8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe
Size

90KB
MD5

9ea33e1a12daa3b4bd2b3fdc4a1bd724
SHA1

2c69ef11400df584d2dc0ac72249ecaf231182d0
SHA256

8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43
SHA512

74c29941a030805730a77025e92776c927a9a3c4dba082159101af92ab639a82c5ce31955853469632dccbbcb26806335b674e66c678a178e821ecec6e07e41d
SSDEEP

768:5vw9816thKQLroP4/wQkNrfrunMxVFA3bA:lEG/0oPlbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864DA38B-EBCB-4109-9684-48F231584D6A}	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17DB457A-17C4-4e08-9CAB-40B23FE764A5}	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56273703-CCE2-4af2-B707-ADE047EDC509}\stubpath = "C:\\Windows\\{56273703-CCE2-4af2-B707-ADE047EDC509}.exe"	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3F5FA1-181D-4b70-9E35-17481BA2840F}\stubpath = "C:\\Windows\\{DF3F5FA1-181D-4b70-9E35-17481BA2840F}.exe"	{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0863335-575D-47e1-BF69-CB847CCBE607}\stubpath = "C:\\Windows\\{C0863335-575D-47e1-BF69-CB847CCBE607}.exe"	{56273703-CCE2-4af2-B707-ADE047EDC509}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}\stubpath = "C:\\Windows\\{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe"	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864DA38B-EBCB-4109-9684-48F231584D6A}\stubpath = "C:\\Windows\\{864DA38B-EBCB-4109-9684-48F231584D6A}.exe"	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}\stubpath = "C:\\Windows\\{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe"	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F2C9F3-7E9F-43a9-9958-00652B8BE526}\stubpath = "C:\\Windows\\{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe"	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56273703-CCE2-4af2-B707-ADE047EDC509}	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0863335-575D-47e1-BF69-CB847CCBE607}	{56273703-CCE2-4af2-B707-ADE047EDC509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17DB457A-17C4-4e08-9CAB-40B23FE764A5}\stubpath = "C:\\Windows\\{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe"	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}\stubpath = "C:\\Windows\\{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe"	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}\stubpath = "C:\\Windows\\{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe"	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3F5FA1-181D-4b70-9E35-17481BA2840F}	{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F2C9F3-7E9F-43a9-9958-00652B8BE526}	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B158E11-1124-4461-AB5C-E4D8C1D15215}	{C0863335-575D-47e1-BF69-CB847CCBE607}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B158E11-1124-4461-AB5C-E4D8C1D15215}\stubpath = "C:\\Windows\\{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe"	{C0863335-575D-47e1-BF69-CB847CCBE607}.exe

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe
2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe
2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe
2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe
1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe
1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe
2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe
1616	{56273703-CCE2-4af2-B707-ADE047EDC509}.exe
2948	{C0863335-575D-47e1-BF69-CB847CCBE607}.exe
2592	{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe
1928	{DF3F5FA1-181D-4b70-9E35-17481BA2840F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C0863335-575D-47e1-BF69-CB847CCBE607}.exe	{56273703-CCE2-4af2-B707-ADE047EDC509}.exe
File created	C:\Windows\{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe
File created	C:\Windows\{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe
File created	C:\Windows\{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe
File created	C:\Windows\{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe
File created	C:\Windows\{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe
File created	C:\Windows\{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe
File created	C:\Windows\{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe
File created	C:\Windows\{56273703-CCE2-4af2-B707-ADE047EDC509}.exe	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe
File created	C:\Windows\{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe	{C0863335-575D-47e1-BF69-CB847CCBE607}.exe
File created	C:\Windows\{DF3F5FA1-181D-4b70-9E35-17481BA2840F}.exe	{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{56273703-CCE2-4af2-B707-ADE047EDC509}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0863335-575D-47e1-BF69-CB847CCBE607}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF3F5FA1-181D-4b70-9E35-17481BA2840F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe
Token: SeIncBasePriorityPrivilege	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe
Token: SeIncBasePriorityPrivilege	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe
Token: SeIncBasePriorityPrivilege	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe
Token: SeIncBasePriorityPrivilege	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe
Token: SeIncBasePriorityPrivilege	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe
Token: SeIncBasePriorityPrivilege	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe
Token: SeIncBasePriorityPrivilege	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe
Token: SeIncBasePriorityPrivilege	1616	{56273703-CCE2-4af2-B707-ADE047EDC509}.exe
Token: SeIncBasePriorityPrivilege	2948	{C0863335-575D-47e1-BF69-CB847CCBE607}.exe
Token: SeIncBasePriorityPrivilege	2592	{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2296	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe	31
PID 2360 wrote to memory of 2296	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe	31
PID 2360 wrote to memory of 2296	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe	31
PID 2360 wrote to memory of 2296	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe	31
PID 2360 wrote to memory of 2996	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe	32
PID 2360 wrote to memory of 2996	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe	32
PID 2360 wrote to memory of 2996	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe	32
PID 2360 wrote to memory of 2996	2360	8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe	32
PID 2296 wrote to memory of 2832	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	33
PID 2296 wrote to memory of 2832	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	33
PID 2296 wrote to memory of 2832	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	33
PID 2296 wrote to memory of 2832	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	33
PID 2296 wrote to memory of 2824	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	34
PID 2296 wrote to memory of 2824	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	34
PID 2296 wrote to memory of 2824	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	34
PID 2296 wrote to memory of 2824	2296	{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe	34
PID 2832 wrote to memory of 2808	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	35
PID 2832 wrote to memory of 2808	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	35
PID 2832 wrote to memory of 2808	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	35
PID 2832 wrote to memory of 2808	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	35
PID 2832 wrote to memory of 2812	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	36
PID 2832 wrote to memory of 2812	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	36
PID 2832 wrote to memory of 2812	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	36
PID 2832 wrote to memory of 2812	2832	{864DA38B-EBCB-4109-9684-48F231584D6A}.exe	36
PID 2808 wrote to memory of 2604	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	37
PID 2808 wrote to memory of 2604	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	37
PID 2808 wrote to memory of 2604	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	37
PID 2808 wrote to memory of 2604	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	37
PID 2808 wrote to memory of 2672	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	38
PID 2808 wrote to memory of 2672	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	38
PID 2808 wrote to memory of 2672	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	38
PID 2808 wrote to memory of 2672	2808	{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe	38
PID 2604 wrote to memory of 1364	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	39
PID 2604 wrote to memory of 1364	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	39
PID 2604 wrote to memory of 1364	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	39
PID 2604 wrote to memory of 1364	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	39
PID 2604 wrote to memory of 1744	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	40
PID 2604 wrote to memory of 1744	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	40
PID 2604 wrote to memory of 1744	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	40
PID 2604 wrote to memory of 1744	2604	{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe	40
PID 1364 wrote to memory of 1072	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	41
PID 1364 wrote to memory of 1072	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	41
PID 1364 wrote to memory of 1072	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	41
PID 1364 wrote to memory of 1072	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	41
PID 1364 wrote to memory of 1760	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	42
PID 1364 wrote to memory of 1760	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	42
PID 1364 wrote to memory of 1760	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	42
PID 1364 wrote to memory of 1760	1364	{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe	42
PID 1072 wrote to memory of 2028	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	43
PID 1072 wrote to memory of 2028	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	43
PID 1072 wrote to memory of 2028	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	43
PID 1072 wrote to memory of 2028	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	43
PID 1072 wrote to memory of 1328	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	44
PID 1072 wrote to memory of 1328	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	44
PID 1072 wrote to memory of 1328	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	44
PID 1072 wrote to memory of 1328	1072	{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe	44
PID 2028 wrote to memory of 1616	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	45
PID 2028 wrote to memory of 1616	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	45
PID 2028 wrote to memory of 1616	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	45
PID 2028 wrote to memory of 1616	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	45
PID 2028 wrote to memory of 2924	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	46
PID 2028 wrote to memory of 2924	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	46
PID 2028 wrote to memory of 2924	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	46
PID 2028 wrote to memory of 2924	2028	{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe	46

C:\Users\Admin\AppData\Local\Temp\8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe
"C:\Users\Admin\AppData\Local\Temp\8ceac5ad8c79013a988059b461f227d937f51d48c3956965f2b0837828fd5e43.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe
  C:\Windows\{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{864DA38B-EBCB-4109-9684-48F231584D6A}.exe
    C:\Windows\{864DA38B-EBCB-4109-9684-48F231584D6A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe
      C:\Windows\{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe
        
        C:\Windows\{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe
        
        C:\Windows\{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe
        
        C:\Windows\{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe
        
        C:\Windows\{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{56273703-CCE2-4af2-B707-ADE047EDC509}.exe
        
        C:\Windows\{56273703-CCE2-4af2-B707-ADE047EDC509}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{C0863335-575D-47e1-BF69-CB847CCBE607}.exe
        
        C:\Windows\{C0863335-575D-47e1-BF69-CB847CCBE607}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe
        
        C:\Windows\{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\{DF3F5FA1-181D-4b70-9E35-17481BA2840F}.exe
        
        C:\Windows\{DF3F5FA1-181D-4b70-9E35-17481BA2840F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B158~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0863~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56273~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{324A4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80394~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17DB4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50F2C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAE36~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{864DA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E0F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8CEAC5~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17DB457A-17C4-4e08-9CAB-40B23FE764A5}.exe

Filesize
90KB

MD5
ec5d52539c9978724a2eb0b10d5b299c

SHA1
62ef88951a92f54c13449059262c14e83788dd05

SHA256
79d80aa27aee2e088df1dd77d53611ff8fb23b783d566f9d93b07dd688efd14b

SHA512
31f86772af248b896a558b0865b7fe8e489fc756b623f9131ced7f7f1d8e7f5f29b0a3f1377d038d702b870bdb837a34293ac2c8f406c2fc4e2d9dc52e8367db

Download Submit
C:\Windows\{324A470A-CCA5-4306-9C8F-2A1B4659E8C3}.exe

Filesize
90KB

MD5
9855abe9575f3bc557f218d1e5d1986a

SHA1
0f1a1b5e20ba1a6d65f97cc20bbe0eda8aec7e04

SHA256
cd723706dcd2f0e00ffb05867c51def0bd43c0e076f0adf452e89a9149b7347e

SHA512
81356c0c80ce9b7d4bb452ffd24da8dec792395644ea8343a92f232494aaf8ff7080e2b1e76ab2ed51244b628bb219df7a069e97148d6992edebb3d82ebfb27b

Download Submit
C:\Windows\{4B158E11-1124-4461-AB5C-E4D8C1D15215}.exe

Filesize
90KB

MD5
58d11f0a82e6559652a3c5f50107b14d

SHA1
b9b3dd440f5ff85587fb845f7aa14cdcb493347b

SHA256
ae8950ccea0fe073f0621353d6d8d31c977fc3c1f99a2b3387e1b0fc5052c8e2

SHA512
16122569b7d9280d281067e090de81a5463717233e436c11fbfddb40e7968708c469afe74a510d0d480788d19f0b13596e89c487c149d63aadd1f409c671ad76

Download Submit
C:\Windows\{50F2C9F3-7E9F-43a9-9958-00652B8BE526}.exe

Filesize
90KB

MD5
fcd9fc6fca0294ed73aed243e35c52c8

SHA1
2c8c624f396e3c20be184e12fe65e608dda334e1

SHA256
fbe74b27d108c57bf6e7b520e0e7b9cd3afbd0cbc7732a4d2dd191237e5459b3

SHA512
c4eb7aaa08d41cfbad80da2a76d428766460081b5ca751fec13e548664abf05e53b4a9d3b066e83715e6ed1da555f89ee15fb47d161ff3a849fdd43b472c1c87

Download Submit
C:\Windows\{56273703-CCE2-4af2-B707-ADE047EDC509}.exe

Filesize
90KB

MD5
f0ff3eff0bf41ae24dcccd8a4a484741

SHA1
65d1d6b05fcacde18de9af31492596d6c8ff4279

SHA256
9be65497de0176244055bff3b8b5c217769d72b7b2609f903b5daa5f279595d9

SHA512
f0f99ec5c2074ed51b724004747b8118dc928cdd0b984b56dc8bb81881018707f829eb06a64b2457e63c4e35b2758b84fbeb0fa42cb63408866dae10573ee083

Download Submit
C:\Windows\{80394E62-E65A-45a0-ABA6-4CD201BD2BD7}.exe

Filesize
90KB

MD5
7fe1a93ab15e8f65f37a553f8d8865a9

SHA1
d38b9e675f7aa715f0749b75e66ee644b1cc8bbb

SHA256
702362e89b49e5ba207deb69912ee53415b174036a39bdfebc65348e1a972f70

SHA512
c5b730ef55b5e37c40e4c4bb882b8fd9837aeb807ee82a0e63d6cf2b488a3a46b812fc9b15932f9c71337b1c840656fdc6c1b9795a36f9c2377d9a1aef1b39d8

Download Submit
C:\Windows\{864DA38B-EBCB-4109-9684-48F231584D6A}.exe

Filesize
90KB

MD5
66f8e6bb97cb9d93ec9e99a383f8f1fa

SHA1
f380ee211467262eaa51bc6ac500a97da93e6544

SHA256
8ed7a5d63c8b01f3a7d9c57fecaeb66d9d0ef5b1d5707dc1874cf60aa054f29a

SHA512
e4c093e08254e2493e39481f9d03f52435638cb265f70104868307b46fcc9808b3267884c18929739bc6cde3fcfd5b16a86758a5fdc58958117f0408cfffa294

Download Submit
C:\Windows\{B2E0FD7B-C9C0-4067-BFF5-50B4D9E55E9B}.exe

Filesize
90KB

MD5
9268ccdfc28aef830dd820f2cc1a20e2

SHA1
fb92a1727d287d1fbff200f431401108989cb919

SHA256
b67639a97ded7c5c47c93f2fe1de7d7dc289c2071dc901e372041c4401d75bed

SHA512
671641af2e490bdd04e252c8beb999c07d49973377655ced93ca487939cd0440a7bd129d6a18db91f3fbf93a99c1d794159d3c11e5dc126295f65697a298c314

Download Submit
C:\Windows\{C0863335-575D-47e1-BF69-CB847CCBE607}.exe

Filesize
90KB

MD5
75cace0b68286c72258797bb0e44fed8

SHA1
7df19066d99ad748d9b7dcc4a8b505971fc15b3c

SHA256
6d9a7e6166cdb836343d1c9f0a0aceca8aa7f916b7d0780748aa7ba70472f039

SHA512
262d61f0ccbfc8a8ab7b0b3131c9edae535dc0e97eb85534f7d67eaeb304e65f5562bdf3d9f5faa788cf77044a1d4bd3920e4b6c25d5dc670487750582e281e5

Download Submit
C:\Windows\{DF3F5FA1-181D-4b70-9E35-17481BA2840F}.exe

Filesize
90KB

MD5
cdf0495616c81f3eb149a596f1bd4141

SHA1
da7fe5a20451e503eb20947bfaa67b05e37443ed

SHA256
d881e06ec5cdaca70379ebd04683b84f56c8d28f581add513767f1132c10a2df

SHA512
6f239a6561cfb1517dd9fa9afe8809d9e53fa13e49c65b523bcf3010cca61aab6b7910192114962656eac77a2e66cbc19d9ebeaf5d5947139e721e531d3949d8

Download Submit
C:\Windows\{FAE36BEC-8031-4966-8F75-239E4CD7BCFB}.exe

Filesize
90KB

MD5
f18c5d928be93ef6e073198de089a5e2

SHA1
aea842a25937c8f60fdff1bed9e44d582e645bf7

SHA256
fc3b39b6629188d20fa01ff0870f3336b94c5f81e9dc4186ce6ef4374cc2ba10

SHA512
36148856710625506ffa114b14664db19c32c917a6e2b9f3d458def1539ca3cb9743db53693b7ec2aa32ffc2fad0e892b57071477580265e96e9e0051db5ff94

Download Submit
memory/1072-67-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/1072-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1072-66-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/1364-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1364-54-0x0000000001BF0000-0x0000000001C01000-memory.dmp

Filesize
68KB

Download
memory/1616-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1616-83-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1616-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1928-108-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-72-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2296-13-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2296-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-3-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2360-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2592-106-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2592-102-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/2604-45-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2604-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2604-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2808-34-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2808-38-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2808-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2808-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2832-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2832-27-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2832-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2832-23-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2948-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-92-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2948-98-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads