986cbc7693ed7551e343a984408bf4aa7b1b1dde47901eebcad9d8d877a55412

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aaaf0bc41226ecb2216e54587ceaa50N.exe
Size

64KB
MD5

5aaaf0bc41226ecb2216e54587ceaa50
SHA1

2bd0918395191e194a6ad128b7f4e9a4b5347d06
SHA256

986cbc7693ed7551e343a984408bf4aa7b1b1dde47901eebcad9d8d877a55412
SHA512

ccb9e8a2f75ce34a159df2e9f343acb606f1780817eb2fc133cca1b2c6d490a5c2d68b9bbf34bd75687cad4162df2a2805495979347b3332c639f0d10021ccfd
SSDEEP

192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwPuY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLro84/CFsrdF

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}\stubpath = "C:\\Windows\\{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe"	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}	5aaaf0bc41226ecb2216e54587ceaa50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E02CB9-B98B-4248-B217-5384A19CE279}\stubpath = "C:\\Windows\\{64E02CB9-B98B-4248-B217-5384A19CE279}.exe"	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3200AED-12A2-4917-B62E-C4229475B689}\stubpath = "C:\\Windows\\{B3200AED-12A2-4917-B62E-C4229475B689}.exe"	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}\stubpath = "C:\\Windows\\{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe"	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DD95E94-2E1B-4677-9D03-98E062F6C725}	{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}\stubpath = "C:\\Windows\\{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe"	5aaaf0bc41226ecb2216e54587ceaa50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E02CB9-B98B-4248-B217-5384A19CE279}	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}\stubpath = "C:\\Windows\\{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe"	{B3200AED-12A2-4917-B62E-C4229475B689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA941C51-6415-48cf-8F7D-B995279B10DA}	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA941C51-6415-48cf-8F7D-B995279B10DA}\stubpath = "C:\\Windows\\{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe"	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DD95E94-2E1B-4677-9D03-98E062F6C725}\stubpath = "C:\\Windows\\{5DD95E94-2E1B-4677-9D03-98E062F6C725}.exe"	{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3200AED-12A2-4917-B62E-C4229475B689}	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}	{B3200AED-12A2-4917-B62E-C4229475B689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C16BD791-1D29-4c46-9430-F46A1A93865C}	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C16BD791-1D29-4c46-9430-F46A1A93865C}\stubpath = "C:\\Windows\\{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe"	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe
2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe
2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe
2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe
2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe
1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe
2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe
1728	{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe
1572	{5DD95E94-2E1B-4677-9D03-98E062F6C725}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe
File created	C:\Windows\{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe
File created	C:\Windows\{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe
File created	C:\Windows\{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe
File created	C:\Windows\{5DD95E94-2E1B-4677-9D03-98E062F6C725}.exe	{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe
File created	C:\Windows\{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	5aaaf0bc41226ecb2216e54587ceaa50N.exe
File created	C:\Windows\{B3200AED-12A2-4917-B62E-C4229475B689}.exe	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe
File created	C:\Windows\{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe
File created	C:\Windows\{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	{B3200AED-12A2-4917-B62E-C4229475B689}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aaaf0bc41226ecb2216e54587ceaa50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5DD95E94-2E1B-4677-9D03-98E062F6C725}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3200AED-12A2-4917-B62E-C4229475B689}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe
Token: SeIncBasePriorityPrivilege	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe
Token: SeIncBasePriorityPrivilege	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe
Token: SeIncBasePriorityPrivilege	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe
Token: SeIncBasePriorityPrivilege	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe
Token: SeIncBasePriorityPrivilege	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe
Token: SeIncBasePriorityPrivilege	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe
Token: SeIncBasePriorityPrivilege	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe
Token: SeIncBasePriorityPrivilege	1728	{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3020	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe	31
PID 2124 wrote to memory of 3020	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe	31
PID 2124 wrote to memory of 3020	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe	31
PID 2124 wrote to memory of 3020	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe	31
PID 2124 wrote to memory of 2224	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe	32
PID 2124 wrote to memory of 2224	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe	32
PID 2124 wrote to memory of 2224	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe	32
PID 2124 wrote to memory of 2224	2124	5aaaf0bc41226ecb2216e54587ceaa50N.exe	32
PID 3020 wrote to memory of 2720	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	33
PID 3020 wrote to memory of 2720	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	33
PID 3020 wrote to memory of 2720	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	33
PID 3020 wrote to memory of 2720	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	33
PID 3020 wrote to memory of 2712	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	34
PID 3020 wrote to memory of 2712	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	34
PID 3020 wrote to memory of 2712	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	34
PID 3020 wrote to memory of 2712	3020	{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe	34
PID 2720 wrote to memory of 2836	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	35
PID 2720 wrote to memory of 2836	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	35
PID 2720 wrote to memory of 2836	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	35
PID 2720 wrote to memory of 2836	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	35
PID 2720 wrote to memory of 2692	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	36
PID 2720 wrote to memory of 2692	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	36
PID 2720 wrote to memory of 2692	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	36
PID 2720 wrote to memory of 2692	2720	{64E02CB9-B98B-4248-B217-5384A19CE279}.exe	36
PID 2836 wrote to memory of 2568	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe	37
PID 2836 wrote to memory of 2568	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe	37
PID 2836 wrote to memory of 2568	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe	37
PID 2836 wrote to memory of 2568	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe	37
PID 2836 wrote to memory of 2528	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe	38
PID 2836 wrote to memory of 2528	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe	38
PID 2836 wrote to memory of 2528	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe	38
PID 2836 wrote to memory of 2528	2836	{B3200AED-12A2-4917-B62E-C4229475B689}.exe	38
PID 2568 wrote to memory of 2936	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	39
PID 2568 wrote to memory of 2936	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	39
PID 2568 wrote to memory of 2936	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	39
PID 2568 wrote to memory of 2936	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	39
PID 2568 wrote to memory of 1316	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	40
PID 2568 wrote to memory of 1316	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	40
PID 2568 wrote to memory of 1316	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	40
PID 2568 wrote to memory of 1316	2568	{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe	40
PID 2936 wrote to memory of 1440	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	41
PID 2936 wrote to memory of 1440	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	41
PID 2936 wrote to memory of 1440	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	41
PID 2936 wrote to memory of 1440	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	41
PID 2936 wrote to memory of 2288	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	42
PID 2936 wrote to memory of 2288	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	42
PID 2936 wrote to memory of 2288	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	42
PID 2936 wrote to memory of 2288	2936	{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe	42
PID 1440 wrote to memory of 2052	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	43
PID 1440 wrote to memory of 2052	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	43
PID 1440 wrote to memory of 2052	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	43
PID 1440 wrote to memory of 2052	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	43
PID 1440 wrote to memory of 2416	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	44
PID 1440 wrote to memory of 2416	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	44
PID 1440 wrote to memory of 2416	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	44
PID 1440 wrote to memory of 2416	1440	{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe	44
PID 2052 wrote to memory of 1728	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	45
PID 2052 wrote to memory of 1728	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	45
PID 2052 wrote to memory of 1728	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	45
PID 2052 wrote to memory of 1728	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	45
PID 2052 wrote to memory of 1216	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	46
PID 2052 wrote to memory of 1216	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	46
PID 2052 wrote to memory of 1216	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	46
PID 2052 wrote to memory of 1216	2052	{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe	46

C:\Users\Admin\AppData\Local\Temp\5aaaf0bc41226ecb2216e54587ceaa50N.exe
"C:\Users\Admin\AppData\Local\Temp\5aaaf0bc41226ecb2216e54587ceaa50N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe
  C:\Windows\{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{64E02CB9-B98B-4248-B217-5384A19CE279}.exe
    C:\Windows\{64E02CB9-B98B-4248-B217-5384A19CE279}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{B3200AED-12A2-4917-B62E-C4229475B689}.exe
      C:\Windows\{B3200AED-12A2-4917-B62E-C4229475B689}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe
        
        C:\Windows\{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe
        
        C:\Windows\{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe
        
        C:\Windows\{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe
        
        C:\Windows\{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe
        
        C:\Windows\{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\{5DD95E94-2E1B-4677-9D03-98E062F6C725}.exe
        
        C:\Windows\{5DD95E94-2E1B-4677-9D03-98E062F6C725}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA941~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54BCA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ABAD~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C16BD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D840~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3200~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64E02~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6925E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5AAAF0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D840D50-067A-4bdc-ADAA-CC81DF9D222E}.exe

Filesize
64KB

MD5
31c32521186da14f7054006ec8a1fb80

SHA1
9ac5ee9bc30745f18b203e56855ba488a435848d

SHA256
ab115cdee2dc8b849efd33dd5a577d06bccdf05971c5fe3aae4368254eb5fc12

SHA512
6b62d2b850827a84c8b94401bf6f18f8e6ced3ba97f31ce8750f97578e180be6030241960894ae1a8c6059caee75e5ca13e17dcdd2db5fa11b35537c4815e38c

Download Submit
C:\Windows\{2ABAD9EF-7B3D-4b2c-A9F0-4289BFEDBEA9}.exe

Filesize
64KB

MD5
1c80fabb4439ae0acfafe933f9a2423d

SHA1
4ee26a45bcd03ab3d89dc557fab4801b04aae41d

SHA256
4d5959940bcc96cd35cb6e89db1ac530cf375acbe4d0198a630ee785b58ce2db

SHA512
2ddb1df1f8ddd8bd3e8fb5f831b90dc41b6c8e671f70502f5905f2004baaac343a0fffd3b074219b1eceaee022eb7e3f4ee6dc805a7ef28fbc8dfa71df78736b

Download Submit
C:\Windows\{54BCAC8A-B150-4cf8-BBB5-62289C2BFA16}.exe

Filesize
64KB

MD5
79079f72f38be83bd5bbbdc22c916f72

SHA1
79a3daedca2a1e445755777e557077267787504f

SHA256
0f4b05415534d80bb5f01009047e60ed2c443723a8eee3ef561e3f04ef706bcb

SHA512
4a980716fa844a48deeec183c326af6643f5a418070219f1aa025f9c60c1a569a472008a36054462cc498a9d1ee2082a131d0656558b3e0a520af66d88e37593

Download Submit
C:\Windows\{5DD95E94-2E1B-4677-9D03-98E062F6C725}.exe

Filesize
64KB

MD5
ec546bb1b949e53a4bf8df11cd1dc1a7

SHA1
e9b110c5a55d66a04c9f69074ac1ffd4748f94d6

SHA256
3790e444378fea4474de0d69680f453341adfb4fcbdc826b71182ce83aa318f1

SHA512
cdacb8132de7860478544bdea9bc99dbef03cd13747fc243703d054ce7b0a779c55311e263a1cd4df561cc9ba9ee75339fb18d841536efba5e88d6176d41b45c

Download Submit
C:\Windows\{64E02CB9-B98B-4248-B217-5384A19CE279}.exe

Filesize
64KB

MD5
c9d5ff6a2da5dc917c72d85b72183f7f

SHA1
7c87c06a6a26134908a5d189e22609d6b8eb72ef

SHA256
eaa3e2da884f36454b41ba3efee0822b0db79e34fd16c19c0b16f452f9a3aed9

SHA512
b52491bf3c161152f23683457e63db6110f1f012d3f354f91f469c02422fee0e445b6780d4a450055cac8f670becf029de159bbfec9239cb5a9e474dafb93d8f

Download Submit
C:\Windows\{6925E702-7C9D-4056-8DA2-7F5F50AB4DA0}.exe

Filesize
64KB

MD5
cb0f14f8e1cdb465918df2af5b55222f

SHA1
e64bc5e51572f730c1abbe333de409453e4b049d

SHA256
3bfe36d6e2871a683e0a09dc8ff04d2330abab424d997ef07a22e020538504f1

SHA512
ae204754e946d44a9e7642027d1224f6a62df0cc532c8008b1da5a11471c588f6ead07d8773935f78f522bb9ce3524dff7befa72e1a7dcd5a6494a12cb96365a

Download Submit
C:\Windows\{B3200AED-12A2-4917-B62E-C4229475B689}.exe

Filesize
64KB

MD5
1fc3a07cd47f01e098224c2beb6cd53a

SHA1
8b65cd5bf5bef0b2764d0031f0a39dc20689bc2d

SHA256
c0e0197928d2ee08bb3b8fede52a9762ab9430a1987e66d42910f2649e740353

SHA512
876602f6bd9fc47559e4754593b112fad554d9bb370a8c3de96e87fc0700099d997d36d76886ab0f51b712dbdda20a342edf227081e87844b86a8f078b86c091

Download Submit
C:\Windows\{C16BD791-1D29-4c46-9430-F46A1A93865C}.exe

Filesize
64KB

MD5
e496b652b38eee1a9d1f183cb39e7dc6

SHA1
cc7a72a5f0c37a5a1eed6aa6ce1cfcd74aff5807

SHA256
220c39aaca6eef3e4d2cc6f788c9632041c6a4cb59e635c3331234d4192e8357

SHA512
f78b104f2145c022457cfb0ed432d89d025208aa33c47cc1999b0115a094659b06bf7075f28e42a001a396293042295f1329543c4bbc0a94f55283406db256b9

Download Submit
C:\Windows\{EA941C51-6415-48cf-8F7D-B995279B10DA}.exe

Filesize
64KB

MD5
3a48fcae19df59556a5451529394e218

SHA1
492ef4a7f6850a4d387d6f337015cf21c4a53aee

SHA256
16049665c82ea651e376eb0754d322f6ec0099f48315a17bd7ad13a1f5ae7126

SHA512
6d0e0e2a3c8de7080c0c1d85ec8972bb3afd131b487dcc2f3258e2fc340f7d0f56bb14cad022686520c217c8af00241662a09b3e481379ad67f57fc4fff6d7a5

Download Submit
memory/1440-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1440-59-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1440-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1572-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1728-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-69-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2052-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2124-3-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2124-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2124-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2124-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2568-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2568-41-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2720-23-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2720-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2720-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2836-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2836-32-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2936-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2936-49-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/3020-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3020-13-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads