	96
PID 2372 wrote to memory of 5108	2372	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe	96
PID 2372 wrote to memory of 5108	2372	9867d77a67e0ae7cd4ac603d8ab24ee0N.exe	96
PID 2424 wrote to memory of 4856	2424	{EA44805C-14C7-4525-966D-614DB9E30007}.exe	97
PID 2424 wrote to memory of 4856	2424	{EA44805C-14C7-4525-966D-614DB9E30007}.exe	97
PID 2424 wrote to memory of 4856	2424	{EA44805C-14C7-4525-966D-614DB9E30007}.exe	97
PID 2424 wrote to memory of 3028	2424	{EA44805C-14C7-4525-966D-614DB9E30007}.exe	98
PID 2424 wrote to memory of 3028	2424	{EA44805C-14C7-4525-966D-614DB9E30007}.exe	98
PID 2424 wrote to memory of 3028	2424	{EA44805C-14C7-4525-966D-614DB9E30007}.exe	98
PID 4856 wrote to memory of 2528	4856	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe	109
PID 4856 wrote to memory of 2528	4856	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe	109
PID 4856 wrote to memory of 2528	4856	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe	109
PID 4856 wrote to memory of 1528	4856	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe	110
PID 4856 wrote to memory of 1528	4856	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe	110
PID 4856 wrote to memory of 1528	4856	{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe	110
PID 2528 wrote to memory of 2752	2528	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe	111
PID 2528 wrote to memory of 2752	2528	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe	111
PID 2528 wrote to memory of 2752	2528	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe	111
PID 2528 wrote to memory of 4236	2528	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe	112
PID 2528 wrote to memory of 4236	2528	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe	112
PID 2528 wrote to memory of 4236	2528	{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe	112
PID 2752 wrote to memory of 924	2752	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe	113
PID 2752 wrote to memory of 924	2752	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe	113
PID 2752 wrote to memory of 924	2752	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe	113
PID 2752 wrote to memory of 1944	2752	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe	114
PID 2752 wrote to memory of 1944	2752	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe	114
PID 2752 wrote to memory of 1944	2752	{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe	114
PID 924 wrote to memory of 4728	924	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe	116
PID 924 wrote to memory of 4728	924	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe	116
PID 924 wrote to memory of 4728	924	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe	116
PID 924 wrote to memory of 1380	924	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe	117
PID 924 wrote to memory of 1380	924	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe	117
PID 924 wrote to memory of 1380	924	{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe	117
PID 4728 wrote to memory of 2280	4728	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe	118
PID 4728 wrote to memory of 2280	4728	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe	118
PID 4728 wrote to memory of 2280	4728	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe	118
PID 4728 wrote to memory of 432	4728	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe	119
PID 4728 wrote to memory of 432	4728	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe	119
PID 4728 wrote to memory of 432	4728	{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe	119
PID 2280 wrote to memory of 2684	2280	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe	120
PID 2280 wrote to memory of 2684	2280	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe	120
PID 2280 wrote to memory of 2684	2280	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe	120
PID 2280 wrote to memory of 1952	2280	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe	121
PID 2280 wrote to memory of 1952	2280	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe	121
PID 2280 wrote to memory of 1952	2280	{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe	121
PID 2684 wrote to memory of 3880	2684	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe	122
PID 2684 wrote to memory of 3880	2684	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe	122
PID 2684 wrote to memory of 3880	2684	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe	122
PID 2684 wrote to memory of 3964	2684	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe	123
PID 2684 wrote to memory of 3964	2684	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe	123
PID 2684 wrote to memory of 3964	2684	{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe	123

C:\Users\Admin\AppData\Local\Temp\9867d77a67e0ae7cd4ac603d8ab24ee0N.exe
"C:\Users\Admin\AppData\Local\Temp\9867d77a67e0ae7cd4ac603d8ab24ee0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{EA44805C-14C7-4525-966D-614DB9E30007}.exe
  C:\Windows\{EA44805C-14C7-4525-966D-614DB9E30007}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe
    C:\Windows\{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe
      C:\Windows\{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe
        
        C:\Windows\{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe
        
        C:\Windows\{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe
        
        C:\Windows\{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe
        
        C:\Windows\{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe
        
        C:\Windows\{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}.exe
        
        C:\Windows\{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19541~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{132EB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93404~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4CFC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3045~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF058~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7FFD1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA448~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9867D7~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{132EB10A-EE46-488e-95AA-A878C39A5AA5}.exe

Filesize
76KB

MD5
5cfe9b7537b6e47e88dc886b7d143921

SHA1
12988f71d5d01610caa5d24bbbe28e2957868c00

SHA256
2cf8afeabe9bcae38556666dd1cb09c649f01f50231d2783449b4bce8b7fcae2

SHA512
3b709600f8b673b8341c46fba10919f915936a0f6c005ead1031277164b3b100d8a6f66b4bf7bd993131ef0ff545bf64d7359ab509313bf686be995bf19a5aa6

Download Submit
C:\Windows\{19541291-06C0-4ec0-8B2D-A505E07C9466}.exe

Filesize
76KB

MD5
3325fdd14e4931e98323dedbdbd6dbd9

SHA1
84f75419accd10b32c57334dd0e4c665f04e2c8c

SHA256
9dd10164bdb38c51316db67b5a8939a06b6856b5f5301b110889b705e0c1a750

SHA512
8c0d78c7a91c8290165ae8d909b87def0f60fb45b11cd97d989de306a1d70e288cc77f1804103bf4252ba87f2826895913235c3be05ce38a14ff09e3657596eb

Download Submit
C:\Windows\{7FFD1A08-47F4-4470-A8E4-998900D85A92}.exe

Filesize
76KB

MD5
bb42206968aad5bb18f38abc6ec1e43c

SHA1
e131b396ab89b8a87fce0cfb680d1c593c211cf4

SHA256
c3c3f8ca4a224129511e0ae837d8ea86b03b9fdd171fc7f9d4da3782c25b3f2a

SHA512
fa237471e27c698d816ae02d5f01f26415882cf55d32bdb753d2e06952d37e0c7249b60c574963eb1c2cb0e9cb32df09c330b3c47f2ee441dba3a3086b690026

Download Submit
C:\Windows\{934041C9-0D07-4122-A50F-356B4F5E8A85}.exe

Filesize
76KB

MD5
170f9333d08d160886eb93ce3cc60599

SHA1
44ddb6434ce490a36fe84cddbc8f46b3d6ad7a31

SHA256
89981a67aba65aa3892a5385650f95513016c8c948cce61ddaadf3f08185899d

SHA512
6d8f5efd3a4de86cf65bb3e5feef742594271b176ae307dbe0a6577dc7f3b890f5693898bc3ad9e241491aa5ad5af690b8f5e62e50a0de9e4de1a6d921e3fd62

Download Submit
C:\Windows\{C3045C5C-2976-4953-A158-2E75BE13BEA7}.exe

Filesize
76KB

MD5
4745042f1ddff6589b1e02df9b270695

SHA1
e140bde558cbb1855033e88bae189a00c18d8cea

SHA256
40536b0d236815c824c2698aca8c5f014d2d4ed3619f07a0f0824f2e7b8614ff

SHA512
cfc4551378d0e9e49958e9857d77126d86261bdbf2c0621e06d7a8d5e2d76c6c91622230bfc4c305b44eefe31215eb3037b2068f460b88a27e1dd18ae0309376

Download Submit
C:\Windows\{C4CFC204-A6AA-4464-A273-D83ABBBA42A1}.exe

Filesize
76KB

MD5
7751811883ec8ebfec21e57fac71686c

SHA1
4620834ace3ce68ec78d7b6285059a5e4981a77a

SHA256
d79336024b8ad8a761a4b4305a6ef81775b0964048ec8b581da254a04548b766

SHA512
c2d3867ffb51bcf491be9550c27b44fe5e25033458cda1316f5813843e85f27bade4272b6880479aaa10936972c55a9e062dfc4ada8ba29e5f99b57b36f17f4d

Download Submit
C:\Windows\{CF0582F0-F7C4-48b8-93A3-E401000A4A26}.exe

Filesize
76KB

MD5
f1c5d4bf5164ee12c5f64e768dfe4947

SHA1
046c513d7dc37c6d5aa0dfc619dc014ae4ce0295

SHA256
e79b197dfdb78d134104ff42cb3752b15f5a32608d348588752bb3d9eaeba643

SHA512
72a4497b196ddd4275fdf2ce538f99dc58008f71ebbeaf683999c76815f48bc09612085afed42bd22e9e208ec78744bc509d4264d0a2730ebf83d97af520268b

Download Submit
C:\Windows\{DC3FA9A8-AD60-49f7-801F-BF6315F4BA1A}.exe

Filesize
76KB

MD5
4f67fae8a29e64ab0bc06b30e8c2c6ce

SHA1
30269df482a53a2aca9cdb76a4376b9509560af9

SHA256
daa30cfff966155730c54280f02f21ffbbe253b154aa62e4c7a97a4a59123b51

SHA512
51c1c639aa86849fb8c8983485c2b8c9bb6ffa28c8509571153cbb7ae2e01cbf7150808a80b31239ec0418832334ea84fc3fa4eae7a19d38d1829a0e3aef46a4

Download Submit
C:\Windows\{EA44805C-14C7-4525-966D-614DB9E30007}.exe

Filesize
76KB

MD5
502778c76a793e82a31846536e1ea61a

SHA1
d6eea02bba05ec8d71d87ab529c0017bcffb7625

SHA256
b8643d967fa95298c83adde38e2aed3758063218c33fca86fdda9cd28cb4f778

SHA512
9fe139f72177ec98219256f0a7aef7fce48bf7dfa749137039e7a031f07f6e22f95a82f4437c3cbb0aa6941a9ea3717ba024ffddaa000ac56fbfd2325afe34eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads