919eeb4e3a2abb3fb386c471d8734c0ebe02cc8299ae3de6ca423d2179725353

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 11:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb45716379945bddc2f1a03a080de090N.exe
Size

88KB
MD5

bb45716379945bddc2f1a03a080de090
SHA1

fae8ebe89637426c09bfa13aaf9c2454307a44a7
SHA256

919eeb4e3a2abb3fb386c471d8734c0ebe02cc8299ae3de6ca423d2179725353
SHA512

47bded1b0f1ec61d4f4e779eddb12d5f23f488d75823bd3c3f5d6ea877da2f0156dd6a93503f169374e3c7bd2bb6078513073dba8f19de8f6afd1eefa93b92f2
SSDEEP

768:5vw9816thKQLrox4/wQkNrfrunMxVFA3V:lEG/0oxlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D90036A5-E158-406f-8F97-267BFEB11D5F}\stubpath = "C:\\Windows\\{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe"	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE045A9E-9471-44ef-8240-A9A263CF0473}	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE045A9E-9471-44ef-8240-A9A263CF0473}\stubpath = "C:\\Windows\\{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe"	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7434027-35F0-446c-9B50-D7B29BFC4837}\stubpath = "C:\\Windows\\{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe"	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F6711E8-40C1-4925-B08B-1C034046172D}\stubpath = "C:\\Windows\\{7F6711E8-40C1-4925-B08B-1C034046172D}.exe"	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51FF071D-6910-4f17-B77B-4C76660F3BB7}	{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{026D40B6-BDFB-441b-9164-96D27FE9EFD8}	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7434027-35F0-446c-9B50-D7B29BFC4837}	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51FF071D-6910-4f17-B77B-4C76660F3BB7}\stubpath = "C:\\Windows\\{51FF071D-6910-4f17-B77B-4C76660F3BB7}.exe"	{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}\stubpath = "C:\\Windows\\{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe"	bb45716379945bddc2f1a03a080de090N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89788BD7-11DA-4f41-B589-D02429FFC403}\stubpath = "C:\\Windows\\{89788BD7-11DA-4f41-B589-D02429FFC403}.exe"	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{026D40B6-BDFB-441b-9164-96D27FE9EFD8}\stubpath = "C:\\Windows\\{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe"	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}\stubpath = "C:\\Windows\\{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe"	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}	bb45716379945bddc2f1a03a080de090N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89788BD7-11DA-4f41-B589-D02429FFC403}	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D90036A5-E158-406f-8F97-267BFEB11D5F}	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F6711E8-40C1-4925-B08B-1C034046172D}	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe

Deletes itself 1 IoCs

pid	Process
2212	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe
2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe
2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe
2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe
2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe
548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe
2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe
2068	{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe
1220	{51FF071D-6910-4f17-B77B-4C76660F3BB7}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe
File created	C:\Windows\{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe
File created	C:\Windows\{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe
File created	C:\Windows\{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe
File created	C:\Windows\{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe
File created	C:\Windows\{51FF071D-6910-4f17-B77B-4C76660F3BB7}.exe	{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe
File created	C:\Windows\{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	bb45716379945bddc2f1a03a080de090N.exe
File created	C:\Windows\{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe
File created	C:\Windows\{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb45716379945bddc2f1a03a080de090N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51FF071D-6910-4f17-B77B-4C76660F3BB7}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3040	bb45716379945bddc2f1a03a080de090N.exe
Token: SeIncBasePriorityPrivilege	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe
Token: SeIncBasePriorityPrivilege	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe
Token: SeIncBasePriorityPrivilege	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe
Token: SeIncBasePriorityPrivilege	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe
Token: SeIncBasePriorityPrivilege	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe
Token: SeIncBasePriorityPrivilege	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe
Token: SeIncBasePriorityPrivilege	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe
Token: SeIncBasePriorityPrivilege	2068	{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2516	3040	bb45716379945bddc2f1a03a080de090N.exe	29
PID 3040 wrote to memory of 2516	3040	bb45716379945bddc2f1a03a080de090N.exe	29
PID 3040 wrote to memory of 2516	3040	bb45716379945bddc2f1a03a080de090N.exe	29
PID 3040 wrote to memory of 2516	3040	bb45716379945bddc2f1a03a080de090N.exe	29
PID 3040 wrote to memory of 2212	3040	bb45716379945bddc2f1a03a080de090N.exe	30
PID 3040 wrote to memory of 2212	3040	bb45716379945bddc2f1a03a080de090N.exe	30
PID 3040 wrote to memory of 2212	3040	bb45716379945bddc2f1a03a080de090N.exe	30
PID 3040 wrote to memory of 2212	3040	bb45716379945bddc2f1a03a080de090N.exe	30
PID 2516 wrote to memory of 2912	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	31
PID 2516 wrote to memory of 2912	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	31
PID 2516 wrote to memory of 2912	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	31
PID 2516 wrote to memory of 2912	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	31
PID 2516 wrote to memory of 2808	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	32
PID 2516 wrote to memory of 2808	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	32
PID 2516 wrote to memory of 2808	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	32
PID 2516 wrote to memory of 2808	2516	{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe	32
PID 2912 wrote to memory of 2944	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	33
PID 2912 wrote to memory of 2944	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	33
PID 2912 wrote to memory of 2944	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	33
PID 2912 wrote to memory of 2944	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	33
PID 2912 wrote to memory of 2664	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	34
PID 2912 wrote to memory of 2664	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	34
PID 2912 wrote to memory of 2664	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	34
PID 2912 wrote to memory of 2664	2912	{89788BD7-11DA-4f41-B589-D02429FFC403}.exe	34
PID 2944 wrote to memory of 2688	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	35
PID 2944 wrote to memory of 2688	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	35
PID 2944 wrote to memory of 2688	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	35
PID 2944 wrote to memory of 2688	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	35
PID 2944 wrote to memory of 2804	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	36
PID 2944 wrote to memory of 2804	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	36
PID 2944 wrote to memory of 2804	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	36
PID 2944 wrote to memory of 2804	2944	{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe	36
PID 2688 wrote to memory of 2164	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	37
PID 2688 wrote to memory of 2164	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	37
PID 2688 wrote to memory of 2164	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	37
PID 2688 wrote to memory of 2164	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	37
PID 2688 wrote to memory of 2512	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	38
PID 2688 wrote to memory of 2512	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	38
PID 2688 wrote to memory of 2512	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	38
PID 2688 wrote to memory of 2512	2688	{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe	38
PID 2164 wrote to memory of 548	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	39
PID 2164 wrote to memory of 548	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	39
PID 2164 wrote to memory of 548	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	39
PID 2164 wrote to memory of 548	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	39
PID 2164 wrote to memory of 2964	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	40
PID 2164 wrote to memory of 2964	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	40
PID 2164 wrote to memory of 2964	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	40
PID 2164 wrote to memory of 2964	2164	{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe	40
PID 548 wrote to memory of 2684	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	41
PID 548 wrote to memory of 2684	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	41
PID 548 wrote to memory of 2684	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	41
PID 548 wrote to memory of 2684	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	41
PID 548 wrote to memory of 2932	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	42
PID 548 wrote to memory of 2932	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	42
PID 548 wrote to memory of 2932	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	42
PID 548 wrote to memory of 2932	548	{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe	42
PID 2684 wrote to memory of 2068	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	43
PID 2684 wrote to memory of 2068	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	43
PID 2684 wrote to memory of 2068	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	43
PID 2684 wrote to memory of 2068	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	43
PID 2684 wrote to memory of 924	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	44
PID 2684 wrote to memory of 924	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	44
PID 2684 wrote to memory of 924	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	44
PID 2684 wrote to memory of 924	2684	{7F6711E8-40C1-4925-B08B-1C034046172D}.exe	44

C:\Users\Admin\AppData\Local\Temp\bb45716379945bddc2f1a03a080de090N.exe
"C:\Users\Admin\AppData\Local\Temp\bb45716379945bddc2f1a03a080de090N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe
  C:\Windows\{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\{89788BD7-11DA-4f41-B589-D02429FFC403}.exe
    C:\Windows\{89788BD7-11DA-4f41-B589-D02429FFC403}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe
      C:\Windows\{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe
        
        C:\Windows\{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe
        
        C:\Windows\{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe
        
        C:\Windows\{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\{7F6711E8-40C1-4925-B08B-1C034046172D}.exe
        
        C:\Windows\{7F6711E8-40C1-4925-B08B-1C034046172D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe
        
        C:\Windows\{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{51FF071D-6910-4f17-B77B-4C76660F3BB7}.exe
        
        C:\Windows\{51FF071D-6910-4f17-B77B-4C76660F3BB7}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4448~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F671~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7434~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE045~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9003~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{026D4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{89788~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4CC2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BB4571~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{026D40B6-BDFB-441b-9164-96D27FE9EFD8}.exe

Filesize
88KB

MD5
402416f576362177716a9a01fa06128a

SHA1
e6880a1915d48a1ceda249a2d20ce09d1509d0de

SHA256
c0b1d07def183dbcfd91dd357275164e1e4c24bf8a8e5cc784956db0f53ef85c

SHA512
fe9c07d6ad6281bd97092083e8a21e121bba49f8bf188faea863b257ecf02beb5d42cae258c360964a4ee4e01727ff3e2a4554b9a08630ff2260406d0f9db56d

Download Submit
C:\Windows\{51FF071D-6910-4f17-B77B-4C76660F3BB7}.exe

Filesize
88KB

MD5
9ebdafa561db1ada529cc80b3f1222e2

SHA1
84f697847507cbf1b4fbb5202141b7bb34366b4e

SHA256
3fdf3044f9874d9cd32ac613ec66ff8d8523fd44505c70097443b637f0387594

SHA512
f513b56866cb4870b665ef2a5e7ed31760e74c3fec8aabc9f839c39144ceeb8cb9bce3c35e7a537888b1b6081c2cc41956a7e9d2963e0fec8ff4d03d8779e709

Download Submit
C:\Windows\{7F6711E8-40C1-4925-B08B-1C034046172D}.exe

Filesize
88KB

MD5
b7a617c70b32b6df875e7871c0ce8e6b

SHA1
47bced6b3033839bb85095aa3a52bd35897245e8

SHA256
0abe647e262d43b46239d514c38b4232b07b0d8ee4df7b6479aef14473f2959e

SHA512
31166fa4533d0053462012e457f37f1e2e0f615f5c7c5ae44459dbde220f53d4e6610b50a3b385625da7d76e05f7668841da5d9b246cb80b65773c5e8fe0956d

Download Submit
C:\Windows\{89788BD7-11DA-4f41-B589-D02429FFC403}.exe

Filesize
88KB

MD5
2e6420c190b1cd1e54af83306efcf799

SHA1
d474bbab2ff1226d004aedfdf66c96ad122c4117

SHA256
b2fb981c3933459a709a47bd912f67c9f4bf06d7078333d443a8b70263ddad92

SHA512
c19c5f1a7508385a2f4c7492736fd315315f7ee36a7d9f9e312a7526898c4f8f089dcf57a9bf4a382abdc1035bbbf34aaa18ad4c95ceef08a950121cc8cd1301

Download Submit
C:\Windows\{BE045A9E-9471-44ef-8240-A9A263CF0473}.exe

Filesize
88KB

MD5
8fd120090a2818f04a11bc69c662a90e

SHA1
7a41cc17bb7bb524cdb37c90d26c46ebb25fc58d

SHA256
3d5eb54463cd96726732b8e2a09586f4322efc015f76961cd099f67032ce37d5

SHA512
68d3d0ba2f68226960d9be4a16ad92aeb16a0b05351d1ba30a051a77435904a3881cfc42d5e0e8460ed4068c67f0ac386f9a480084b05e1ebfe1fb99c7ee6c18

Download Submit
C:\Windows\{D4448090-527A-4ae7-8F37-5B8A7E1EDD42}.exe

Filesize
88KB

MD5
8b842506b11997ef248f52fd98ec1401

SHA1
492d7fcb47f2260ebeb6c4668a5694e6d9b5bade

SHA256
673e8f33418a0ad570ca835093b28a47d8c78c20610c5173bd77d81c82cc2d0d

SHA512
da1d90f5205d2192db84c50f99a21c39352f1b619c30f3eeef4c54206d092d93725ac4113f4cca6462654dbd5cf7c43b976780fa5b922c2c82599b3e3c64561d

Download Submit
C:\Windows\{D90036A5-E158-406f-8F97-267BFEB11D5F}.exe

Filesize
88KB

MD5
2879031e7cdc038d2daa82a8c1c0000e

SHA1
35eca51c799c8a4f6c8ba1344b9925a63040ca56

SHA256
05fd70871c9203acaa24d35314f1c8b0170776a968e225f0a3fdc52e17d7fbcb

SHA512
737e82d6b88141fd09aeda28331f1cf453fb8f858d7e45a6df6ddb2594a4ed787d9d2efde4d385d874d2766bd97018ca1a56f93de8cee3aa56780bd7b26445e3

Download Submit
C:\Windows\{E4CC2D8A-CFEF-47b8-8F6E-CCB944F1700F}.exe

Filesize
88KB

MD5
edfb86b0e3b6227d034535e509e349d5

SHA1
d6579e928f41089b163a6f3fa9743a76eeb82f5e

SHA256
d199b977658e30d44c00ecfbef540465b339c30af63888a299340f9fcef7420c

SHA512
8d83ec3908b6776c6898311cfde90af1c6d227c1397bec962b155195ec5f5c0a0fc505106e50561b9c1f59a040d98573120437d01f173a8bfee5e49fc24b4815

Download Submit
C:\Windows\{F7434027-35F0-446c-9B50-D7B29BFC4837}.exe

Filesize
88KB

MD5
2228f6e52d6fed124f7e1a0b3398aae2

SHA1
8c8dc5013e1f10762434edb6285168f41cc2acd5

SHA256
04c570f7b60ac0e2da212293056966bafa80c851dc0a181484f6b48fb5f7b0d6

SHA512
b5594bfda6b943fc8cbdf89ffdfde615aa080285aa2272c1d1661f046a3bd175ea9759e51e715c9acc5cb470bb57510d31eaae952819d5f74f9ab38121c01e46

Download Submit
memory/548-60-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/548-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2068-78-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2068-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2164-51-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/2164-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2516-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2516-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2516-13-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2684-69-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/2684-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-42-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2912-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2912-23-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2912-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-32-0x00000000005B0000-0x00000000005C1000-memory.dmp

Filesize
68KB

Download
memory/3040-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-4-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/3040-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads