1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe
Size

89KB
MD5

32b303ede20868b12edeb8608645087a
SHA1

f788286ccadff96d48d137b63c006e1bcc754412
SHA256

1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b
SHA512

64866008249c27915c861fd21c5afee8641f046e36a48f81da922df10411ab1aa86f6ea6c85a24799e89eb14115ba9eec4eab68cd23dc3b4978e825ed57e466e
SSDEEP

768:5vw9816thKQLron4/wQkNrfrunMxVFA3k:lEG/0onlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BC4CA7F-300F-4b8d-9589-05648B1976A4}	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFE2448B-9052-4a61-ABB4-847487A30F02}	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408DBCD1-434F-4030-98FD-CAB2DFDA354F}	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9D77923-AF14-4574-A8DC-E7CC1848A04C}	{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9D77923-AF14-4574-A8DC-E7CC1848A04C}\stubpath = "C:\\Windows\\{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe"	{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}\stubpath = "C:\\Windows\\{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}.exe"	{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A80399D5-AB69-4c15-ACB0-C24B7048A886}\stubpath = "C:\\Windows\\{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe"	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFE2448B-9052-4a61-ABB4-847487A30F02}\stubpath = "C:\\Windows\\{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe"	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}\stubpath = "C:\\Windows\\{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe"	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E1648E9-D0B7-43d4-9031-8785A4826702}\stubpath = "C:\\Windows\\{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe"	{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}	{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A80399D5-AB69-4c15-ACB0-C24B7048A886}	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E99127B-F502-4e50-A906-14DBE90719E9}\stubpath = "C:\\Windows\\{5E99127B-F502-4e50-A906-14DBE90719E9}.exe"	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81D64FBC-170D-4551-A1C9-6555ACE2336C}\stubpath = "C:\\Windows\\{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe"	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E1648E9-D0B7-43d4-9031-8785A4826702}	{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E99127B-F502-4e50-A906-14DBE90719E9}	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}\stubpath = "C:\\Windows\\{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe"	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BC4CA7F-300F-4b8d-9589-05648B1976A4}\stubpath = "C:\\Windows\\{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe"	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81D64FBC-170D-4551-A1C9-6555ACE2336C}	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408DBCD1-434F-4030-98FD-CAB2DFDA354F}\stubpath = "C:\\Windows\\{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe"	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe
2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe
3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe
1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe
2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe
2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe
2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe
480	{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe
2004	{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe
2260	{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe
908	{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe
File created	C:\Windows\{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe
File created	C:\Windows\{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe	{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe
File created	C:\Windows\{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe
File created	C:\Windows\{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe
File created	C:\Windows\{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe	{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe
File created	C:\Windows\{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}.exe	{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe
File created	C:\Windows\{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe
File created	C:\Windows\{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe
File created	C:\Windows\{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe
File created	C:\Windows\{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe
Token: SeIncBasePriorityPrivilege	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe
Token: SeIncBasePriorityPrivilege	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe
Token: SeIncBasePriorityPrivilege	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe
Token: SeIncBasePriorityPrivilege	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe
Token: SeIncBasePriorityPrivilege	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe
Token: SeIncBasePriorityPrivilege	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe
Token: SeIncBasePriorityPrivilege	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe
Token: SeIncBasePriorityPrivilege	480	{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe
Token: SeIncBasePriorityPrivilege	2004	{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe
Token: SeIncBasePriorityPrivilege	2260	{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2932	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe	30
PID 2152 wrote to memory of 2932	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe	30
PID 2152 wrote to memory of 2932	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe	30
PID 2152 wrote to memory of 2932	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe	30
PID 2152 wrote to memory of 2688	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe	31
PID 2152 wrote to memory of 2688	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe	31
PID 2152 wrote to memory of 2688	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe	31
PID 2152 wrote to memory of 2688	2152	1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe	31
PID 2932 wrote to memory of 2816	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	32
PID 2932 wrote to memory of 2816	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	32
PID 2932 wrote to memory of 2816	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	32
PID 2932 wrote to memory of 2816	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	32
PID 2932 wrote to memory of 2600	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	33
PID 2932 wrote to memory of 2600	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	33
PID 2932 wrote to memory of 2600	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	33
PID 2932 wrote to memory of 2600	2932	{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe	33
PID 2816 wrote to memory of 3008	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	34
PID 2816 wrote to memory of 3008	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	34
PID 2816 wrote to memory of 3008	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	34
PID 2816 wrote to memory of 3008	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	34
PID 2816 wrote to memory of 2028	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	35
PID 2816 wrote to memory of 2028	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	35
PID 2816 wrote to memory of 2028	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	35
PID 2816 wrote to memory of 2028	2816	{5E99127B-F502-4e50-A906-14DBE90719E9}.exe	35
PID 3008 wrote to memory of 1988	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	36
PID 3008 wrote to memory of 1988	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	36
PID 3008 wrote to memory of 1988	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	36
PID 3008 wrote to memory of 1988	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	36
PID 3008 wrote to memory of 1540	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	37
PID 3008 wrote to memory of 1540	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	37
PID 3008 wrote to memory of 1540	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	37
PID 3008 wrote to memory of 1540	3008	{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe	37
PID 1988 wrote to memory of 2124	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	38
PID 1988 wrote to memory of 2124	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	38
PID 1988 wrote to memory of 2124	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	38
PID 1988 wrote to memory of 2124	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	38
PID 1988 wrote to memory of 2108	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	39
PID 1988 wrote to memory of 2108	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	39
PID 1988 wrote to memory of 2108	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	39
PID 1988 wrote to memory of 2108	1988	{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe	39
PID 2124 wrote to memory of 2448	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	40
PID 2124 wrote to memory of 2448	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	40
PID 2124 wrote to memory of 2448	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	40
PID 2124 wrote to memory of 2448	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	40
PID 2124 wrote to memory of 916	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	41
PID 2124 wrote to memory of 916	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	41
PID 2124 wrote to memory of 916	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	41
PID 2124 wrote to memory of 916	2124	{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe	41
PID 2448 wrote to memory of 2616	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	42
PID 2448 wrote to memory of 2616	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	42
PID 2448 wrote to memory of 2616	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	42
PID 2448 wrote to memory of 2616	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	42
PID 2448 wrote to memory of 2144	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	43
PID 2448 wrote to memory of 2144	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	43
PID 2448 wrote to memory of 2144	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	43
PID 2448 wrote to memory of 2144	2448	{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe	43
PID 2616 wrote to memory of 480	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	44
PID 2616 wrote to memory of 480	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	44
PID 2616 wrote to memory of 480	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	44
PID 2616 wrote to memory of 480	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	44
PID 2616 wrote to memory of 532	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	45
PID 2616 wrote to memory of 532	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	45
PID 2616 wrote to memory of 532	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	45
PID 2616 wrote to memory of 532	2616	{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe	45

C:\Users\Admin\AppData\Local\Temp\1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe
"C:\Users\Admin\AppData\Local\Temp\1ebc3ec1ade020c5c11557b640653636a44c83a74a5fce66e399666e1c66014b.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe
  C:\Windows\{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\{5E99127B-F502-4e50-A906-14DBE90719E9}.exe
    C:\Windows\{5E99127B-F502-4e50-A906-14DBE90719E9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe
      C:\Windows\{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe
        
        C:\Windows\{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe
        
        C:\Windows\{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe
        
        C:\Windows\{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe
        
        C:\Windows\{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe
        
        C:\Windows\{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Windows\{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe
        
        C:\Windows\{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe
        
        C:\Windows\{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}.exe
        
        C:\Windows\{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E164~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9D77~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E9C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{408DB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81D64~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFE24~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BC4C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E118~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5E991~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A8039~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1EBC3E~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3BC4CA7F-300F-4b8d-9589-05648B1976A4}.exe

Filesize
89KB

MD5
4563247521d080e91974e106624700a5

SHA1
a6b75c68edeba2a52c8f310a2f5de00be18cf26f

SHA256
1a1fe7d1ab46954b4d7fb0c8e976db1aed686047e06d4d785d4ca74061d2bd9c

SHA512
b26f622634462d12629a329d1a834e72ab3a6dd1bb89190f33326d455b56c0fb2c561dacc032e991a6ca01cefa0f64330f4ccc0ab1bf9f617f3dd79a95cae434

Download Submit
C:\Windows\{408DBCD1-434F-4030-98FD-CAB2DFDA354F}.exe

Filesize
89KB

MD5
1cf777c841c85d0e419707f0a09fd288

SHA1
bada696bcaf1bc221c5b82726a8a2bbf86f0d209

SHA256
fc93925b5fde9493a6396e031fda199e5493bed72fd3cafb31bc42ad96c77b73

SHA512
37ef9512d758b0f04221f61e5684084e50a092798c4f5e09984330e40c4e301f36990e26a11a3ccd7c516e7fc9d657dd14e1c73a4e73c9ab22dd038a96c778c8

Download Submit
C:\Windows\{5E1648E9-D0B7-43d4-9031-8785A4826702}.exe

Filesize
89KB

MD5
a629239eb95b0710059468847320fe7b

SHA1
2f5f27ab9196ef013504979d4c1891a68c260f14

SHA256
f8091da9207a3a3b9cdbf672122144f7aedac73018a34eeb36811d15fd75aae0

SHA512
3a56a1472fd6e52cacd94a14e12777fc7f20baf6c78d63b04ba4fcf9a3500df090876f19921d6f20ac59a92b9e94189f7d615a970b7fa44a54fcc29dd1ac00ad

Download Submit
C:\Windows\{5E99127B-F502-4e50-A906-14DBE90719E9}.exe

Filesize
89KB

MD5
d8dd60690b050170b5857f2794b9cce1

SHA1
53604488365ebec051b49bfd6fe50c29db29a189

SHA256
baa95d89b5db464c3579d03fe5462578a9d2e92ce00a9f15301efa24147221ec

SHA512
7192a42ead9d4d6bedb0d99c54607d5b5d95c992d450ed5029b34ddf3e4c6ee3584fd45a81803c4262519e06d85dfcf8eb64259b75e8b33126361d144749e9c0

Download Submit
C:\Windows\{7E1182E1-7EC4-4d8e-AE9D-32FED55C672B}.exe

Filesize
89KB

MD5
e03fd2d5e0305b141ea1cca6723aefdf

SHA1
26ddca38529ac89a2c5fa7e94b7fe12567f66db2

SHA256
7c06ce4a91ba296057263646d6ed3769f825c38b8ac18bfdd700df0264f26028

SHA512
727f5550e55d9745825e25f427aa5adbeef4d925b1e26241853ba184e02af508442a1746e4c13956e110b748e024dde37e421b30b1e43c786864779305f584e6

Download Submit
C:\Windows\{81D64FBC-170D-4551-A1C9-6555ACE2336C}.exe

Filesize
89KB

MD5
39d42741588cb029870b7105eed0ff4b

SHA1
198de2cfd0764b970ea7c23e2c2f336b334ab493

SHA256
2dc425b5b9c87a9561d6ed8245ff986ba848b8dece852fe2c05a95aeee763f74

SHA512
125214afb8ebd3fac81638f8d5066dd727a309c7c21c5b498e688c807ee92fe5c09672d86170466de29e9e36aa3f982142187ab37e587abb35be7831bc371889

Download Submit
C:\Windows\{A80399D5-AB69-4c15-ACB0-C24B7048A886}.exe

Filesize
89KB

MD5
bc4242fc50efb4347968c0bf64534cc9

SHA1
dac8a2f4b3d45206366aedf68d0ec28d449098e4

SHA256
6a87e37622b86f99a7837de42c65a04b71950db76373dcf7bc4188d6b14e9b54

SHA512
05b0f347d3f5307f6ab44cb278b1acd3a75201ad27b87cc598dd9c18f2899137b3e139f33a7bddd4077715af8a2a2cdad247af730dba1762cd9e24d79706f489

Download Submit
C:\Windows\{AFE2448B-9052-4a61-ABB4-847487A30F02}.exe

Filesize
89KB

MD5
668810fd5e77efec7602d64ccae14c1b

SHA1
1826875e5fcfb2ffdf69db95b66037281e5040c3

SHA256
59af970f822878368597afd54f47893a0403c34f5a015fd84324d4b8f833b142

SHA512
dce43be240bb53ac5dc78929a76df18be7ee95e6665ba2948367b72d782fa98d4c5cf5caa96b0016dfef4cbca169c13a5e7bf26447a52cd33c622a0fe7cbf1de

Download Submit
C:\Windows\{C9D77923-AF14-4574-A8DC-E7CC1848A04C}.exe

Filesize
89KB

MD5
9a49d20ca7c5e9983d91a8b6a160ec3e

SHA1
92aef25c1416e546136dfbfad4d6ff36134bcd24

SHA256
6e96d2eed01c42fca0e54c1fcfcddfce588503a3379a88672271b68fbed076b0

SHA512
970a3d6a0ac7d439ffe993a54eee4e3d25169d36d03826835577666ea041913f122973e190f0d42f3e2bcbcb1cf35d9392233d4c96bd00f0a78acf3c7eca5072

Download Submit
C:\Windows\{CFF74FA5-52FC-49f5-A08A-9B8F8D0EA06E}.exe

Filesize
89KB

MD5
3d67f5f26869082f834fcaa6acf0703c

SHA1
9702a3d584a29f89e03be2c76f18aee05b5bf70d

SHA256
39d2f721f49ac72b65d79877d9ce7e0910e8dd4633e83d01fa0bbb3570228587

SHA512
ede243a440d1bdd6d771822a8d49a8b5418a6b88e9349dd316d1a8d8d0a0996d922861eb3897a0baf2d7bcaf248b09274869c9e94014ff2e15e89b818e47c38b

Download Submit
C:\Windows\{D4E9CFDF-20FA-4bc6-8371-57F4E2128676}.exe

Filesize
89KB

MD5
fb7dc04bd067a77860eaec7e02707a2b

SHA1
4c4dd880e1edd49b70632854a5b978d3fed1c1ca

SHA256
e76db7034fcb353af38ee470b3fd5daf558c53da87e4923b399cec25b91f72a8

SHA512
ca3657f5f24e2486a2751996ead84d77c2503d049fb08d23d9ae85a55e7e8ae84fce91e3e06601e789bc4b46fd83f5475386deeac1f7b444d0abc0559f372ff6

Download Submit
memory/480-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/480-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1988-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1988-42-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1988-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2004-92-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2004-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2124-55-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2124-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2152-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2152-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2152-3-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2152-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2260-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2260-104-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2260-102-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2260-98-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2448-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-73-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2616-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-69-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2616-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2816-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2816-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2932-13-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2932-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3008-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3008-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3008-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads