986cbc7693ed7551e343a984408bf4aa7b1b1dde47901eebcad9d8d877a55412

Analysis

max time kernel
118s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aaaf0bc41226ecb2216e54587ceaa50N.exe
Size

64KB
MD5

5aaaf0bc41226ecb2216e54587ceaa50
SHA1

2bd0918395191e194a6ad128b7f4e9a4b5347d06
SHA256

986cbc7693ed7551e343a984408bf4aa7b1b1dde47901eebcad9d8d877a55412
SHA512

ccb9e8a2f75ce34a159df2e9f343acb606f1780817eb2fc133cca1b2c6d490a5c2d68b9bbf34bd75687cad4162df2a2805495979347b3332c639f0d10021ccfd
SSDEEP

192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwPuY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLro84/CFsrdF

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A701B053-5308-42df-960B-DCF4DBB5CC39}	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D04D841-15B4-42df-91E9-4741275B34C9}	5aaaf0bc41226ecb2216e54587ceaa50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D04D841-15B4-42df-91E9-4741275B34C9}\stubpath = "C:\\Windows\\{2D04D841-15B4-42df-91E9-4741275B34C9}.exe"	5aaaf0bc41226ecb2216e54587ceaa50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A701B053-5308-42df-960B-DCF4DBB5CC39}\stubpath = "C:\\Windows\\{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe"	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}\stubpath = "C:\\Windows\\{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe"	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}\stubpath = "C:\\Windows\\{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}.exe"	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB228C91-D61D-4b9a-BE9B-61F0306768FB}	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}\stubpath = "C:\\Windows\\{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe"	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF8BB73E-6058-478e-BB4B-C02A4D361394}	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}\stubpath = "C:\\Windows\\{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe"	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}\stubpath = "C:\\Windows\\{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe"	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB228C91-D61D-4b9a-BE9B-61F0306768FB}\stubpath = "C:\\Windows\\{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe"	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF8BB73E-6058-478e-BB4B-C02A4D361394}\stubpath = "C:\\Windows\\{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe"	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe

Executes dropped EXE 9 IoCs

pid	Process
3132	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe
4220	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe
540	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe
4208	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe
440	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe
2448	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe
2332	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe
2092	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe
2052	{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe
File created	C:\Windows\{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe
File created	C:\Windows\{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe
File created	C:\Windows\{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe
File created	C:\Windows\{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe
File created	C:\Windows\{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe
File created	C:\Windows\{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe
File created	C:\Windows\{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}.exe	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe
File created	C:\Windows\{2D04D841-15B4-42df-91E9-4741275B34C9}.exe	5aaaf0bc41226ecb2216e54587ceaa50N.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aaaf0bc41226ecb2216e54587ceaa50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3336	5aaaf0bc41226ecb2216e54587ceaa50N.exe
Token: SeIncBasePriorityPrivilege	3132	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe
Token: SeIncBasePriorityPrivilege	4220	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe
Token: SeIncBasePriorityPrivilege	540	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe
Token: SeIncBasePriorityPrivilege	4208	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe
Token: SeIncBasePriorityPrivilege	440	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe
Token: SeIncBasePriorityPrivilege	2448	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe
Token: SeIncBasePriorityPrivilege	2332	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe
Token: SeIncBasePriorityPrivilege	2092	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 3132	3336	5aaaf0bc41226ecb2216e54587ceaa50N.exe	94
PID 3336 wrote to memory of 3132	3336	5aaaf0bc41226ecb2216e54587ceaa50N.exe	94
PID 3336 wrote to memory of 3132	3336	5aaaf0bc41226ecb2216e54587ceaa50N.exe	94
PID 3336 wrote to memory of 756	3336	5aaaf0bc41226ecb2216e54587ceaa50N.exe	95
PID 3336 wrote to memory of 756	3336	5aaaf0bc41226ecb2216e54587ceaa50N.exe	95
PID 3336 wrote to memory of 756	3336	5aaaf0bc41226ecb2216e54587ceaa50N.exe	95
PID 3132 wrote to memory of 4220	3132	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe	96
PID 3132 wrote to memory of 4220	3132	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe	96
PID 3132 wrote to memory of 4220	3132	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe	96
PID 3132 wrote to memory of 2192	3132	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe	97
PID 3132 wrote to memory of 2192	3132	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe	97
PID 3132 wrote to memory of 2192	3132	{2D04D841-15B4-42df-91E9-4741275B34C9}.exe	97
PID 4220 wrote to memory of 540	4220	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe	101
PID 4220 wrote to memory of 540	4220	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe	101
PID 4220 wrote to memory of 540	4220	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe	101
PID 4220 wrote to memory of 2648	4220	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe	102
PID 4220 wrote to memory of 2648	4220	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe	102
PID 4220 wrote to memory of 2648	4220	{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe	102
PID 540 wrote to memory of 4208	540	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe	103
PID 540 wrote to memory of 4208	540	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe	103
PID 540 wrote to memory of 4208	540	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe	103
PID 540 wrote to memory of 1680	540	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe	104
PID 540 wrote to memory of 1680	540	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe	104
PID 540 wrote to memory of 1680	540	{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe	104
PID 4208 wrote to memory of 440	4208	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe	105
PID 4208 wrote to memory of 440	4208	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe	105
PID 4208 wrote to memory of 440	4208	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe	105
PID 4208 wrote to memory of 4236	4208	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe	106
PID 4208 wrote to memory of 4236	4208	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe	106
PID 4208 wrote to memory of 4236	4208	{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe	106
PID 440 wrote to memory of 2448	440	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe	109
PID 440 wrote to memory of 2448	440	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe	109
PID 440 wrote to memory of 2448	440	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe	109
PID 440 wrote to memory of 1724	440	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe	110
PID 440 wrote to memory of 1724	440	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe	110
PID 440 wrote to memory of 1724	440	{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe	110
PID 2448 wrote to memory of 2332	2448	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe	111
PID 2448 wrote to memory of 2332	2448	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe	111
PID 2448 wrote to memory of 2332	2448	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe	111
PID 2448 wrote to memory of 4920	2448	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe	112
PID 2448 wrote to memory of 4920	2448	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe	112
PID 2448 wrote to memory of 4920	2448	{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe	112
PID 2332 wrote to memory of 2092	2332	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe	117
PID 2332 wrote to memory of 2092	2332	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe	117
PID 2332 wrote to memory of 2092	2332	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe	117
PID 2332 wrote to memory of 240	2332	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe	118
PID 2332 wrote to memory of 240	2332	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe	118
PID 2332 wrote to memory of 240	2332	{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe	118
PID 2092 wrote to memory of 2052	2092	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe	122
PID 2092 wrote to memory of 2052	2092	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe	122
PID 2092 wrote to memory of 2052	2092	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe	122
PID 2092 wrote to memory of 4112	2092	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe	123
PID 2092 wrote to memory of 4112	2092	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe	123
PID 2092 wrote to memory of 4112	2092	{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe	123

C:\Users\Admin\AppData\Local\Temp\5aaaf0bc41226ecb2216e54587ceaa50N.exe
"C:\Users\Admin\AppData\Local\Temp\5aaaf0bc41226ecb2216e54587ceaa50N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\{2D04D841-15B4-42df-91E9-4741275B34C9}.exe
  C:\Windows\{2D04D841-15B4-42df-91E9-4741275B34C9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe
    C:\Windows\{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe
      C:\Windows\{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe
        
        C:\Windows\{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe
        
        C:\Windows\{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe
        
        C:\Windows\{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe
        
        C:\Windows\{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe
        
        C:\Windows\{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}.exe
        
        C:\Windows\{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF8BB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E7F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BB8F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB228~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A701B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A077~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{797CB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D04D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5AAAF0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2BB8F933-38B6-4afe-8A0D-BD3F6A51B72B}.exe

Filesize
64KB

MD5
9e76da80ff5d5cac1dbf1fefc53f69f1

SHA1
5caae66e03c77c2c5b0fb8d60e68a46fdf63d8d4

SHA256
3d85d835db3811ad36ab4840fd503a6d7f486fcaf4d3f308021c638d0444c1bf

SHA512
5012c78b4470dac407c3c6b59e8381f2b4908a7acf9baab70b599d6f31230d73469ce868287a4ee5722f0ce45a9f999739de36a0f0b6dd987b1b7896078198ce

Download Submit
C:\Windows\{2D04D841-15B4-42df-91E9-4741275B34C9}.exe

Filesize
64KB

MD5
766f8391b3811fa8e1e089e0193f3565

SHA1
3d4b142b47e4212cb3575728c43dd0326a903631

SHA256
e5c8e507984b2cf2444a2aa5287f08e95e8d93e5edc2b6c9489d3c920cf65e19

SHA512
7feff60748ba2eccf7b2a0a996eb81d57317dbab79397a3050134c146f76cfa70119967e6a9fa00d721e0ecbd5984e8f577cb8df7bcdaaa68c48f7c7a4f8cbfd

Download Submit
C:\Windows\{797CBE6E-DF0B-4755-8EB5-7162BB39EF25}.exe

Filesize
64KB

MD5
43f58f0e5de718635b5956a6c280d711

SHA1
a3bc7fb61b8757dd9edecd71f5b090b396d17e07

SHA256
617c8561c1323cb67454def08f28c8acbf1e9a6ebddf67a3117f8c5a574a1be8

SHA512
ad2439afb07e397aea1b6526b37f88554bb4cb260dccd2df87600fb21c08947b94aeb3005260830e6ccdc51f9f2933907e9c75634a11a75bfc94362fe4959b4e

Download Submit
C:\Windows\{8A0778E7-6C72-4cb7-9AB6-D4F55DFA91A7}.exe

Filesize
64KB

MD5
53005144e1cd21c91b1770447675dea0

SHA1
c2157f01119aab9c280aed4a5a2fd0ceb0416aee

SHA256
b3fdd9ba992bdaace014eea147971bf99e07b3d9b5a4ac1cc1281a4fb4605b8d

SHA512
16b8eb0a7b05801886c551495a757375afe8b59d4c8af8759a7f82d00414086b8d0c649277eed0d8b6e6d5d9bc1b3a9944b167e1eff8e84885baead09e88c915

Download Submit
C:\Windows\{A701B053-5308-42df-960B-DCF4DBB5CC39}.exe

Filesize
64KB

MD5
7217fea2c2a2793b95e31fe705d0199f

SHA1
95f25b3fdb83773a8d67b614f3d6631528f5e524

SHA256
e39b9015efdc6ca41e71903b72aac51dda4e801c5177e9a9e9b0bfb245666a4b

SHA512
e269c4b63490b5dc22f331e1f1eb2bad5f333609baaa85cd3a840d29063162f11cb74c061e3c924a56acfeb05982d6f52805fb26ae391c48551d9f19e94e3764

Download Submit
C:\Windows\{C667D3BD-F2AF-4fe1-8CF7-C9C5365BBF56}.exe

Filesize
64KB

MD5
0a81bc7fa68addee45dd6b1bd853b324

SHA1
5f1eac7c5fe2a223957bd9efada75c0910c85cc1

SHA256
e983bcc4195f2456b84405f133a27300c4792e319f423e26912340f810752c8c

SHA512
cb057ba87a947d0e727c0e4ccf57a4f01d25b3c2ddb977194827987952d7a7cae5ba1e7d32ef4b9c61edef39c73e6b02c26eda7caa52ea8e14682b57bb47b66f

Download Submit
C:\Windows\{D0E7F89B-6F5C-4d66-AA08-A3088801FC96}.exe

Filesize
64KB

MD5
8e18d12a9367ecf97a430e445209ebd3

SHA1
4e325e97750bd63a17f83e7a74e38af979730877

SHA256
c6a56637d6c606dd22fde562b03561e2805df98a8439ee3c6c9ff8bce79cd1d7

SHA512
ca088e2877b4aed9593ceeba77644ea290f9196202afbce2fc8434e995548fb1bb26c971ab71ad7a987c2c84d5695a1495ae6882164c1e94804658a3436d15b8

Download Submit
C:\Windows\{DB228C91-D61D-4b9a-BE9B-61F0306768FB}.exe

Filesize
64KB

MD5
994a27a498d2fba29300c60c865307f1

SHA1
52490bfb1a010eb0b7e1788f6c3186f82906f8be

SHA256
fb9fe3fa21d8cc83e953f470a2771f537ae7d925cb20ef7a573f45d20d0fa7ca

SHA512
2dc9b8639d687f1213cc419372e80704a1bbc878e1585e982960fcb55b5d22a58b640e128518a256d55d86992292c349df127d0c684db7943767c5e9b86111ee

Download Submit
C:\Windows\{EF8BB73E-6058-478e-BB4B-C02A4D361394}.exe

Filesize
64KB

MD5
3a2e123359b4bdf7d5d4ab3ba296fb28

SHA1
00e3f00316c7f64e18b4e8d2163d629b0ca4963d

SHA256
0869abe5e6126f674b3748799bf83fbe44112ec98657ca1c68b3abb92af6f5ad

SHA512
2170fab535424e2e87f79f213a6e2ac708361b1fbdb0d453a22553c27c91e813ae3db157b434ac62c86c23595e70a8cc6df3bf764d614677e06b99b37e30fe78

Download Submit
memory/440-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/440-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/540-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/540-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2092-49-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2092-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2332-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2332-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2448-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2448-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3132-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3132-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3132-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3336-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3336-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3336-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4208-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4208-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4220-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads