2eaf34cb92269f6b509f88b156a2ed547e01dfbe06c5e96c0a2f31b22e095c27

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab212332e34ee7fbea0dd19dcabc25d0N.exe
Size

79KB
MD5

ab212332e34ee7fbea0dd19dcabc25d0
SHA1

d951ceda1c2b6fe7c4bd11f1c20ba5ecca17de79
SHA256

2eaf34cb92269f6b509f88b156a2ed547e01dfbe06c5e96c0a2f31b22e095c27
SHA512

e9f4ee211bb5b10ace0d0edf79769197418d017971bbf2579c7e94ab8c27cf6af97d5957063c2d748d4845f6dcdb066119d0d665cfcc76495efc4e8c34297b6c
SSDEEP

768:4vw9816vhKQLroR4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oRloWMZ3izbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7CB284-A126-48ca-8FE7-514A5910FBBA}	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}\stubpath = "C:\\Windows\\{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe"	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4AA18F3-DD85-4842-841C-C8A792984222}	{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2524BE6-4D4C-4162-857D-B22806135C3B}	{A4AA18F3-DD85-4842-841C-C8A792984222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73459440-1EC3-45f9-8F35-1977B203DE75}	{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73459440-1EC3-45f9-8F35-1977B203DE75}\stubpath = "C:\\Windows\\{73459440-1EC3-45f9-8F35-1977B203DE75}.exe"	{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C84207-6582-4ce4-9748-77DD12AA09BA}	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}\stubpath = "C:\\Windows\\{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe"	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2524BE6-4D4C-4162-857D-B22806135C3B}\stubpath = "C:\\Windows\\{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe"	{A4AA18F3-DD85-4842-841C-C8A792984222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9556A55D-590C-4dc9-97B1-3DDFB62F037D}	ab212332e34ee7fbea0dd19dcabc25d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9556A55D-590C-4dc9-97B1-3DDFB62F037D}\stubpath = "C:\\Windows\\{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe"	ab212332e34ee7fbea0dd19dcabc25d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF7CB284-A126-48ca-8FE7-514A5910FBBA}\stubpath = "C:\\Windows\\{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe"	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27C84207-6582-4ce4-9748-77DD12AA09BA}\stubpath = "C:\\Windows\\{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe"	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4AA18F3-DD85-4842-841C-C8A792984222}\stubpath = "C:\\Windows\\{A4AA18F3-DD85-4842-841C-C8A792984222}.exe"	{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46AD8DD9-672F-49c4-B22C-57F29D8569E8}	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46AD8DD9-672F-49c4-B22C-57F29D8569E8}\stubpath = "C:\\Windows\\{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe"	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E19D3CE5-1F3B-4848-B294-E360D0ED052C}	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E19D3CE5-1F3B-4848-B294-E360D0ED052C}\stubpath = "C:\\Windows\\{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe"	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}\stubpath = "C:\\Windows\\{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe"	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe
2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe
2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe
1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe
2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe
1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe
2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe
1196	{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe
2936	{A4AA18F3-DD85-4842-841C-C8A792984222}.exe
3032	{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe
2644	{73459440-1EC3-45f9-8F35-1977B203DE75}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe
File created	C:\Windows\{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	ab212332e34ee7fbea0dd19dcabc25d0N.exe
File created	C:\Windows\{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe
File created	C:\Windows\{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe
File created	C:\Windows\{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe
File created	C:\Windows\{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe
File created	C:\Windows\{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe
File created	C:\Windows\{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe
File created	C:\Windows\{A4AA18F3-DD85-4842-841C-C8A792984222}.exe	{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe
File created	C:\Windows\{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe	{A4AA18F3-DD85-4842-841C-C8A792984222}.exe
File created	C:\Windows\{73459440-1EC3-45f9-8F35-1977B203DE75}.exe	{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73459440-1EC3-45f9-8F35-1977B203DE75}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab212332e34ee7fbea0dd19dcabc25d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4AA18F3-DD85-4842-841C-C8A792984222}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe
Token: SeIncBasePriorityPrivilege	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe
Token: SeIncBasePriorityPrivilege	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe
Token: SeIncBasePriorityPrivilege	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe
Token: SeIncBasePriorityPrivilege	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe
Token: SeIncBasePriorityPrivilege	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe
Token: SeIncBasePriorityPrivilege	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe
Token: SeIncBasePriorityPrivilege	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe
Token: SeIncBasePriorityPrivilege	1196	{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe
Token: SeIncBasePriorityPrivilege	2936	{A4AA18F3-DD85-4842-841C-C8A792984222}.exe
Token: SeIncBasePriorityPrivilege	3032	{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2808	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe	30
PID 2240 wrote to memory of 2808	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe	30
PID 2240 wrote to memory of 2808	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe	30
PID 2240 wrote to memory of 2808	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe	30
PID 2240 wrote to memory of 2708	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe	31
PID 2240 wrote to memory of 2708	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe	31
PID 2240 wrote to memory of 2708	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe	31
PID 2240 wrote to memory of 2708	2240	ab212332e34ee7fbea0dd19dcabc25d0N.exe	31
PID 2808 wrote to memory of 2720	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	33
PID 2808 wrote to memory of 2720	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	33
PID 2808 wrote to memory of 2720	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	33
PID 2808 wrote to memory of 2720	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	33
PID 2808 wrote to memory of 2556	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	34
PID 2808 wrote to memory of 2556	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	34
PID 2808 wrote to memory of 2556	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	34
PID 2808 wrote to memory of 2556	2808	{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe	34
PID 2720 wrote to memory of 2600	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	35
PID 2720 wrote to memory of 2600	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	35
PID 2720 wrote to memory of 2600	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	35
PID 2720 wrote to memory of 2600	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	35
PID 2720 wrote to memory of 2112	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	36
PID 2720 wrote to memory of 2112	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	36
PID 2720 wrote to memory of 2112	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	36
PID 2720 wrote to memory of 2112	2720	{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe	36
PID 2600 wrote to memory of 1456	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	37
PID 2600 wrote to memory of 1456	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	37
PID 2600 wrote to memory of 1456	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	37
PID 2600 wrote to memory of 1456	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	37
PID 2600 wrote to memory of 640	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	38
PID 2600 wrote to memory of 640	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	38
PID 2600 wrote to memory of 640	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	38
PID 2600 wrote to memory of 640	2600	{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe	38
PID 1456 wrote to memory of 2884	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	39
PID 1456 wrote to memory of 2884	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	39
PID 1456 wrote to memory of 2884	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	39
PID 1456 wrote to memory of 2884	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	39
PID 1456 wrote to memory of 2020	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	40
PID 1456 wrote to memory of 2020	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	40
PID 1456 wrote to memory of 2020	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	40
PID 1456 wrote to memory of 2020	1456	{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe	40
PID 2884 wrote to memory of 1544	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	41
PID 2884 wrote to memory of 1544	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	41
PID 2884 wrote to memory of 1544	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	41
PID 2884 wrote to memory of 1544	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	41
PID 2884 wrote to memory of 1684	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	42
PID 2884 wrote to memory of 1684	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	42
PID 2884 wrote to memory of 1684	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	42
PID 2884 wrote to memory of 1684	2884	{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe	42
PID 1544 wrote to memory of 2152	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	43
PID 1544 wrote to memory of 2152	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	43
PID 1544 wrote to memory of 2152	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	43
PID 1544 wrote to memory of 2152	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	43
PID 1544 wrote to memory of 2084	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	44
PID 1544 wrote to memory of 2084	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	44
PID 1544 wrote to memory of 2084	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	44
PID 1544 wrote to memory of 2084	1544	{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe	44
PID 2152 wrote to memory of 1196	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	45
PID 2152 wrote to memory of 1196	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	45
PID 2152 wrote to memory of 1196	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	45
PID 2152 wrote to memory of 1196	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	45
PID 2152 wrote to memory of 2108	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	46
PID 2152 wrote to memory of 2108	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	46
PID 2152 wrote to memory of 2108	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	46
PID 2152 wrote to memory of 2108	2152	{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe	46

C:\Users\Admin\AppData\Local\Temp\ab212332e34ee7fbea0dd19dcabc25d0N.exe
"C:\Users\Admin\AppData\Local\Temp\ab212332e34ee7fbea0dd19dcabc25d0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe
  C:\Windows\{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe
    C:\Windows\{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe
      C:\Windows\{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe
        
        C:\Windows\{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe
        
        C:\Windows\{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe
        
        C:\Windows\{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe
        
        C:\Windows\{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe
        
        C:\Windows\{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\{A4AA18F3-DD85-4842-841C-C8A792984222}.exe
        
        C:\Windows\{A4AA18F3-DD85-4842-841C-C8A792984222}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe
        
        C:\Windows\{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{73459440-1EC3-45f9-8F35-1977B203DE75}.exe
        
        C:\Windows\{73459440-1EC3-45f9-8F35-1977B203DE75}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2524~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4AA1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BAB7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A11C8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACD9F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27C84~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E19D3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF7CB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46AD8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9556A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AB2123~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27C84207-6582-4ce4-9748-77DD12AA09BA}.exe

Filesize
79KB

MD5
3a0a5030537cad22beffd93218514ab6

SHA1
0177e6125b015055ee0332ac906771f52249849e

SHA256
a806b408159049665981e11e11e690c5f983fc551510424bbb4055e5a33a2b1f

SHA512
23e7859fc9557be43043f82a8730973955a0c2ad2275a522b10bb5a6b1ce4aa2173bd59ffff14d425b2db9332600b9cc9289a627a5e6ee371ea8e95d2a93ea81

Download Submit
C:\Windows\{46AD8DD9-672F-49c4-B22C-57F29D8569E8}.exe

Filesize
79KB

MD5
5d75672867a719ae9f18e3f0bfa08abf

SHA1
0906b935b5c8a878cbe21baf3b17949d3d1bdec6

SHA256
ae6a7fb6fb12b0da72c5b4b30fde033de09271f600cb8be68bf59f706f937b6e

SHA512
4e4b35c692167695ce8b6d6b26215ec3bd287c041d8ea02929e3787deb0460ce6f5213e0886f9946eb5faa577db2629518b3e3fa96911b98c4b50727d12f74a7

Download Submit
C:\Windows\{73459440-1EC3-45f9-8F35-1977B203DE75}.exe

Filesize
79KB

MD5
9d5d77de382b0539aef850113f8716e6

SHA1
cd0fb7d15a943d440a73f116312833be4038bcc0

SHA256
dd9a24c752cf6362a2691cf3110507406b6b3702cde4540ad39df884c285f0b3

SHA512
9976f8805781176db9f99cf8dfb7b6e119f773f8848b8900ea5f6c4d65d6038d0c2c627c4bdf0f29375aff0ec9bec213cc6d3fbc6695fa0638cee6910001ba4c

Download Submit
C:\Windows\{9556A55D-590C-4dc9-97B1-3DDFB62F037D}.exe

Filesize
79KB

MD5
031b82c46f88fb2c679b39baf197a592

SHA1
cf17714a4f4a74b9efaf7461cbd3a67154a948f4

SHA256
e444e3d0e7fd807a7948740bd0b52923c9bcf53c5754eeca7cc2e52c9b2c7a16

SHA512
dd1acab87582aeeb6665b54c37d9018dacfc3b9bc736bf394a2ab496ee5f05da8299d7f06858cc5f7fa65f2abac4a206e5cfe6298ed09e11d6477ec4716c883a

Download Submit
C:\Windows\{9BAB79CB-15B4-401b-BEDF-92B034A5F5E9}.exe

Filesize
79KB

MD5
f19cb7b52f422f5906f54d19b6067c9e

SHA1
a00075357b2e224e59f9c01003b42fe4eeebd053

SHA256
e2a3b052e2a11a0663d1d6842da8320aa6218ea1eaab23049244c42a8e43cb6e

SHA512
56308c5926b3b768e3507932f6078f482568f07332fece5d6bb457e16fc16f83437a147f4c8bb46b72fe89eb5783f4d48e4e5dc5d38a5862946cc215566759bb

Download Submit
C:\Windows\{A11C834B-8EB5-446c-99E9-91BA25B9C0B3}.exe

Filesize
79KB

MD5
fe2eaae2a6ac9681ed361975645b99c4

SHA1
d2ebdfaa63e37abfc10c368249cc87d29ae3b0ec

SHA256
ed9c1817429650956f3db6d5240d616e863519d154875c7026110c5272a4d608

SHA512
6f2d95644645e61c8179a4a3f6ee95be861d12c5cbc22f63f6d08a11576d184c4bdd759e9146b4ae5c13ffbe303b9db740f5c4d27fc7aaa5d204b442549ab14b

Download Submit
C:\Windows\{A4AA18F3-DD85-4842-841C-C8A792984222}.exe

Filesize
79KB

MD5
6abaae3f4d35469ed544a3eebc608354

SHA1
0e1236d4e48653dba4e40204183ddb458856b7c7

SHA256
b665b0fd6014e57357a0264ca1872524b3fce3e6880ce6b543b946a40281e1f1

SHA512
53152369b9088a02813800b6b020e76706e6a21b0fa09ab71d32623c2db082010adf43cbbaa9d0c9eb09ec40d62bcac11baf9ae3fd5dd09332edb47e501f3579

Download Submit
C:\Windows\{ACD9FCCB-E1BF-4210-A318-6F3AA0B1F0EB}.exe

Filesize
79KB

MD5
7096c7799cbcac21c137cef7a4331b7f

SHA1
ee6c98d2bf78358b7470cc80af82c601d0fe9466

SHA256
37f84d231d94f379b0b215f12060e77adc5f5d4ac5d874f43eef2249c6f2d36b

SHA512
edc9d94453dc787e230b508f9323041f42bfceab890533aaaeeb17278740f99fefa72bfe41bab667518298f104e3ac980acb1cd2839795bed6bb2af30715a811

Download Submit
C:\Windows\{DF7CB284-A126-48ca-8FE7-514A5910FBBA}.exe

Filesize
79KB

MD5
a5d5942f09b7192c1d4e87e6f947dc3a

SHA1
1aedf7fcaebda81406e2059a90f2c0ad12b9918f

SHA256
0f1e41870e19d13ed3233bf8721738f12e3f699d46e2e605965ee9d9370a8c15

SHA512
753e721e8d55bb88fac0ecb65bf14d99cb3b30459aedfda538630e4869592d3f48c361316d57e17c4c040e4caefcf671db9f16b1968949e6bb0e74d96a7a9140

Download Submit
C:\Windows\{E19D3CE5-1F3B-4848-B294-E360D0ED052C}.exe

Filesize
79KB

MD5
e7601dadaa5833fbfbff35eeab482a4a

SHA1
ea7a2baec6ad4037a696886d8e0700615b61dbb6

SHA256
0c79b47799846c0cbcd76d3bf0d0dfc2d87e051e38230c995e30fe67f6229268

SHA512
6c82eaa41b54275ce29f7b57626ed725479dd691b2570b5bb026d34b894eb9711d45db04db324a6e7038bd67d2cd6485a8ae5661f5b4cdb6c52b533e42a457d9

Download Submit
C:\Windows\{F2524BE6-4D4C-4162-857D-B22806135C3B}.exe

Filesize
79KB

MD5
f3be635f38cd82ca0db30e452f677c4d

SHA1
2a8df42968c2ad78f306677e266697c3fb039b7e

SHA256
a8abb70442cc82296efba81ae6702c3347c9e85c0a0f45f565a62abad506b922

SHA512
aafc454502cb7d024ae38abd0f52e2de03dbbad26ea5fdf7b05f6cec5337423d1ea40a4daead19cbd6e01d2a488d62be5d2e290525ff9b94116b536ef87bc0a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads