62658f5d962eddf14d948b431d182db04eed10768f573eda239dbbeaff9c75af

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc2813934e8ac0e1c668f59471123b90N.exe
Size

213KB
MD5

fc2813934e8ac0e1c668f59471123b90
SHA1

2d04662dccafc7a766edbefc4932337fe1275360
SHA256

62658f5d962eddf14d948b431d182db04eed10768f573eda239dbbeaff9c75af
SHA512

1420233ae06b5e727b1cfb60495907fbab3c0d1ff32bfbc3e70c9011052c4a8efc158a0b0c234636dd78591a59bbe5607bb64ff36428e0b143365943dc21fd90
SSDEEP

1536:YEGh0oll2unMxVS3HgdoKjhLJhzrryLPAneS3DquFSS4efk6kF/y+Ic7e/FtPt+A:YEGh0ollvMUyNjhLJhXrhnJ3D4IF

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3278D457-ABA6-4ee9-BF9E-FFA979654300}\stubpath = "C:\\Windows\\{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe"	fc2813934e8ac0e1c668f59471123b90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}\stubpath = "C:\\Windows\\{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe"	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A25577-7884-41fb-A831-5D500E3338D0}	{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A25577-7884-41fb-A831-5D500E3338D0}\stubpath = "C:\\Windows\\{09A25577-7884-41fb-A831-5D500E3338D0}.exe"	{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3278D457-ABA6-4ee9-BF9E-FFA979654300}	fc2813934e8ac0e1c668f59471123b90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}\stubpath = "C:\\Windows\\{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe"	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{404DF19B-3D90-420f-BA77-47F3F47863E0}\stubpath = "C:\\Windows\\{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe"	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3CB9D69-FCA9-4280-A639-B8962862DC98}	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{949629AC-E67F-4625-9E2C-6B81937A6181}	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}\stubpath = "C:\\Windows\\{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe"	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{404DF19B-3D90-420f-BA77-47F3F47863E0}	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3CB9D69-FCA9-4280-A639-B8962862DC98}\stubpath = "C:\\Windows\\{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe"	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}\stubpath = "C:\\Windows\\{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe"	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{949629AC-E67F-4625-9E2C-6B81937A6181}\stubpath = "C:\\Windows\\{949629AC-E67F-4625-9E2C-6B81937A6181}.exe"	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe
2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe
2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe
1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe
3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe
2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe
2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe
1804	{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe
616	{09A25577-7884-41fb-A831-5D500E3338D0}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	fc2813934e8ac0e1c668f59471123b90N.exe
File created	C:\Windows\{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe
File created	C:\Windows\{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe
File created	C:\Windows\{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe
File created	C:\Windows\{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe
File created	C:\Windows\{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe
File created	C:\Windows\{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe
File created	C:\Windows\{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe
File created	C:\Windows\{09A25577-7884-41fb-A831-5D500E3338D0}.exe	{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09A25577-7884-41fb-A831-5D500E3338D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc2813934e8ac0e1c668f59471123b90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2780	fc2813934e8ac0e1c668f59471123b90N.exe
Token: SeIncBasePriorityPrivilege	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe
Token: SeIncBasePriorityPrivilege	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe
Token: SeIncBasePriorityPrivilege	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe
Token: SeIncBasePriorityPrivilege	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe
Token: SeIncBasePriorityPrivilege	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe
Token: SeIncBasePriorityPrivilege	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe
Token: SeIncBasePriorityPrivilege	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe
Token: SeIncBasePriorityPrivilege	1804	{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2228	2780	fc2813934e8ac0e1c668f59471123b90N.exe	30
PID 2780 wrote to memory of 2228	2780	fc2813934e8ac0e1c668f59471123b90N.exe	30
PID 2780 wrote to memory of 2228	2780	fc2813934e8ac0e1c668f59471123b90N.exe	30
PID 2780 wrote to memory of 2228	2780	fc2813934e8ac0e1c668f59471123b90N.exe	30
PID 2780 wrote to memory of 2852	2780	fc2813934e8ac0e1c668f59471123b90N.exe	31
PID 2780 wrote to memory of 2852	2780	fc2813934e8ac0e1c668f59471123b90N.exe	31
PID 2780 wrote to memory of 2852	2780	fc2813934e8ac0e1c668f59471123b90N.exe	31
PID 2780 wrote to memory of 2852	2780	fc2813934e8ac0e1c668f59471123b90N.exe	31
PID 2228 wrote to memory of 2704	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	32
PID 2228 wrote to memory of 2704	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	32
PID 2228 wrote to memory of 2704	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	32
PID 2228 wrote to memory of 2704	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	32
PID 2228 wrote to memory of 2972	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	33
PID 2228 wrote to memory of 2972	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	33
PID 2228 wrote to memory of 2972	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	33
PID 2228 wrote to memory of 2972	2228	{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe	33
PID 2704 wrote to memory of 2832	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	34
PID 2704 wrote to memory of 2832	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	34
PID 2704 wrote to memory of 2832	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	34
PID 2704 wrote to memory of 2832	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	34
PID 2704 wrote to memory of 1636	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	35
PID 2704 wrote to memory of 1636	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	35
PID 2704 wrote to memory of 1636	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	35
PID 2704 wrote to memory of 1636	2704	{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe	35
PID 2832 wrote to memory of 1648	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	36
PID 2832 wrote to memory of 1648	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	36
PID 2832 wrote to memory of 1648	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	36
PID 2832 wrote to memory of 1648	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	36
PID 2832 wrote to memory of 2224	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	37
PID 2832 wrote to memory of 2224	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	37
PID 2832 wrote to memory of 2224	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	37
PID 2832 wrote to memory of 2224	2832	{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe	37
PID 1648 wrote to memory of 3052	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	38
PID 1648 wrote to memory of 3052	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	38
PID 1648 wrote to memory of 3052	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	38
PID 1648 wrote to memory of 3052	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	38
PID 1648 wrote to memory of 2100	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	39
PID 1648 wrote to memory of 2100	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	39
PID 1648 wrote to memory of 2100	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	39
PID 1648 wrote to memory of 2100	1648	{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe	39
PID 3052 wrote to memory of 2764	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	40
PID 3052 wrote to memory of 2764	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	40
PID 3052 wrote to memory of 2764	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	40
PID 3052 wrote to memory of 2764	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	40
PID 3052 wrote to memory of 2340	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	41
PID 3052 wrote to memory of 2340	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	41
PID 3052 wrote to memory of 2340	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	41
PID 3052 wrote to memory of 2340	3052	{949629AC-E67F-4625-9E2C-6B81937A6181}.exe	41
PID 2764 wrote to memory of 2044	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	42
PID 2764 wrote to memory of 2044	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	42
PID 2764 wrote to memory of 2044	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	42
PID 2764 wrote to memory of 2044	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	42
PID 2764 wrote to memory of 1152	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	43
PID 2764 wrote to memory of 1152	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	43
PID 2764 wrote to memory of 1152	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	43
PID 2764 wrote to memory of 1152	2764	{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe	43
PID 2044 wrote to memory of 1804	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	44
PID 2044 wrote to memory of 1804	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	44
PID 2044 wrote to memory of 1804	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	44
PID 2044 wrote to memory of 1804	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	44
PID 2044 wrote to memory of 3044	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	45
PID 2044 wrote to memory of 3044	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	45
PID 2044 wrote to memory of 3044	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	45
PID 2044 wrote to memory of 3044	2044	{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe	45

C:\Users\Admin\AppData\Local\Temp\fc2813934e8ac0e1c668f59471123b90N.exe
"C:\Users\Admin\AppData\Local\Temp\fc2813934e8ac0e1c668f59471123b90N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe
  C:\Windows\{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe
    C:\Windows\{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe
      C:\Windows\{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe
        
        C:\Windows\{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\{949629AC-E67F-4625-9E2C-6B81937A6181}.exe
        
        C:\Windows\{949629AC-E67F-4625-9E2C-6B81937A6181}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe
        
        C:\Windows\{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe
        
        C:\Windows\{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe
        
        C:\Windows\{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\{09A25577-7884-41fb-A831-5D500E3338D0}.exe
        
        C:\Windows\{09A25577-7884-41fb-A831-5D500E3338D0}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C9AA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{404DF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F0AE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94962~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8F2D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3CB9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CDEAF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3278D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FC2813~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09A25577-7884-41fb-A831-5D500E3338D0}.exe

Filesize
213KB

MD5
b688b721865a28d6b5b276ece8ac34a5

SHA1
d561d2894ba0e8ea166ea229ba1c45ceb2205298

SHA256
1fd19240d5fd2d97cbb7c20804271dfd08dc9fde119a95f476d8b07b0fc91370

SHA512
91e77682152d08ff90a4889fcdd0ad2d1476e23db6c53b09200df2b28ac4b083f6b5a2dd03df9b46c2a7fc2ce84d74ae368423abbb467e519b9b3731247dd65b

Download Submit
C:\Windows\{0F0AE187-2D74-4bff-AE7C-2FE1B05AE26B}.exe

Filesize
213KB

MD5
48d7280762ab0418161ec26fd64dcf9d

SHA1
ff9c1425d8ab42d6fa3dda2d45c17f5910184193

SHA256
be1e68594a3f0c90b442458b140bff3eebd2098db7bca3490fd9ea766264e7f1

SHA512
0836de033c26b1b41e8409e0bfe035e77a34ebf05554cf0b2369de205547b53b22d1ba3bba04b986fdd6a96d9c7054b22a4308bab1946fc4b6ead6e2681cee01

Download Submit
C:\Windows\{2C9AAB9F-1D27-4c95-8AE3-358BE7B3D305}.exe

Filesize
213KB

MD5
22b5943b1ba0ab29685c74a3ec2b0a38

SHA1
9a261323e9a878b57bd4b086948c650a27cab69d

SHA256
bb6990136b286dfae1899e681485e0a0217d5d6640c0578b7da6e9fc675c0443

SHA512
874abe487d93e42d92e384a1bb53598c539021d322707dca6251d36aaf7d4d170b0babba7831c67ec3dfe5fa80cda6b6357adc08b995059ad914bd6ee1cb8a0f

Download Submit
C:\Windows\{3278D457-ABA6-4ee9-BF9E-FFA979654300}.exe

Filesize
213KB

MD5
e68e91a8cb6dc7aa6df4bf3240b33583

SHA1
b7e894cb7e0eb0e6ddcd6c51e377e73e30a0d762

SHA256
c1c65bb70a3a8b83ab4e3d2200a5bb4c6b21a61536dd4b9f1b997cd8af89cce1

SHA512
61a424965e3126f036bb94a494a9c72c8f59313c85e4dcf281cde454faa7596c411fb4e260aa7e94a5f4f699d4563df11f2b051056b8b57a0320f83c552ee968

Download Submit
C:\Windows\{404DF19B-3D90-420f-BA77-47F3F47863E0}.exe

Filesize
213KB

MD5
4a98ed02b05cc21e6b2e0a6fbbdfcaf1

SHA1
d62fa3aadaedc4c5be71bbf97b075fdf0751b646

SHA256
f998c04a8b21044a1770b291afc1b18dc2d8713aa5ef44138cca2681aed24c65

SHA512
dc360a1f40277afcfe34787888b2f23fb6515c43aa6b1599e286e8b025a60b56c157bfba4a420160d0c380d3542327945dac41cc2dcc3996778453216762f2c5

Download Submit
C:\Windows\{949629AC-E67F-4625-9E2C-6B81937A6181}.exe

Filesize
213KB

MD5
fb58a315ae04a592fc91be1951a1aee6

SHA1
ddc57dc824fae52348cc6820c1816161ac09b2b6

SHA256
8724e004f035034b027be8fc6b9f76c5f5e96d248f5d9d45559cdcb6f0eb176e

SHA512
e838bb83c5733b69c40da239ef2cbe8d6f55f7dd0a838bf0e7117d5e0be91241799f5e38920f4bd1a3520949f70c0049defb50ec4acdfe74b0ec5db4f74c89a5

Download Submit
C:\Windows\{CDEAFC2A-E913-48ff-B0BD-A8C742CF43C5}.exe

Filesize
213KB

MD5
0d6879115d6eae9bf7101c58a4e9e50a

SHA1
96d1dc026e42e5077fb82b6d1c0a6d9a8e58be37

SHA256
aadce367242a81c4960e61f899a8e7681b56483e0920e2962f2a6901f847bf0d

SHA512
b40e420fc51abd5fea4102e7e64b048e2bd3c28fcb75d344e37fe8849792653e71aa2d0d158499a9ca9f091ecc697aa46b92b83a38d8f08057bdf2bfdff4567a

Download Submit
C:\Windows\{D3CB9D69-FCA9-4280-A639-B8962862DC98}.exe

Filesize
213KB

MD5
cb7b9555f3f15a815e82f0b3ba2e262f

SHA1
4933ca9258520dabbb5dd9054be33eed87e19396

SHA256
2bef7e09f162740e5affee9fa6f2e4bfc27d32ceabf7054bb38f436d7a86dc5a

SHA512
c00b375b307f149eba1238250b0414045e787c6e38423ccaa8369f2a2e79f642423d363778035db8eb864096c9baf102bc9b7c67c8b4a62e842ceb15d45cfa9d

Download Submit
C:\Windows\{D8F2DD37-1E66-40d1-9BDD-BB1FCEAE6806}.exe

Filesize
213KB

MD5
2ff44415a01d0fddbeec39d59222eb3d

SHA1
5027625532c253fc8b39c7e45056a688e98aa71d

SHA256
4baca8c398485d5bd10a096d9c6553d853f50f780dc805f057d29e1005f52ec9

SHA512
ef0971ffd3f137fcd789fe1a7fe86392e13a0a02bacd28bf7303633aa9a06cec6eae88251db88a0374af9046a35d1aa4b9dfa35c633341a6dc250d59ac309b15

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads