4a56dddca821e7aa7ea94cb65ecc35363bfac8fb175b21025e6b049e533ff817

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a7eb987857272b3376438762b02680N.exe
Size

91KB
MD5

97a7eb987857272b3376438762b02680
SHA1

17b6abd23f3b8a729734fe33edd0c4a4d8d32258
SHA256

4a56dddca821e7aa7ea94cb65ecc35363bfac8fb175b21025e6b049e533ff817
SHA512

e44fbb48c6599bf409244d504c300713b7e0ee6dee67e4db629c5a80e014b51b715a8b32cea2b4c11cf7954a206fafee2942ddd13645fe8aa60f0d6db799f39b
SSDEEP

768:5vw9816uhKirowC4/wQNNrfrunMxVFA3b7t:lEGkmonlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}\stubpath = "C:\\Windows\\{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe"	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88577B7D-1457-4cf9-9380-AC6985E2DD68}	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88577B7D-1457-4cf9-9380-AC6985E2DD68}\stubpath = "C:\\Windows\\{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe"	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F10E11D5-592A-49ae-94B9-C81BB26F15AA}	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}\stubpath = "C:\\Windows\\{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe"	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BFFF97F-6AED-407f-9F10-B50F0A67C131}	97a7eb987857272b3376438762b02680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F10E11D5-592A-49ae-94B9-C81BB26F15AA}\stubpath = "C:\\Windows\\{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe"	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}	{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}\stubpath = "C:\\Windows\\{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}.exe"	{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}\stubpath = "C:\\Windows\\{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe"	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6112045-A7CB-48af-A479-93CB21C87C47}	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6112045-A7CB-48af-A479-93CB21C87C47}\stubpath = "C:\\Windows\\{B6112045-A7CB-48af-A479-93CB21C87C47}.exe"	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}\stubpath = "C:\\Windows\\{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe"	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BFFF97F-6AED-407f-9F10-B50F0A67C131}\stubpath = "C:\\Windows\\{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe"	97a7eb987857272b3376438762b02680N.exe

Deletes itself 1 IoCs

pid	Process
1168	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe
2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe
2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe
2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe
2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe
2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe
2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe
1768	{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe
340	{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe
File created	C:\Windows\{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe
File created	C:\Windows\{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}.exe	{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe
File created	C:\Windows\{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	97a7eb987857272b3376438762b02680N.exe
File created	C:\Windows\{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe
File created	C:\Windows\{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe
File created	C:\Windows\{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe
File created	C:\Windows\{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe
File created	C:\Windows\{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97a7eb987857272b3376438762b02680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	996	97a7eb987857272b3376438762b02680N.exe
Token: SeIncBasePriorityPrivilege	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe
Token: SeIncBasePriorityPrivilege	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe
Token: SeIncBasePriorityPrivilege	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe
Token: SeIncBasePriorityPrivilege	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe
Token: SeIncBasePriorityPrivilege	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe
Token: SeIncBasePriorityPrivilege	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe
Token: SeIncBasePriorityPrivilege	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe
Token: SeIncBasePriorityPrivilege	1768	{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1864	996	97a7eb987857272b3376438762b02680N.exe	31
PID 996 wrote to memory of 1864	996	97a7eb987857272b3376438762b02680N.exe	31
PID 996 wrote to memory of 1864	996	97a7eb987857272b3376438762b02680N.exe	31
PID 996 wrote to memory of 1864	996	97a7eb987857272b3376438762b02680N.exe	31
PID 996 wrote to memory of 1168	996	97a7eb987857272b3376438762b02680N.exe	32
PID 996 wrote to memory of 1168	996	97a7eb987857272b3376438762b02680N.exe	32
PID 996 wrote to memory of 1168	996	97a7eb987857272b3376438762b02680N.exe	32
PID 996 wrote to memory of 1168	996	97a7eb987857272b3376438762b02680N.exe	32
PID 1864 wrote to memory of 2796	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	33
PID 1864 wrote to memory of 2796	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	33
PID 1864 wrote to memory of 2796	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	33
PID 1864 wrote to memory of 2796	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	33
PID 1864 wrote to memory of 2952	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	34
PID 1864 wrote to memory of 2952	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	34
PID 1864 wrote to memory of 2952	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	34
PID 1864 wrote to memory of 2952	1864	{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe	34
PID 2796 wrote to memory of 2700	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	35
PID 2796 wrote to memory of 2700	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	35
PID 2796 wrote to memory of 2700	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	35
PID 2796 wrote to memory of 2700	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	35
PID 2796 wrote to memory of 2728	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	36
PID 2796 wrote to memory of 2728	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	36
PID 2796 wrote to memory of 2728	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	36
PID 2796 wrote to memory of 2728	2796	{B6112045-A7CB-48af-A479-93CB21C87C47}.exe	36
PID 2700 wrote to memory of 2552	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	37
PID 2700 wrote to memory of 2552	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	37
PID 2700 wrote to memory of 2552	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	37
PID 2700 wrote to memory of 2552	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	37
PID 2700 wrote to memory of 2612	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	38
PID 2700 wrote to memory of 2612	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	38
PID 2700 wrote to memory of 2612	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	38
PID 2700 wrote to memory of 2612	2700	{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe	38
PID 2552 wrote to memory of 2600	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	39
PID 2552 wrote to memory of 2600	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	39
PID 2552 wrote to memory of 2600	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	39
PID 2552 wrote to memory of 2600	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	39
PID 2552 wrote to memory of 1688	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	40
PID 2552 wrote to memory of 1688	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	40
PID 2552 wrote to memory of 1688	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	40
PID 2552 wrote to memory of 1688	2552	{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe	40
PID 2600 wrote to memory of 2872	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	41
PID 2600 wrote to memory of 2872	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	41
PID 2600 wrote to memory of 2872	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	41
PID 2600 wrote to memory of 2872	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	41
PID 2600 wrote to memory of 2904	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	42
PID 2600 wrote to memory of 2904	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	42
PID 2600 wrote to memory of 2904	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	42
PID 2600 wrote to memory of 2904	2600	{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe	42
PID 2872 wrote to memory of 2912	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	43
PID 2872 wrote to memory of 2912	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	43
PID 2872 wrote to memory of 2912	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	43
PID 2872 wrote to memory of 2912	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	43
PID 2872 wrote to memory of 2524	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	44
PID 2872 wrote to memory of 2524	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	44
PID 2872 wrote to memory of 2524	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	44
PID 2872 wrote to memory of 2524	2872	{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe	44
PID 2912 wrote to memory of 1768	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	45
PID 2912 wrote to memory of 1768	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	45
PID 2912 wrote to memory of 1768	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	45
PID 2912 wrote to memory of 1768	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	45
PID 2912 wrote to memory of 2368	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	46
PID 2912 wrote to memory of 2368	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	46
PID 2912 wrote to memory of 2368	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	46
PID 2912 wrote to memory of 2368	2912	{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe	46

C:\Users\Admin\AppData\Local\Temp\97a7eb987857272b3376438762b02680N.exe
"C:\Users\Admin\AppData\Local\Temp\97a7eb987857272b3376438762b02680N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe
  C:\Windows\{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\{B6112045-A7CB-48af-A479-93CB21C87C47}.exe
    C:\Windows\{B6112045-A7CB-48af-A479-93CB21C87C47}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe
      C:\Windows\{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe
        
        C:\Windows\{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe
        
        C:\Windows\{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe
        
        C:\Windows\{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe
        
        C:\Windows\{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe
        
        C:\Windows\{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}.exe
        
        C:\Windows\{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F10E1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88577~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3FA4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{965A3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5EEB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE18B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6112~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6BFFF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\97A7EB~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{6BFFF97F-6AED-407f-9F10-B50F0A67C131}.exe

Filesize
91KB

MD5
e24b5f89714904c89c73dc98ec9cc6e3

SHA1
be1bfb7bcf60c8d4c1b2c3b8161c63a549c51a9c

SHA256
3c14d7366600592bd14373192e4dc92479c83edf6f53f266b0ffa01d2d9b1ccb

SHA512
5ca0b79c7806d6f22a73e7f3d8f79853a5ef05eb67c61690e3288211a4cf072e4e310f07c79ed20880ceaea5b3f71a630ee836271cdbe754f4c8551a1fc12740

Download Submit
C:\Windows\{88577B7D-1457-4cf9-9380-AC6985E2DD68}.exe

Filesize
91KB

MD5
afdaa3c07500a74100e2c5dcea675db0

SHA1
8835dd3367510d24e81a6a259e68265b4efc47e6

SHA256
1c829553441d509744d6115e5139698e4bc24836e037a2ac7ccc5bad3d901848

SHA512
2b5ce3b3e7161a7b98c3ef914d1cb741a2e73ffa66c4f35c1ef1075709a9f7d51204490c72d17b716b6a59356a2015d147349e329cba1d65c068941f187c1aed

Download Submit
C:\Windows\{8C67BF3C-2DB6-4ef4-B7C0-A21F0B8AA356}.exe

Filesize
91KB

MD5
44e7fbfb93c45c7bc0972905d4c1e636

SHA1
9fdcf15ab6c3874e72f97c8f097332ce637d0566

SHA256
3531b71d3ebb4971023a5a9feb2af0b20f6b3a38c86f9ae53148775d5059d906

SHA512
8aa27568b27a6d69a71477b220f44ddbce09b41b56a18b82c6426195cca0794185fdce6b7951a4e773f92a83edfb62e25601283d7740289abf17954d223a795d

Download Submit
C:\Windows\{965A3AE7-C032-4d4a-8DDA-486BA7B8809C}.exe

Filesize
91KB

MD5
99f6ad33a2e1b858554368a8a523c6ef

SHA1
4785a3a8d64726b7ebd9fcbac1fb3116298b1005

SHA256
0b8bec9df8687037915ff8a1eacf6bf6c857742208f3543bcdbedbecdcef6bb0

SHA512
497c9ff483235cb48dbabfe16b45cfe2a01c043ffb0d73460fce4c7ddb6d0108424c2c95321bfbab17db1366e43b4ae013ce89383b97d354b949153beed4876b

Download Submit
C:\Windows\{B6112045-A7CB-48af-A479-93CB21C87C47}.exe

Filesize
91KB

MD5
aaf8aac9dc430ab002d52299b1d171a7

SHA1
f937f8cb813d393f971d68a6878ef05178d4fbd0

SHA256
4647cb23d6dc8d0352dd5f04e01ddbf5729bd60a2a06dfeda043dcd8ccea0bd8

SHA512
5f00a3949a55a83182c5c68115ed62687f27923da20a2212427c8f73a0a8e595c5130a600047b994a29dea638c57bcf8854e69396c23829f831cf899a2068f79

Download Submit
C:\Windows\{BE18BB5F-65B6-49f3-AA3A-78CE78645FE3}.exe

Filesize
91KB

MD5
2fc94281fe0530a64f403d2d261c416f

SHA1
5d5c47dadcd1b0243cdd39aef26cdca982c2b03a

SHA256
3529805bbe6cdb97d9e153dbf9347a114099f0756f04522fef75349f2548ff62

SHA512
5c2db2575411152df331324dd024c890b288708b55cb42412d8d6a52d753518232f6e42e277e8c79073a55dc39b74f28e14b81bb4a6709d2ae4af6fe1fb4b4bd

Download Submit
C:\Windows\{C5EEB022-200D-46f1-B6E8-99BE057FF0D5}.exe

Filesize
91KB

MD5
b05471fe0f6da5b8f858e1c54a4f5d3a

SHA1
5d05e1d5c76c0714a1bbe5974d7e4decb1ed3410

SHA256
0b0fb80d473e88d7dcb4debdd7a50fa8fa75b45c5afc032fecc19e9a71fd63d7

SHA512
b6420517bf16ea13a857cc2f177b29674739ca9228a547f26103978c11e155fd3ee765ea578c55f526cbcf48d88683e4d4f0f9bc454099904057b423e699f43f

Download Submit
C:\Windows\{F10E11D5-592A-49ae-94B9-C81BB26F15AA}.exe

Filesize
91KB

MD5
e49af0606602d9f6d6dd8b09fc471cf5

SHA1
559320b459d6c688f3e4e568556236da571b6cbf

SHA256
f4cc3736942bd06afa91ec74ca195a18f54c1f0a1d5036d2f853fd4ed10f2d90

SHA512
44a85cc571bd10832ecf6f49289e8b4c8b00d749e878c8550102a2ec6d7d9d9a766a3b1dcce97ebe7e5c3d22a3f43d35c3613da59a77a0fe1041e672d926705d

Download Submit
C:\Windows\{F3FA4973-B0DD-473e-B89F-7CB5B85D9512}.exe

Filesize
91KB

MD5
ea723b1a4d775638c3e9d0dcd2c64682

SHA1
f14774fee147d7265aff7d68cb9ed5a85d852def

SHA256
ba7cf78a71643eb3f78a8be25778c0aa08f5ff57e676c31147c0d1935d7fe903

SHA512
03e71d11d293556d58e4a93c1883ca7b542ad50a8783c60b5271e9d4346605747311cac44871d3488cd85ef5f7dfa218e9ee03a44b31c797c662661df9c7b2a4

Download Submit
memory/996-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/996-3-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/996-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/996-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1768-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1768-86-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1768-87-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1768-78-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1864-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1864-13-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2552-43-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2552-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2600-56-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2600-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2600-59-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2700-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2796-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2796-29-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2796-23-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2796-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2872-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2872-63-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2872-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2912-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2912-76-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2912-75-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads