4a56dddca821e7aa7ea94cb65ecc35363bfac8fb175b21025e6b049e533ff817

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a7eb987857272b3376438762b02680N.exe
Size

91KB
MD5

97a7eb987857272b3376438762b02680
SHA1

17b6abd23f3b8a729734fe33edd0c4a4d8d32258
SHA256

4a56dddca821e7aa7ea94cb65ecc35363bfac8fb175b21025e6b049e533ff817
SHA512

e44fbb48c6599bf409244d504c300713b7e0ee6dee67e4db629c5a80e014b51b715a8b32cea2b4c11cf7954a206fafee2942ddd13645fe8aa60f0d6db799f39b
SSDEEP

768:5vw9816uhKirowC4/wQNNrfrunMxVFA3b7t:lEGkmonlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1819D57-C944-41c7-9322-0E6DA67E0567}	{5257BF42-2892-4306-B65D-A88B321D1865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F22C384-824C-4bfc-A75F-64467E94E075}	97a7eb987857272b3376438762b02680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{578136EB-3F16-4c11-A209-EF02AB9FCA1B}	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19F67483-460E-4abc-85AD-420014A1CFD8}	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61CB2962-4DF7-4517-BF83-9181CE5E7F81}\stubpath = "C:\\Windows\\{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe"	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5257BF42-2892-4306-B65D-A88B321D1865}	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5257BF42-2892-4306-B65D-A88B321D1865}\stubpath = "C:\\Windows\\{5257BF42-2892-4306-B65D-A88B321D1865}.exe"	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}\stubpath = "C:\\Windows\\{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe"	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19F67483-460E-4abc-85AD-420014A1CFD8}\stubpath = "C:\\Windows\\{19F67483-460E-4abc-85AD-420014A1CFD8}.exe"	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}\stubpath = "C:\\Windows\\{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe"	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61CB2962-4DF7-4517-BF83-9181CE5E7F81}	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F22C384-824C-4bfc-A75F-64467E94E075}\stubpath = "C:\\Windows\\{8F22C384-824C-4bfc-A75F-64467E94E075}.exe"	97a7eb987857272b3376438762b02680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{578136EB-3F16-4c11-A209-EF02AB9FCA1B}\stubpath = "C:\\Windows\\{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe"	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}\stubpath = "C:\\Windows\\{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe"	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1819D57-C944-41c7-9322-0E6DA67E0567}\stubpath = "C:\\Windows\\{E1819D57-C944-41c7-9322-0E6DA67E0567}.exe"	{5257BF42-2892-4306-B65D-A88B321D1865}.exe

Executes dropped EXE 9 IoCs

pid	Process
1768	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe
5072	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe
2184	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe
3012	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe
1384	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe
4220	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe
5052	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe
1280	{5257BF42-2892-4306-B65D-A88B321D1865}.exe
2336	{E1819D57-C944-41c7-9322-0E6DA67E0567}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe
File created	C:\Windows\{19F67483-460E-4abc-85AD-420014A1CFD8}.exe	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe
File created	C:\Windows\{5257BF42-2892-4306-B65D-A88B321D1865}.exe	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe
File created	C:\Windows\{8F22C384-824C-4bfc-A75F-64467E94E075}.exe	97a7eb987857272b3376438762b02680N.exe
File created	C:\Windows\{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe
File created	C:\Windows\{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe
File created	C:\Windows\{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe
File created	C:\Windows\{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe
File created	C:\Windows\{E1819D57-C944-41c7-9322-0E6DA67E0567}.exe	{5257BF42-2892-4306-B65D-A88B321D1865}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97a7eb987857272b3376438762b02680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1819D57-C944-41c7-9322-0E6DA67E0567}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5257BF42-2892-4306-B65D-A88B321D1865}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2552	97a7eb987857272b3376438762b02680N.exe
Token: SeIncBasePriorityPrivilege	1768	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe
Token: SeIncBasePriorityPrivilege	5072	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe
Token: SeIncBasePriorityPrivilege	2184	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe
Token: SeIncBasePriorityPrivilege	3012	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe
Token: SeIncBasePriorityPrivilege	1384	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe
Token: SeIncBasePriorityPrivilege	4220	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe
Token: SeIncBasePriorityPrivilege	5052	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe
Token: SeIncBasePriorityPrivilege	1280	{5257BF42-2892-4306-B65D-A88B321D1865}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1768	2552	97a7eb987857272b3376438762b02680N.exe	95
PID 2552 wrote to memory of 1768	2552	97a7eb987857272b3376438762b02680N.exe	95
PID 2552 wrote to memory of 1768	2552	97a7eb987857272b3376438762b02680N.exe	95
PID 2552 wrote to memory of 628	2552	97a7eb987857272b3376438762b02680N.exe	96
PID 2552 wrote to memory of 628	2552	97a7eb987857272b3376438762b02680N.exe	96
PID 2552 wrote to memory of 628	2552	97a7eb987857272b3376438762b02680N.exe	96
PID 1768 wrote to memory of 5072	1768	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe	97
PID 1768 wrote to memory of 5072	1768	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe	97
PID 1768 wrote to memory of 5072	1768	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe	97
PID 1768 wrote to memory of 2236	1768	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe	98
PID 1768 wrote to memory of 2236	1768	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe	98
PID 1768 wrote to memory of 2236	1768	{8F22C384-824C-4bfc-A75F-64467E94E075}.exe	98
PID 5072 wrote to memory of 2184	5072	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe	102
PID 5072 wrote to memory of 2184	5072	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe	102
PID 5072 wrote to memory of 2184	5072	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe	102
PID 5072 wrote to memory of 1280	5072	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe	103
PID 5072 wrote to memory of 1280	5072	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe	103
PID 5072 wrote to memory of 1280	5072	{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe	103
PID 2184 wrote to memory of 3012	2184	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe	104
PID 2184 wrote to memory of 3012	2184	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe	104
PID 2184 wrote to memory of 3012	2184	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe	104
PID 2184 wrote to memory of 4920	2184	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe	105
PID 2184 wrote to memory of 4920	2184	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe	105
PID 2184 wrote to memory of 4920	2184	{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe	105
PID 3012 wrote to memory of 1384	3012	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe	106
PID 3012 wrote to memory of 1384	3012	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe	106
PID 3012 wrote to memory of 1384	3012	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe	106
PID 3012 wrote to memory of 3616	3012	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe	107
PID 3012 wrote to memory of 3616	3012	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe	107
PID 3012 wrote to memory of 3616	3012	{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe	107
PID 1384 wrote to memory of 4220	1384	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe	109
PID 1384 wrote to memory of 4220	1384	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe	109
PID 1384 wrote to memory of 4220	1384	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe	109
PID 1384 wrote to memory of 3776	1384	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe	110
PID 1384 wrote to memory of 3776	1384	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe	110
PID 1384 wrote to memory of 3776	1384	{19F67483-460E-4abc-85AD-420014A1CFD8}.exe	110
PID 4220 wrote to memory of 5052	4220	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe	111
PID 4220 wrote to memory of 5052	4220	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe	111
PID 4220 wrote to memory of 5052	4220	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe	111
PID 4220 wrote to memory of 4288	4220	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe	112
PID 4220 wrote to memory of 4288	4220	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe	112
PID 4220 wrote to memory of 4288	4220	{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe	112
PID 5052 wrote to memory of 1280	5052	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe	117
PID 5052 wrote to memory of 1280	5052	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe	117
PID 5052 wrote to memory of 1280	5052	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe	117
PID 5052 wrote to memory of 1452	5052	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe	118
PID 5052 wrote to memory of 1452	5052	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe	118
PID 5052 wrote to memory of 1452	5052	{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe	118
PID 1280 wrote to memory of 2336	1280	{5257BF42-2892-4306-B65D-A88B321D1865}.exe	123
PID 1280 wrote to memory of 2336	1280	{5257BF42-2892-4306-B65D-A88B321D1865}.exe	123
PID 1280 wrote to memory of 2336	1280	{5257BF42-2892-4306-B65D-A88B321D1865}.exe	123
PID 1280 wrote to memory of 2056	1280	{5257BF42-2892-4306-B65D-A88B321D1865}.exe	124
PID 1280 wrote to memory of 2056	1280	{5257BF42-2892-4306-B65D-A88B321D1865}.exe	124
PID 1280 wrote to memory of 2056	1280	{5257BF42-2892-4306-B65D-A88B321D1865}.exe	124

C:\Users\Admin\AppData\Local\Temp\97a7eb987857272b3376438762b02680N.exe
"C:\Users\Admin\AppData\Local\Temp\97a7eb987857272b3376438762b02680N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\{8F22C384-824C-4bfc-A75F-64467E94E075}.exe
  C:\Windows\{8F22C384-824C-4bfc-A75F-64467E94E075}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe
    C:\Windows\{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe
      C:\Windows\{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe
        
        C:\Windows\{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\{19F67483-460E-4abc-85AD-420014A1CFD8}.exe
        
        C:\Windows\{19F67483-460E-4abc-85AD-420014A1CFD8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe
        
        C:\Windows\{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe
        
        C:\Windows\{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{5257BF42-2892-4306-B65D-A88B321D1865}.exe
        
        C:\Windows\{5257BF42-2892-4306-B65D-A88B321D1865}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\{E1819D57-C944-41c7-9322-0E6DA67E0567}.exe
        
        C:\Windows\{E1819D57-C944-41c7-9322-0E6DA67E0567}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5257B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5DF1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61CB2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19F67~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFB0D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57813~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA7F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F22C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\97A7EB~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DA7FE8F-97B0-4d76-B8E9-9CDF87AE13CA}.exe

Filesize
91KB

MD5
5bcee6808f40cbb46ebcc7a7650577c6

SHA1
fec4b1d17ee185ab556d75aa31339dfb94f2b637

SHA256
e0f5d1f2617068aff8dcbf6ee86d1152e0fdfbb2161b6a2f8a61c4e5eb198b90

SHA512
89efca41b63e4060d536aa9f921ed796dc054a00a4222da834ee35837e58201b0c8c94930d90116290dfe2c580dcc69a6f351f64eb85286fb929839a9de7cd04

Download Submit
C:\Windows\{19F67483-460E-4abc-85AD-420014A1CFD8}.exe

Filesize
91KB

MD5
3eca5362c1ba4527c987bc027b7425f4

SHA1
0484a659ffc471e1dd3ce970365619d8b5dd704c

SHA256
a3ccc0be931c5963882423700669614dd776e34eb368ada14ccd48b73804c33b

SHA512
4d111969ad8d296d410f60c5217e11e430f896eb1a81c053e5d4ff9c06a283955aeec737a713fdb6cc7897cd88677c2a524d2f9d9bd1bd014226726f14d09821

Download Submit
C:\Windows\{5257BF42-2892-4306-B65D-A88B321D1865}.exe

Filesize
91KB

MD5
f9a1b45ca60e1daf4ccab6538e1c6d64

SHA1
87e950dd48687515bc033b98e5ba07e963d4062e

SHA256
100500c24583a31cf185b773131b4e01da60ed8abc682cc7715b31eba6254e07

SHA512
0b0118c4c26bfac85054d244bb160cafc29d51582ed4894990710179998929aaece182c8ce962aec466825ecd70b511d0c768f9f01fe9076ab8fca4999b64642

Download Submit
C:\Windows\{578136EB-3F16-4c11-A209-EF02AB9FCA1B}.exe

Filesize
91KB

MD5
0168aafeb714b56ffc862a2cf06f1cee

SHA1
e479dfcf093c0928048cfd6cc22e45937e80e250

SHA256
ebca5c009c32c4a601b346e4e7f87e31af8b922a745c7c3bd971f5b950b01936

SHA512
69d9e6250302ae7ab72be126217b3e9700420e7c7dbedbaf1f9a1c18a52af1d44563787032d5f4ed67ee7ebf62b80d3224b92b5664ae2e59532a66e512b29a3e

Download Submit
C:\Windows\{61CB2962-4DF7-4517-BF83-9181CE5E7F81}.exe

Filesize
91KB

MD5
50cfc187c86704359f8366a9d20e907a

SHA1
a60d4be3675b737a40f853703bf41b5858ba5c0b

SHA256
c0919c8e246aff339c21def7b19983772d441883c3348855d47a7f595e068971

SHA512
656580de06283b32656516d7201e005a493069b8cb5aa6fdac2145a650db7446ef089acb9fda2d07b35d9d9ce18d0f22911e286d01c228177529b81f9e35b588

Download Submit
C:\Windows\{8F22C384-824C-4bfc-A75F-64467E94E075}.exe

Filesize
91KB

MD5
39a46ef8591d815738a83a814a536b24

SHA1
d503d7c022ade0872a8cc20e031cc32417a21ef5

SHA256
74ada49c7b9fae952017ce54da2112a7edad15dbb18ebc00c8bbef35b0f41163

SHA512
b15d829444ff18cc1cc038b1a0ac101c3a4dd357bbb0841adb4ef2c477b7ef894a5e28a1038ea09d40f5f9da659b8d52ac71e7a90e7320fdb5e29453dd6797e2

Download Submit
C:\Windows\{A5DF166E-F7C0-4d8f-B39F-E9D8AEEC88F9}.exe

Filesize
91KB

MD5
b7e2575254099fe66b90a8bc8b87f787

SHA1
b7ee450f45f22f788c6d7d18875b7dcbc83bfc86

SHA256
5dd5a02e3ee6dea3b2f0f22cf36f953f501c197058405572e4a7dff6de614699

SHA512
696fa2df3036889efa608b6a83da4844796f1d9eb20eb285061cee07f903f5adf7a8a303c8043ab30659cb928708ff611ad96c5bd66aca57176f2f26c5ae7575

Download Submit
C:\Windows\{DFB0D0A6-1372-4f3b-AEE8-689EDCFFCE1E}.exe

Filesize
91KB

MD5
8411134ec4acbfad93803f4a1d8a5fd8

SHA1
99998a798e4e8217d03543b0498f7f193503eea2

SHA256
2965697ac54404ef16b1142cab27cc266436b31322b03d72cf47f3ffbda2ebf9

SHA512
7e984313b62be32e3ddbd6907efecd53b551a10fac0d01ade057e31c12b0e6435c1b1ef201c19cd40b7ad8b6484c1ef802ee310e64ee6d8c360d2a8d57bb3164

Download Submit
C:\Windows\{E1819D57-C944-41c7-9322-0E6DA67E0567}.exe

Filesize
91KB

MD5
b900bb7cf805734efd50c99260af117c

SHA1
5fcf28fbaa25bc399020d352fcfffe018d0df30f

SHA256
c51e8f7a95a727681ea222253bf6f9ec347a93cf2fa9d1a1d0e7491587ccd081

SHA512
47d2d4759776a84a5c49f6335d10eaae12d255ca044588dfb7dc0c27f0ee4f54ca603802ba00ca5859a11e2f2da08359d1bb3b692d06c67015aa90a9d82eb7f6

Download Submit
memory/1280-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1280-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1384-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1768-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1768-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1768-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2184-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2184-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2336-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3012-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3012-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4220-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4220-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5052-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5072-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5072-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads